Unfortunately, people frequently launch a security scan against a website or web application that sits behind a web application firewall or some other kind of web security gateway device. Scanning a website through a “man in the middle” device or software only gives a false sense of security. First and most importantly, one would be scanning the web farm’s perimeter network and not the website itself. Therefore, if the goal is to secure a website, this is not the right approach. If the target website is vulnerable to a SQL injection attack, a web application firewall sitting in front of the website might block the scanner’s requests, so the vulnerability is not discovered or reported.
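One way to check whether a finished scan actually reached the application is to measure how many scanner requests received the same refusal page. The following is an added example, not part of the original article; the status codes, the 50% threshold and the sample results are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Assumption: status codes an intermediary commonly returns when it refuses a request.
BLOCK_STATUSES = {403, 406, 429}

# Constructed sample of scanner results: (requested path, status, response body).
SAMPLE_RESULTS = [
    ("/index.php", 200, "<html>Welcome</html>"),
    ("/news.php?id=7", 200, "<html>News item 7</html>"),
    ("/news.php?id=7'", 403, "<html>Request rejected. Ref 1841</html>"),
    ("/search.php?q=a'", 403, "<html>Request rejected. Ref 1842</html>"),
    ("/login.php?user=a'", 403, "<html>Request rejected. Ref 1843</html>"),
    ("/item.php?id=1'", 403, "<html>Request rejected. Ref 1844</html>"),
]

def fingerprint(status, body):
    """Identify a response by status and body, ignoring digits such as incident IDs."""
    normalized = re.sub(r"\d+", "0", body)
    return status, hashlib.sha256(normalized.encode()).hexdigest()[:12]

def scan_coverage(results, threshold=0.5):
    """Report how much of a scan was answered by one repeated refusal page."""
    paths_by_fp = defaultdict(set)
    hits_by_fp = defaultdict(int)
    for path, status, body in results:
        if status in BLOCK_STATUSES:
            fp = fingerprint(status, body)
            paths_by_fp[fp].add(path)
            hits_by_fp[fp] += 1
    # The same refusal on two or more different paths points to a device in
    # front of the site; a single refusal may be the application's own.
    blocked = sum(n for fp, n in hits_by_fp.items() if len(paths_by_fp[fp]) >= 2)
    total = len(results)
    ratio = blocked / total if total else 0.0
    return {
        "total": total,
        "blocked": blocked,
        "ratio": round(ratio, 2),
        "scan_reached_app": total > 0 and ratio < threshold,
    }

if __name__ == "__main__":
    print(scan_coverage(SAMPLE_RESULTS))
```

When `scan_reached_app` is false, the report describes the perimeter device rather than the website, and a clean result says nothing about the application's own vulnerabilities.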

Follow this link:
Should you scan a website through a web application firewall?