adidasnmotion
New Member
January 28, 2021
Question

PCI Scan fails because Qualys scanner can't scan the ssl-vpn login page

  • January 28, 2021
  • 1 reply
  • 6808 views

We have an issue where our PCI scans from a third party (Qualys) are failing. Their support tells us the following:

This vulnerability is because the scanner found tcp port 443 open to the public internet but the https service could not be used for a scan. If I connect to this port in my browser (https://xxx.xxx.xxx.xxx) I can load a FortiClient VPN login page with https. If I can see this page over https then you will need to permit the scanner to have the same access to https so it can scan the VPN login page.

How can we exempt Qualys scans to our ssl-vpn login page?

    1 reply

    Toshi_Esumi
    SuperUser
    January 29, 2021

    Do you happen to limit the source IPs for SSL VPN (CLI "set source-address" under "config vpn ssl settings")? Then, you just need to add the source IP (NATed IP) where the scanner is coming from.
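    For reference, here is what the check and the change described above look like on the FortiGate CLI. This is an added example, not part of the original reply; the address object name "qualys-scanner", the scanner IP 203.0.113.10 (a documentation range placeholder) and the pre-existing object "partner-net" are assumptions, not values from this thread.

```text
# 1. Check whether SSL VPN is already restricted by source address.
#    If "set source-address" appears in the output, a restriction is in
#    force and the scanner's NATed IP must be added to it.
show vpn ssl settings

# 2. Create an address object for the scanner's public (NATed) source IP.
#    203.0.113.10 is a constructed placeholder; use the IP the scan
#    vendor publishes for its external scanners.
config firewall address
    edit "qualys-scanner"
        set subnet 203.0.113.10 255.255.255.255
        set comment "PCI ASV scanner source (allow-listed for SSL VPN portal)"
    next
end

# 3. Add the object to the SSL VPN source-address list.
#    Caveat: "set" replaces the whole list, so re-list every object that is
#    already there (here the assumed "partner-net") alongside the new one,
#    otherwise existing users lose access when the change is committed.
config vpn ssl settings
    set source-address "partner-net" "qualys-scanner"
end

# 4. Re-run the check and confirm both objects are listed.
show vpn ssl settings
```

    If the first check shows no "set source-address" line at all, there is no source restriction to adjust, and the portal is already reachable from any IP, which is the situation the original poster reports further down.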

    adidasnmotion
    New Member
    January 29, 2021

    We don't limit the source IPs for SSL VPN. It's accessible from anywhere. A tech from the PCI compliance vendor can connect to the page in a web browser, but when they use their scanning tools on the page the firewall apparently blocks the scan.

    Toshi_Esumi
    SuperUser
    January 29, 2021

    Then there is nothing else you can do other than insisting the problem is on their end, since a browser can access it. None of our customers' PCI auditors, including ours, have any problem scanning IPs on which SSL VPN is set up without source restrictions.