FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kwcheng__FTNT
Article Id 330493
Description This article provides information on PCI compliance of port 8013.
Scope FortiGate v7.4.2 and later.
Solution

On v7.4.2 and later, a PCI compliance scan may fail on TCP port 8013 because the FortiGate presents a local self-signed certificate on that port whenever 'Security Fabric Connection' is enabled under Administrative Access on the scanned interface.


[Screenshot: interface Administrative Access settings showing the 'Security Fabric Connection' option]


Since v6.2.3, FortiTelemetry (Security Fabric and FortiClient compliance) and CAPWAP (FortiSwitch and FortiAP management) have been consolidated into the single 'Security Fabric Connection' administrative access option.

FortiTelemetry uses TCP port 8013 by default, and CAPWAP uses UDP ports 5246 and 5247 by default. Because they share one option, both functions are enabled or disabled together.

For more information regarding the consolidation, refer to the following document: New features or enhancements.


Beginning in v7.4.2, Security Fabric Connection uses a local self-signed certificate (the FortiGate factory default local certificate) to terminate an SSL connection on TCP port 8013, which supports FortiClient Security Posture tag updates from remote FortiClients.

That SSL connection is how the FortiGate collects the ZTNA client certificate used to authenticate the FortiClient. Replacing this local self-signed certificate with one of your own (for example a CA-signed certificate) is currently not supported, so the scanner finding cannot be resolved by changing the certificate; it has to be addressed by removing or blocking the listener.

Workarounds:

Apply one of the following, depending on what the scanned interface is used for:

  1. If no FortiAPs, FortiSwitches or other Security Fabric features are used on the interface, disable the 'Security Fabric Connection' option under Administrative Access. CAPWAP is not needed there, so nothing is lost and the FortiGate stops listening on TCP 8013.
  2. If FortiAPs (or FortiSwitches) are managed through the interface, keep 'Security Fabric Connection' enabled and instead configure a local-in policy that denies inbound TCP 8013 on that interface. CAPWAP on UDP 5246-5247 is unaffected.

To do this, create a new service object for TCP 8013 by navigating to Policy & Objects -> Services.

[Screenshot: new service object for TCP 8013 under Policy & Objects -> Services]

Then create a new local-in policy on the scanned interface that uses this service object with action Deny.

[Screenshot: local-in policy denying TCP 8013 using the new service object]
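The same two workarounds expressed in the FortiOS CLI, as an added example that is not part of the original article. The interface name "port1", the service object name "TCP_8013", the local-in policy ID 1 and the scanner address 203.0.113.10 are assumptions; the address object "all" and the schedule "always" are FortiOS built-in defaults. Lines beginning with # are annotations, not commands.

```text
# Workaround 1: remove Security Fabric Connection (FortiTelemetry and
# CAPWAP together) from the scanned interface by leaving the 'fabric'
# keyword out of allowaccess. Keep only the access you actually need.
# Interface name "port1" is an assumption.
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end

# Workaround 2: keep Security Fabric Connection (FortiAP/FortiSwitch
# CAPWAP on UDP 5246-5247 still works) and deny inbound TCP 8013 with a
# local-in policy. Object name "TCP_8013" and policy ID 1 are assumptions.
config firewall service custom
    edit "TCP_8013"
        set tcp-portrange 8013
    next
end

config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "TCP_8013"
        set schedule "always"
    next
end

# Check: confirm the policy is present, then rerun the scan while
# sniffing. 203.0.113.10 (documentation range) stands in for the
# scanner; with the deny in place you should see its SYNs to 8013
# arrive on port1 with no SYN-ACK from the FortiGate.
show firewall local-in-policy
diagnose sniffer packet port1 'host 203.0.113.10 and tcp port 8013' 4
```

Use workaround 1 only on interfaces that carry no FortiAP or FortiSwitch management traffic, since it switches off CAPWAP as well. Workaround 2 scopes the deny to one interface; if more than one interface is exposed to the scanner, add a local-in policy per interface, or keep a single policy and verify with the sniffer that no other exposed interface still answers on 8013. Either way, Security Posture tag updates sent directly from FortiClient to this FortiGate will stop, as the Note below explains.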


Note:

  • FortiClient Telemetry is not affected by either workaround, because that service has moved to FortiClient EMS.
  • FortiClient Security Posture tag updates sent directly to the FortiGate will fail with either workaround, since they depend on the TCP 8013 SSL connection.
  • FortiClient EMS Security Posture tag updates on behalf of FortiClient will still succeed, provided the FortiClient EMS version supports this.