FortiGate
Umer221
Staff
Article Id 275153

Description This article describes how to resolve the issue where a client's FortiGate fails a PCI Compliance scan because a FortiGate self-signed certificate is used for admin GUI access.
Scope FortiGate v7.4.
Solution

The root cause of the PCI Compliance failure is the self-signed certificate used for GUI admin access; once this is identified, the issue is resolved by replacing it with a certificate signed by a trusted CA.

The steps to resolve this issue are:

  1. Update Server Certificate to Self-Signed:

config system global
    set admin-server-cert "self-sign"

  2. Change Admin Secure Port (in the same config system global session as step 1):

    set admin-sport 4443
end

 

  3. Acquire a Certificate from a Trusted CA:

Follow the link to get the certificate signed by a CA:

Getting the certificate signed by a CA

 

  4. Import Signed Certificate:

Follow the link to import a certificate as Local CA:

Technical Tip: How to import a certificate as Local CA

 

  5. Update Server Certificate to Trusted CA Signed:

 

config system global

    set admin-server-cert "name-of-signed-cert"
end

 

  6. Run PCI Compliance Scan:

Initiate a new PCI Compliance scan to test the solution.

 

Note that a PCI Compliance scan may also flag other services that use self-signed certificates, apart from the FortiGate's GUI admin access. This article only covers the scenario where the self-signed certificate is used for GUI admin access.

 

Note:

The result also depends on which target the PCI scan is run against, i.e. whether the scan is run against the FQDN or against the public IP address that the FQDN resolves to. Scanning the IP address rather than the FQDN the certificate was issued for will also cause the PCI scan to fail.
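The following Python script is an added example, not part of the article or Fortinet's own tooling. It performs the two certificate checks a PCI scanner applies to the admin GUI (chain validation against the local trust store, and name matching against the scan target) so the outcome of step 6 can be predicted before the scan is run, and it separates the self-signed-certificate finding from the FQDN-versus-IP mismatch described in the note. The hostname fw.example.com, the IP address 203.0.113.10 and the remediation wording are constructed placeholders; the port defaults to the 4443 set in step 2.

```python
"""Pre-scan check for a FortiGate admin GUI certificate (added example, not from the article).

It opens a TLS connection to the admin GUI the way a PCI scanner's certificate
checks do: the chain must validate against the local trust store and the name on
the certificate must match the scan target.  A self-signed admin-server-cert
fails the first check; scanning the public IP instead of the FQDN the
certificate was issued for fails the second.
"""
import socket
import ssl
from dataclasses import dataclass

# Remediation hints keyed by finding; they point back to the article's steps
# (wording is this example's own, not Fortinet's).
REMEDIATION = {
    "trusted": "No action needed for the admin GUI certificate.",
    "untrusted-self-signed": "Admin GUI presents a self-signed certificate: obtain a "
                             "CA-signed certificate, import it and set admin-server-cert to it.",
    "untrusted-chain": "Issuer is not in the scanner's trust store: import the full chain "
                       "or use a certificate from a publicly trusted CA.",
    "name-mismatch": "Certificate name does not cover the scan target: run the scan against "
                     "the FQDN the certificate was issued for, not the IP address.",
    "expired": "Certificate has expired: renew it and update admin-server-cert.",
    "other-verify-failure": "Certificate verification failed for another reason; inspect the error.",
}


@dataclass
class AdminCertCheck:
    target: str
    port: int
    finding: str   # one of the REMEDIATION keys, or "connection-error"
    detail: str    # raw error text, or the issuer CN when trusted

    @property
    def passes(self) -> bool:
        return self.finding == "trusted"

    @property
    def advice(self) -> str:
        return REMEDIATION.get(self.finding,
                               "Connection failed; confirm admin-sport and reachability.")


def classify_verify_error(message: str) -> str:
    """Map an ssl.SSLCertVerificationError message to a finding name.

    Fragments come from OpenSSL ("self-signed certificate" / "self signed certificate",
    "unable to get local issuer certificate", "certificate has expired") and from
    Python's own name matching ("Hostname mismatch", "IP address mismatch").
    """
    m = message.lower()
    if "self-signed certificate" in m or "self signed certificate" in m:
        return "untrusted-self-signed"
    if "unable to get local issuer certificate" in m:
        return "untrusted-chain"
    if "hostname mismatch" in m or "ip address mismatch" in m:
        return "name-mismatch"
    if "certificate has expired" in m:
        return "expired"
    return "other-verify-failure"


def check_admin_cert(target: str, port: int = 4443, timeout: float = 5.0) -> AdminCertCheck:
    """Connect to the admin GUI over TLS and verify the certificate like a scanner would.

    create_default_context() loads the system trust store and enables hostname
    checking; server_hostname=target makes Python match the name (or IP address)
    against the certificate's SAN entries, so scanning by IP vs FQDN is visible.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((target, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=target) as tls:
                cert = tls.getpeercert()
                # getpeercert() returns the issuer as a tuple of RDN tuples of (name, value) pairs
                issuer = dict(rdn[0] for rdn in cert["issuer"])
                return AdminCertCheck(target, port, "trusted",
                                      issuer.get("commonName", "<unknown issuer>"))
    except ssl.SSLCertVerificationError as exc:
        return AdminCertCheck(target, port, classify_verify_error(str(exc)), str(exc))
    except (OSError, ssl.SSLError) as exc:
        return AdminCertCheck(target, port, "connection-error", str(exc))


if __name__ == "__main__":
    import sys
    # Usage: python check_admin_cert.py fw.example.com 4443   (host and port are placeholders)
    host = sys.argv[1] if len(sys.argv) > 1 else "fw.example.com"
    prt = int(sys.argv[2]) if len(sys.argv) > 2 else 4443
    result = check_admin_cert(host, prt)
    print(f"{host}:{prt} -> {result.finding}: {result.detail}")
    print(result.advice)
```

Run it twice, once against the FQDN and once against the public IP that FQDN resolves to: a "name-mismatch" on the IP run with "trusted" on the FQDN run is the situation the note describes, whereas "untrusted-self-signed" on both runs means steps 3 to 5 have not taken effect yet.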