FortiGate
nevan
Staff
Article Id 335642
Description This article describes the steps to follow when the PCI compliance check fails on a FortiGate. Reviewing the resulting logs and the configuration may require the involvement of security professionals, as appropriate.
Scope FortiOS.
Solution

The PCI compliance check is a FortiOS feature that verifies that the FortiGate configuration meets a set of requirements derived from the Payment Card Industry Data Security Standard (PCI DSS).

 

This is a legacy check: it was removed in FortiOS 6.0.0 and replaced by the Security Rating menu.

Originally, this would have been configured under System > Advanced > Compliance.

More details are visible on page 1021 of this document: 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/1408fd42-1a1b-11e9-9685-f8bc12...


When the compliance check runs and one of its checks fails, an event log entry with subtype compliance-check and log ID 0109045151 is generated and can be viewed under Log & Report.

Sample Logs:

date=2024-03-02 time=00:04:29 devname=FG60F devid=FGT90GXXXX logid="0109045151" type="event" subtype="compliance-check" level="alert" vd="root" eventtime=1677159268 logdesc="PCI DSS compliance check failed" action="comp-check" result="fail" reason="FTNT-XXXX" status="critical" module="WF" msg="Check that Hacking-related sites are being blocked by a WF policy"

date=2024-02-26 time=00:04:14 devname=FG101F devid=FGT100FXXXX logid="0109045151" type="event" subtype="compliance-check" level="alert" vd="root" eventtime=1645805054 logdesc="PCI DSS compliance check failed" action="comp-check" result="fail" reason="FTNT-XXXX" status="medium" module="Anti-Botnet" msg="Check FGT's Anti-Bot configuration enabled on interfaces"


Once such an event appears under Log & Report, the following steps can be followed.

Review the Event Log Details: Each event identifies the check that failed in its msg field, the feature concerned in its module field, and the severity in its status field. In the examples above, the first event reports that the Web Filter is not blocking Hacking-related sites, and the second that Anti-Botnet protection is not enabled on the interfaces; in both cases the FortiGate would fail to block traffic that PCI DSS expects to be blocked.

Review the FortiGate Configuration: Inspect the relevant configuration settings and correct them according to the failed check named in the event log. For example, creating a Web Filter profile that blocks the 'Hacking' category and applying it in the relevant firewall policy resolves the failure in the first log.

Involve Security Professionals: If needed, involve security professionals or consultants with expertise in PCI DSS compliance to perform a thorough assessment of the FortiGate configuration and provide recommendations for improvement.
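As an added illustration (not part of the original article and not Fortinet code), the following Python script parses FortiGate event log lines in the key=value format shown above, keeps only compliance-check failures (logid 0109045151 with result=fail), collapses the same check failing on consecutive days on the same device into one finding, and lists the findings by severity together with a pointer to the configuration area to review. The sample log lines are constructed to mirror the article's examples (device names and IDs are placeholders, and a fourth unrelated event is included to show that it is ignored); the severity ordering and the remediation hints are my own assumptions, not Fortinet's.

```python
import re

# Log ID and subtype the article gives for PCI compliance-check failures.
COMPLIANCE_LOGID = "0109045151"
COMPLIANCE_SUBTYPE = "compliance-check"

# Assumed severity order for the 'status' field (critical first); the article
# only shows "critical" and "medium".
STATUS_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Hypothetical remediation hints keyed by the log's 'module' field. These are
# this example's own pointers to the configuration area to review, not Fortinet text.
REMEDIATION_HINTS = {
    "WF": "Review the Web Filter profile (FortiGuard category filters) and the "
          "firewall policy that applies it.",
    "Anti-Botnet": "Review botnet/C&C scanning on the interfaces that carry "
                   "cardholder traffic.",
}

# Constructed sample log lines modelled on the article's format; devnames/devids
# are placeholders. Lines 1 and 2 mirror the article, line 3 repeats the WF
# failure on the next day, line 4 is an unrelated event that must be ignored.
SAMPLE_LOGS = """\
date=2024-03-02 time=00:04:29 devname=FG60F devid=FGT90GXXXX logid="0109045151" type="event" subtype="compliance-check" level="alert" vd="root" eventtime=1677159268 logdesc="PCI DSS compliance check failed" action="comp-check" result="fail" reason="FTNT-XXXX" status="critical" module="WF" msg="Check that Hacking-related sites are being blocked by a WF policy"
date=2024-02-26 time=00:04:14 devname=FG101F devid=FGT100FXXXX logid="0109045151" type="event" subtype="compliance-check" level="alert" vd="root" eventtime=1645805054 logdesc="PCI DSS compliance check failed" action="comp-check" result="fail" reason="FTNT-XXXX" status="medium" module="Anti-Botnet" msg="Check FGT's Anti-Bot configuration enabled on interfaces"
date=2024-03-03 time=00:04:31 devname=FG60F devid=FGT90GXXXX logid="0109045151" type="event" subtype="compliance-check" level="alert" vd="root" eventtime=1709424271 logdesc="PCI DSS compliance check failed" action="comp-check" result="fail" reason="FTNT-XXXX" status="critical" module="WF" msg="Check that Hacking-related sites are being blocked by a WF policy"
date=2024-03-03 time=00:05:00 devname=FG60F devid=FGT90GXXXX logid="0100032002" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"
"""

# FortiGate logs are space-separated key=value pairs; values containing spaces
# are double-quoted, so the quoted alternative must be tried first.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse one key=value log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def compliance_failures(text):
    """Return only compliance-check failure events (logid 0109045151, result=fail)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_fortigate_log(line)
        if (ev.get("logid") == COMPLIANCE_LOGID
                and ev.get("subtype") == COMPLIANCE_SUBTYPE
                and ev.get("result") == "fail"):
            events.append(ev)
    return events


def triage(events):
    """Collapse repeated failures of the same check on the same device into one finding.

    Findings are sorted by severity, then device name, then module."""
    findings = {}
    for ev in events:
        key = (ev.get("devname"), ev.get("module"), ev.get("msg"))
        f = findings.get(key)
        if f is None:
            f = findings[key] = {
                "devname": ev.get("devname"),
                "module": ev.get("module"),
                "status": ev.get("status"),
                "msg": ev.get("msg"),
                "count": 0,
                "first": ev.get("date", ""),
                "last": ev.get("date", ""),
                "hint": REMEDIATION_HINTS.get(
                    ev.get("module"), "No hint for this module; follow the msg text."),
            }
        f["count"] += 1
        # 'date' is ISO-formatted (YYYY-MM-DD), so string comparison orders correctly.
        f["first"] = min(f["first"], ev.get("date", ""))
        f["last"] = max(f["last"], ev.get("date", ""))
    return sorted(findings.values(),
                  key=lambda f: (STATUS_RANK.get(f["status"], 99), f["devname"], f["module"]))


if __name__ == "__main__":
    for f in triage(compliance_failures(SAMPLE_LOGS)):
        print(f"[{f['status']}] {f['devname']} {f['module']}: {f['msg']} "
              f"(x{f['count']}, {f['first']}..{f['last']})")
        print(f"    -> {f['hint']}")
```

Run against a log export (for example, the output of a FortiAnalyzer or syslog search for logid 0109045151), the script yields one line per distinct failed check rather than one per nightly run, which is what a remediation tracker needs; the hint text should be replaced with the organisation's own runbook references.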

Important articles to consult when 'PCI DSS compliance check failed' triggers:

Technical Tip: Compliance Check - Check the dropped out-of-state TCP packets

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/1408fd42-1a1b-11e9-9685-f8bc12...