- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: allowing PCI scans for Web apps behind Fortiwe...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
allowing PCI scans for Web apps behind Fortiweb
Hi,
anybody here with experience with PCI scanning but FortiWeb now allowing it ? I don't understand customer in full extent but we would need to reconfigure Fortiweb in order to give qualys free access. We are running 5.2.4
Damir
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like they do not understand the PCI DSS spec.
Blocking vulnerabilities and untrusted scanners like Qualys is normal for all WAF. If FortiWeb did *not* block, then they would violate PCI DSS requirement 1.2, 1.3, 2.5...
https://www.pcisecurityst..._Change_Highlights.pdf
https://www.pcisecurityst...cuments/PCI_DSS_v3.pdf
Compliance = show diligent security, and use WAF to protect vulnerable apps & data. So unrestricted access is the *opposite* of what they want for a PCI audit... In fact, they *want* the vulnerability scanner to prove that FortiWeb is blocking Everything Bad(TM). You shouldn't open up your FortiGate nor FortiWeb nor FortiDB.
Maybe their purpose is not really PCI though? Or, they are doing PCI requirement 6.3.2?
If you're doing a vuln scan for code audits, to find performance tweaks (to find & enable only applicable signatures on FortiWeb), or to find unpatched apps BEFORE a PCI audit (requirement 6.3.2) — that's different. Run that scan on testing/staging with a fake database, NOT real cardholder data, and choose FortiWeb's Alert Only protection profile or disable all scans. Depending on what you're looking for, don't use HTTPS (SSL offloading/inspection) as FortiWeb has built in SSL/TLS attack protection. You may need to route traffic directly to servers and avoid FortiWeb if you're looking for HTTPS vulnerabilities on the servers. Obviously DON'T run it on your production servers, because, as PCI stipulates, those should be protected at all times.
Basically sometimes it's useful to scan an unprotected non-PCI testing/staging environment.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
thank you for pointing it to all direction. I am aware of that but customer would like to scan web app behind WAF without actually taking off WAF. Also they would like to "allow" Fortiweb to be scaned. Per their saying, Fortiweb doesn't respond to scans? Is this douable with WAF as I know it is possible to open it up ?
Damir
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
damiri wrote:Do you mean with an error code? Like HTTP 500?
Per their saying, Fortiweb doesn't respond to scans?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"untrusted scanners like Qualys" what do you mean by this? How to Qualys make "trusted" since they purchased this service?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to trust Qualys— not block ANY scans, even if it simulates an attack. — then whitelist it Basically, it is like removing FortiWeb. Qualys will have full visibility .
http://docs-legacy.fortin...ing_clients_by_IP.html
Important:
1) Understand it is *not*a real PCI scan that way.
Only helps check if servers are patched & code is secure. It can't check your security config.
2) The Qualys report may show many "false positives" — vulnerabilities that attackers cannot really exploit.
Why? Because FortiWeb will protect vulnerable web apps unless you disable all signatures/rules or whitelist the attacker ... ;)
3) Scan a test environment, NOT the live production web servers.
If Qualys tests for SQL injection vulnerabilities, for example, it could ruin the database.
4) Scan HTTP, not HTTPS.
Some of FortiWeb's SSL/TLS attack protection cannot be disabled (if in reverse proxy mode). Blocks some HTTPS vuln scans.
Related Posts
- VPN connected clients only allowed to... 144 Views
- Fortiweb Manager - add Device 100 Views
- Fortinac allow internet access (Guest Network)... 355 Views
- allow port access for specific ip 143 Views
- Trouble Receiving DHCP Packet Over S2S... 228 Views
Labels
-
FortiGate
6,451 -
FortiClient
1,288 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.