I'm trying to find documentation that would answer the following PCI requirement, specifically the last line:
Products I'm looking to cover is FortiGate, FortiAP and FortiSwitch
PCI-DSS Requirement 5.2.3:
All system components not at risk for malware are evaluated periodically to include:
A documented list of all system components not at risk for malware.
Identification and evaluation of evolving malware threats for those system components.
Confirmation that such systems continue to not require anti-malware protection.
I have not been able to find anything in the admin guides. As much as I would love to say "because I said so", it's not acceptable. I need either an industry doc or a vendor doc for firewalls, APs, switches.
Can someone point me to a document either by Fortinet or from "recognized" industry/experts?
This would be an accepted answer from another vendor as an example - VMWare's response:
https://knowledge.broadcom.com/external/article/345255/using-antivirus-and-malware-detection-so.html
There are SAQ docs that list out which requirements and sub requirements are required for each type of SAQ. That might be the closest thing. Otherwise, ctrl+f "interview" in the PCI DSS 4.0.1. That won't be perfect either because QSAs might not always do do every interview or one interview might cover a wife range of requirements https://tutuapp.uno/ .
I believe you misunderstood, I posted the requirement from PCI-DSS. I need a document from Fortinet that states it does not need to run a local AV on the OS because of XYZ reasons.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.