Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
NeilG wrote:In this case the only external ports are SSLVPN on the fortigate itself, and this scan has to pass every quarter so the configuration is ongoing.
If the scans are directed at the Fortigate itself, you will likely need to set up a local-in policy to handle that traffic. By default, the fortigate has "open ports", which are shown (if feature is enabled) under policy/policy/local in policy.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Mark Oakton wrote:
you do not have to enable inbound traffic for a PCI scan, just disable IPS for the scanner range
Mark,
I had already tried adding exceptions for IPS before going with the Allow to LAN but maybe I am doing it in the wrong place?
(I personally don't understand how whitelisting IP addresses can be a safe policy given the ability to spoof so if there is a better way that works I would like to know it.)
btw Does anyone use Fortinet for their external PCI compliance scans? Do they offer that?
Thanks!
-Neil
I'd push back against the auditors, you have a right to despite what they imply. I have to all the time. If they can't connect, I think that demonstrates that your config is working. I would NEVER reduce my rules to allow someone to attack me unless it was for a very specific exercise (which this may be so please excuse my casual observations if that is the case). If they are trying to run vuln scans, they should either connect via a VPN or bring something in-house if they need unfiltered access to your LAN systems. Again I would never open my firewall to comply with something like this. It is madness. My guess is that most of the dimwits they scan have SOHO routers with NATs and not IPS/IDS. They are most likely not familiar with the UTM2 world.
Like others have said, they should be able to scan your open ports (I'll assume you have 80, 443, and perhaps 23 open) and run recon that way. That is how an attacker would do it. White-listing them so their scans will succeed doesn't make sense. Scanning as you have it will provide a more accurate result as it will demonstrate what an attacker is actually able to see.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.