Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: How do I NOT block PCI scans on WAN ports?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I NOT block PCI scans on WAN ports?
I am trying to determine what I am doing wrong.
I' m working with a vendor who requires that they scan the external (WAN1) interface of the firewall for PCI compliance audit check process. To that effect they require a range of IP addresses to be " whitelisted" within IPS.
I thought I had done that by doing the following:
[ul]
For the IPS profile that is assigned to the SSLVPN port, for each policy add the IP address/subnet mask to the IP exceptions list
Reboot the firewall
[/ul]
The vendor performing the scan' s indicates that they are still being blocked.
Have I " whitelisted" them wrong? Is there a better way of doing this?
Thanks in advance!
-Neil
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NeilG wrote:In this case the only external ports are SSLVPN on the fortigate itself, and this scan has to pass every quarter so the configuration is ongoing.
If the scans are directed at the Fortigate itself, you will likely need to set up a local-in policy to handle that traffic. By default, the fortigate has "open ports", which are shown (if feature is enabled) under policy/policy/local in policy.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
what I do not really understand is why you are implementing for this scan something special. This means you have the firewall configured as from best know-how and practice. What is required within a audit is a scan from outside world trying to access whatever. There will be some ports open from outside world like:
- IKE 500 TCP/UDP
- UDP 4500 for NAT Traversal
- etc.
This rules open are most based on Implied Rules. All what is the scan from the audit recongizing to be open you have to verfiy or give statement. This means if you implement the range of the audit organization you will not have a scan which represents the really open ports etc. What the audit organization should do (can be done by Qualys) is not a aggresive scanning meaning a low scan which takes some hours more but which does not impact your firewall.
If the audit finds as example IKE 500 to be open and you use site2site VPN you can implement some rules to cover more security by command:
config firewall local-in-policy
This rules are manually defined local-in-policy and would overwrite the local-in-policy. At the moment I do not understand why the auditor gives you his IP range to be whitelisted?
hope this helps
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
Put an old crappy workstation on an unused interface (dmz, for example)
Create a VIP without port mapping and point it to that unit
Make a policy from the outside to that PC
This won' t be accurate, but it won' t expose your network to internet bad guys either...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Much like Bob has indicated -- the security audit check/scan that I am more familiar with simply involves sticking a small box (mini pc?) on the network, behind the firewall with a VIP connection from outside the firewall (WAN connection) pointing to it from the security company' s IP space; but from what I gather a " PCI compliance audit" is geared towards assessing a company' s POS system.
Still, Neil' s description of what the vendor wants is a bit cryptic. I would just ask the vendor if the above scenario would work better for them.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
I manage and monitor over 200 Fortinet firewalls, that have to be PCI scanned quarterly.
The only way to satisfy this request, is to program all their whitelisted IPs in, set them up as a group, then create a firewall rule (the very top rule, although I technically have a Banned Countries rule even above that one) that says;
Source interface: WAN1
Source IP: PCI_Scan_Group
Destination Interface: LAN
Destination IP: ANY
Ports: ANY
Schedule: ANY
That' s it. If the firewall has no inbound rules, nothing is found. If you do, it uses that rule to snoop what is alive behind the firewall.
NOTE: If you allow your firewall login site to be accessed from anywhere (eg no restriction by IP) it will;
1) fail on weak SSL (' set strong-crypto enable' in the global), as well as
2) the SSL certificate not matching the location, and
3) not being a valid signed SSL Cert.
Hope this helps!
EDIT: Be aware, after the No Such Agency outrage, and after all my devices failed because a firmware update changed the strong crypto back to weak, I contacted a senior engineer at Fortinet, who claimed the need to lower strong crypto was to facilitate easier snooping of SSL Deep Packet Inspection. So, if you do do DPI on webfiltering, the strong crypto setting may affect this. I can' t say by how much (e.g. whether it fails outright, or forces more resources to be used).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The PCI compliance seems to require the audit scan to scan from Outside IN as ShrewLWD confirms.
I don' t like it, but the audit is given a failing mark if scanning attack attempts on the WAN interface are blocked by IPS.
[link=]https://www.controlscan.com/support_resources_qa.php#22b[/link]
ShrewLWD -
[ul]
Thanks for the warning about the strong-crypto.
I am running 5.0.7 - do you, by any chance, have some cli commands of your current settings for that rule that you could share or private message me?
[/ul]
Thanks again!
-N
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The PCI DSS audit requirement for an ASV scan is to have all live IP addresses scanned that are part of the CDE (firewall wan interface IP and all vip' s) on a quarterly basis, and that IPS is disabled for the scanner source range.
So a dmz box will not help, the scan must be on the visible range
Infosec Partners
Infosec Partners
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you do not have to enable inbound traffic for a PCI scan, just disable IPS for the scanner range
Infosec Partners
Infosec Partners
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mark Oakton wrote:
you do not have to enable inbound traffic for a PCI scan, just disable IPS for the scanner range
Mark,
I had already tried adding exceptions for IPS before going with the Allow to LAN but maybe I am doing it in the wrong place?
(I personally don't understand how whitelisting IP addresses can be a safe policy given the ability to spoof so if there is a better way that works I would like to know it.)
btw Does anyone use Fortinet for their external PCI compliance scans? Do they offer that?
Thanks!
-Neil
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd push back against the auditors, you have a right to despite what they imply. I have to all the time. If they can't connect, I think that demonstrates that your config is working. I would NEVER reduce my rules to allow someone to attack me unless it was for a very specific exercise (which this may be so please excuse my casual observations if that is the case). If they are trying to run vuln scans, they should either connect via a VPN or bring something in-house if they need unfiltered access to your LAN systems. Again I would never open my firewall to comply with something like this. It is madness. My guess is that most of the dimwits they scan have SOHO routers with NATs and not IPS/IDS. They are most likely not familiar with the UTM2 world.
Like others have said, they should be able to scan your open ports (I'll assume you have 80, 443, and perhaps 23 open) and run recon that way. That is how an attacker would do it. White-listing them so their scans will succeed doesn't make sense. Scanning as you have it will provide a more accurate result as it will demonstrate what an attacker is actually able to see.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Reality Check On Exposed Ports 336 Views
- Forti vm strange request 458 Views
- How to block 1723 port incoming... 391 Views
- Telnet - non default port 450 Views
- App ctrl - Block applications detected... 487 Views
Labels
-
FortiGate
8,407 -
FortiClient
1,700 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
540 -
FortiSwitch
456 -
FortiAP
452 -
6.0
416 -
FortiClient EMS
403 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
FortiWeb
197 -
5.0
196 -
IPsec
183 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiSIEM
100 -
FortiGateCloud
100 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
83 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
53 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCarrier
6 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1643 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.