Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: RE: How do I NOT block PCI scans on WAN ports...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I NOT block PCI scans on WAN ports?
I am trying to determine what I am doing wrong.
I' m working with a vendor who requires that they scan the external (WAN1) interface of the firewall for PCI compliance audit check process. To that effect they require a range of IP addresses to be " whitelisted" within IPS.
I thought I had done that by doing the following:
[ul]
For the IPS profile that is assigned to the SSLVPN port, for each policy add the IP address/subnet mask to the IP exceptions list
Reboot the firewall
[/ul]
The vendor performing the scan' s indicates that they are still being blocked.
Have I " whitelisted" them wrong? Is there a better way of doing this?
Thanks in advance!
-Neil
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NeilG wrote:In this case the only external ports are SSLVPN on the fortigate itself, and this scan has to pass every quarter so the configuration is ongoing.
If the scans are directed at the Fortigate itself, you will likely need to set up a local-in policy to handle that traffic. By default, the fortigate has "open ports", which are shown (if feature is enabled) under policy/policy/local in policy.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
- « Previous
-
- 1
- 2
- Next »
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dfollis wrote:I'd push back against the auditors, you have a right to despite what they imply. I have to all the time.
<snip>
Like others have said, they should be able to scan your open ports (I'll assume you have 80, 443, and perhaps 23 open) and run recon that way. That is how an attacker would do it. White-listing them so their scans will succeed doesn't make sense. Scanning as you have it will provide a more accurate result as it will demonstrate what an attacker is actually able to see.
In this case the only external ports are SSLVPN on the fortigate itself, and this scan has to pass every quarter so the configuration is ongoing.
The worst is that with no firewall changes, scans that last quarter pass, now this quarter fail saying they are being blocked on 443 which is the SSLVPN.
IPS logs shows NOTHING, I had already created a WAN->ALL rule with an IPS whitelist, and modified the WAN->ROOT(SSLVPN) rule to whitelist the IPS for their IP range.
Other than reboots, nothing had changed between the pass/fail. but then the last pass before that failed due to not having 2FA, which we now have -- and they have no way of testing for without a valid login.
This whole PCI-DSS external vulnerability scan seems lame - since their old, weak, IPS provided modem/router "firewall" always passed without fail.
How ridiculous is that, that a cheap home firewall passes the PCI external vuln scan but a UTM device takes 8-20 hours of time every 90 days to get to pass.
-Neil
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Target and Home Depot were PCI Compliant. I would try and work with the auditors to gain a more accurate benchmark. I would say give them a test login to simulate someone stealing credentials, but now that you have 2FA, that is less likely to occur. Then again if someone has a bot on a home computer they can attack you that way even with 2FA unless you sandbox their connection adequately.
Unless you are a Security Manager and audits are your primary responsibility I would go to your Finance/Regulatory department and explain the situation to see if you can find another metric since it is wasting so much of your time. I definitely would not lessen my rules to allow them to get a "good" scan. That defeats the entire purpose of the exercise. Good luck.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NeilG wrote:In this case the only external ports are SSLVPN on the fortigate itself, and this scan has to pass every quarter so the configuration is ongoing.
If the scans are directed at the Fortigate itself, you will likely need to set up a local-in policy to handle that traffic. By default, the fortigate has "open ports", which are shown (if feature is enabled) under policy/policy/local in policy.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
It seems the majority of the responders, while thinking logically, have not had to do PCI Audit Compliance scanning.
PCI will not accept our say-so on what ports are open, and what ports are not, they MUST find out for themselves, determine what is listening on that port, and then test that application against a set of known vulnerabilities.
Their sweep is incidental (while critical) to them testing the application that is internet facing. Given how prevalent exploits are for specific applications, hackers don't often do full sweeps anymore, they just go looking for those open ports. PCI needs to know those applications are updated with fixes, and not just relying on a UTM feature of the firewall to protect it.
Because of this, they must be able to do a full sweep, and they must be able to do an unhindered vulnerability assessment of the application behind it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solved: So the issue that is happening with NeilG and the same with me is this. When you enabled SSL-VPN and/or turn on HTTP and/or HTTPS access on your firewall it is creating webserver ports that are being scanned. The internal webserver on the firewall doesn't allow multiple connections and blocks the server from scanning everything it needs to scan. There is no way that I know of to let the server on the firewall allow this to happen. IPS and all that other whitelisting doesnt work. The way I got it to work was to do the following:
1. Create ports under: "Services". Add the ports that are listed under the SSL-VPN and settings. Usually 443, 80, and what ever your VPN port is. (SSL-VPN Settings)
2. Create Virtual IP: Map the IPv4 to 1.2.3.4. Toggle on Optional Filters and toggle on source address. If you use Qualsys as the engine for PCI scans you want to add 64.39.96.0/20 and 139.87.112.0/23 as source addresses. This may be different for your company. Check your scanner page right before you schedule a scan and it will tell you what servers are scanning you. Under Services toggle that on and add those ports your created under "services".
3. Under firewall policy create a new policy and set the following:
Incoming interface: Wan1
Outgoing interface: internal
Source: all
Destination: <Add your virtual IP>
Schedule: always
Services: all
Action: Deny
You are all done. Make sure that policy is enabled and you will be able to access all your open ports on the firewall but the scanner will be banned from scanning your firewall ports and allow you to pass the scan. You dont need an actual computer at 1.2.3.4 its just going to come back as a dead server.
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Reality Check On Exposed Ports 336 Views
- Forti vm strange request 458 Views
- How to block 1723 port incoming... 391 Views
- Telnet - non default port 450 Views
- App ctrl - Block applications detected... 487 Views
Labels
-
FortiGate
8,407 -
FortiClient
1,700 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
540 -
FortiSwitch
456 -
FortiAP
452 -
6.0
416 -
FortiClient EMS
403 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
FortiWeb
197 -
5.0
196 -
IPsec
183 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiSIEM
100 -
FortiGateCloud
100 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
83 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
53 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCarrier
6 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1643 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.