Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
adidasnmotion
New Contributor

Created on ‎01-28-2021 02:53 PM

PCI Scan fails because Qualys scanner can't scan the ssl-vpn login page

We have an issue where our PCI scans from a third party (Qualys) are failing.  Their support tell us the following:

This vulnerability is because the scanner found tcp port 443 open to the public internet but the https service could not be used for a scan. If I connect to this port in my browser ([link]https://xxx.xxx.xxx.xxx)[/link] I can load a Forticlient VPN login page with https. If I can see this page over https then you will need to permit the scanner to have the same access to https so it can scan the VPN login page.

How can we exempt Qualys scans to our ssl-vpn login page?

5544
0 Kudos
6 REPLIES 6
Toshi_Esumi
SuperUser
SuperUser

Created on ‎01-29-2021 09:21 AM

Do you happen to limit the source IPs for SSL VPN (CLI "set source-address" under "config vpn ssl settings")? Then, you just need to add the source IP (NATed IP) where the scanner is coming from.

4288
0 Kudos
adidasnmotion
New Contributor
In response to Toshi_Esumi

Created on ‎01-29-2021 09:38 AM

We don't limit the source IP's for SSL VPN.  Its accessible from anywhere.  A tech from the pci compliance vendor can connect to the page in a web browser, but when they use their scanning tools on the page the firewall apparently blocks the scan.

4288
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to adidasnmotion

Created on ‎01-29-2021 10:17 AM

Then nothing else you can do other than insisting the problem is on their end since a browser can access. None of our customer's, including ours, PCI auditors don't have any problem scanning IPs, on which SSL VPN is set up without source restrictions.

4288
0 Kudos
adidasnmotion
New Contributor
In response to Toshi_Esumi

Created on ‎02-01-2021 09:41 AM

Does the ssl-vpn login page have IPS applied to it?  If so, how would we exempt the qualys scan there?

4288
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to adidasnmotion

Created on ‎02-01-2021 09:54 AM

IPS works when you applied a profile to policies. Do you have any applied to the SSL VPN policies? But they scan it without logging in like the admin GUI HTTPS interface. Shouldn't be a matter.

4288
0 Kudos
ajmueller
New Contributor
In response to Toshi_Esumi

Created on ‎03-30-2021 03:41 PM

I am having the same issue (along with the same canned response from the PCI scan tech).  Were you able to solve the issue?

4288
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.