PCI Scan fails because Qualys scanner can't scan the ssl-vpn login page
We have an issue where our PCI scans from a third party (Qualys) are failing. Their support tell us the following:
This vulnerability is because the scanner found tcp port 443 open to the public internet but the https service could not be used for a scan. If I connect to this port in my browser (https://xxx.xxx.xxx.xxx) I can load a FortiClient VPN login page with https. If I can see this page over https then you will need to permit the scanner to have the same access to https so it can scan the VPN login page.
How can we exempt Qualys scans to our ssl-vpn login page?
Do you happen to limit the source IPs for SSL VPN (CLI "set source-address" under "config vpn ssl settings")? Then, you just need to add the source IP (NATed IP) where the scanner is coming from.
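As an added example of what the reply above describes (this is not the poster's own CLI output and not Fortinet documentation): checking whether a source restriction is set, and adding the scanner without clobbering the existing list. The address object name "PCI-Scanner" and the IP 203.0.113.10 are placeholders; substitute the NATed source IP the scanning vendor publishes. Lines beginning with # are commentary, not CLI input.

```fortios
# If "source-address" shows one or more address objects, only those
# sources can reach the SSL-VPN portal; anyone else is dropped before
# the login page is served.
show vpn ssl settings

# Address object for the scanner's public (NATed) IP. 203.0.113.10 is a
# placeholder from the documentation range, not a real scanner address.
config firewall address
    edit "PCI-Scanner"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# "append" adds to a multi-value field; "set source-address ..." would
# replace the whole list and lock out the sources already permitted.
config vpn ssl settings
    append source-address "PCI-Scanner"
end

# Confirm the new entry is present.
show vpn ssl settings
```

If `source-address` is empty, the portal is already reachable from any source and this change is not what the scanner is hitting.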
We don't limit the source IPs for SSL VPN. It's accessible from anywhere. A tech from the PCI compliance vendor can connect to the page in a web browser, but when they use their scanning tools on the page the firewall apparently blocks the scan.
Then there is nothing else you can do other than insisting the problem is on their end, since a browser can access it. None of our customers' PCI auditors, including ours, have any problem scanning IPs on which SSL VPN is set up without source restrictions.
Does the ssl-vpn login page have IPS applied to it? If so, how would we exempt the Qualys scan there?
IPS works when you apply a profile to policies. Do you have any applied to the SSL VPN policies? But they scan it without logging in, like the admin GUI HTTPS interface. It shouldn't matter.
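An added check for the IPS question (not from the replies above): list which firewall policies carry an IPS sensor, and trace the scanner's packets to see where the FortiGate actually accepts or drops them. 203.0.113.10 is a placeholder for the scanner's NATed IP; lines beginning with # are commentary, not CLI input.

```fortios
# Every "set ips-sensor" line across the policy table. Run plain
# "show firewall policy" to see the full entry each line belongs to.
# An SSL-VPN policy (srcintf "ssl.root") only sees traffic from clients
# that have already logged in, so a sensor there cannot block an
# unauthenticated scan of the login page, which terminates on the
# FortiGate itself.
show firewall policy | grep ips-sensor

# Traffic addressed to the FortiGate itself, including the SSL-VPN
# listener, is governed by local-in policies, not by the policies above.
# Check that nothing here denies the scanner's source.
show firewall local-in-policy

# Trace the scanner's packets on 443 while the scan is running.
# 203.0.113.10 is a placeholder, not a real scanner address.
diagnose debug flow filter addr 203.0.113.10
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug flow trace start 50
diagnose debug enable

# (run the scan; each traced packet prints the accept or drop decision
#  and, for drops, the reason and the stage that dropped it)

diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

If the trace shows the scanner's SYNs being accepted and answered, the FortiGate is not blocking the scan and the vendor's claim that "the firewall blocks it" has no evidence behind it on this side; if it shows drops, the printed reason names the feature to adjust.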
I am having the same issue (along with the same canned response from the PCI scan tech). Were you able to solve the issue?
