Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
damiri
New Contributor

allowing PCI scans for Web apps behind Fortiweb

Hi,

anybody here with experience with PCI scanning but FortiWeb now allowing it ? I don't understand customer in full extent but we would need to reconfigure Fortiweb in order to give qualys free access. We are running 5.2.4 

 

Damir

5 REPLIES 5
Courtney_Schwartz

It sounds like they do not understand the PCI DSS spec. Blocking vulnerabilities and untrusted scanners like Qualys is normal for all WAF. If FortiWeb did *not* block, then they would violate PCI DSS requirement 1.2, 1.3, 2.5... https://www.pcisecurityst..._Change_Highlights.pdf https://www.pcisecurityst...cuments/PCI_DSS_v3.pdf Compliance = show diligent security, and use WAF to protect vulnerable apps & data. So unrestricted access is the *opposite* of what they want for a PCI audit... In fact, they *want* the vulnerability scanner to prove that FortiWeb is blocking Everything Bad(TM). You shouldn't open up your FortiGate nor FortiWeb nor FortiDB. Maybe their purpose is not really PCI though? Or, they are doing PCI requirement 6.3.2? If you're doing a vuln scan for code audits, to find performance tweaks (to find & enable only applicable signatures on FortiWeb), or to find unpatched apps BEFORE a PCI audit (requirement 6.3.2) — that's different. Run that scan on testing/staging with a fake database, NOT real cardholder data, and choose FortiWeb's Alert Only protection profile or disable all scans. Depending on what you're looking for, don't use HTTPS (SSL offloading/inspection) as FortiWeb has built in SSL/TLS attack protection. You may need to route traffic directly to servers and avoid FortiWeb if you're looking for HTTPS vulnerabilities on the servers. Obviously DON'T run it on your production servers, because, as PCI stipulates, those should be protected at all times. Basically sometimes it's useful to scan an unprotected non-PCI testing/staging environment.
damiri
New Contributor

Hi,

thank you for pointing it to all direction. I am aware of that but customer would like to scan web app behind WAF without actually taking off WAF. Also they would like to "allow" Fortiweb to be scaned. Per their saying, Fortiweb doesn't respond to scans?   Is this douable with WAF as I know it is possible to open it up ?

Damir

Courtney_Schwartz

damiri wrote:
Per their saying, Fortiweb doesn't respond to scans?
Do you mean with an error code? Like HTTP 500?
damiri
New Contributor

"untrusted scanners like Qualys" what do you mean by this? How to Qualys make "trusted" since they purchased this service?

Courtney_Schwartz

If you want to trust Qualys— not block ANY scans, even if it simulates an attack. — then whitelist it Basically, it is like removing FortiWeb. Qualys will have full visibility . http://docs-legacy.fortin...ing_clients_by_IP.html Important: 1) Understand it is *not*a real PCI scan that way. Only helps check if servers are patched & code is secure. It can't check your security config. 2) The Qualys report may show many "false positives" — vulnerabilities that attackers cannot really exploit. Why? Because FortiWeb will protect vulnerable web apps unless you disable all signatures/rules or whitelist the attacker ... ;) 3) Scan a test environment, NOT the live production web servers. If Qualys tests for SQL injection vulnerabilities, for example, it could ruin the database. 4) Scan HTTP, not HTTPS. Some of FortiWeb's SSL/TLS attack protection cannot be disabled (if in reverse proxy mode). Blocks some HTTPS vuln scans.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors