PCI Compliance Certification and FortiManager

My company is in the final stages of acquiring a PCI Compliance certification.  We're one scanned tested away from obtaining this however the scans that are failing has traffic being directed to a FortiManager appliance.  The appliance is a VM, running on a Gen8 HP BL460 blade server with ESXi 5.0 as the Hypervisor.  Per Fortinet, the ports that are required to run are 22, 443, 6022, 6023, 53, 123, 514, 541, and 161.  Initially we had a full PAT from our external IP address to the internal IP address and so the vulnerability scan was picking up other vulnerabilities.  I setup firewall objects for each port and rewrote the policy to pass traffic on those ports only.  The scan comes back and and says that we're still failing on 22 and 443, which are secure, right?  Our FortiManager appliance is running at 5.0.6 currently.  There ARE newer versions of firmware which I'm not going to ignore as an option, but I want to be certain this is going to resolve my issue before spending the time to update the appliance.  Fortinet's technical support hasn't been much help, ironically, although I suspect the issue their is a matter of customer service, not intelligence.

Has anyone had to deal with PCI compliance and Fortinet Appliances?  Can someone tell me that fix for this is just to upgrade the appliance's firmware?  Any help would be appreciated.
LVL 3
JoeSystems AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
You need to see the error in specific to 22 and 443. The port does not mean secure and compliant, my take on possible area
a) clear traffic still go through like any other port though it should be implementing proper key exchange and encryption or even the expected protocol services
b) use of weak crypto cipher in 22 and 443
c) unpatched or vulnerable services in 22 and 443
d) trigger signature of exploits existence or matched in scanner db
e) false positive

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.