Solved

PCI Compliance Certification and FortiManager

Posted on 2014-11-20
1
183 Views
Last Modified: 2015-02-05
My company is in the final stages of acquiring a PCI Compliance certification.  We're one scanned tested away from obtaining this however the scans that are failing has traffic being directed to a FortiManager appliance.  The appliance is a VM, running on a Gen8 HP BL460 blade server with ESXi 5.0 as the Hypervisor.  Per Fortinet, the ports that are required to run are 22, 443, 6022, 6023, 53, 123, 514, 541, and 161.  Initially we had a full PAT from our external IP address to the internal IP address and so the vulnerability scan was picking up other vulnerabilities.  I setup firewall objects for each port and rewrote the policy to pass traffic on those ports only.  The scan comes back and and says that we're still failing on 22 and 443, which are secure, right?  Our FortiManager appliance is running at 5.0.6 currently.  There ARE newer versions of firmware which I'm not going to ignore as an option, but I want to be certain this is going to resolve my issue before spending the time to update the appliance.  Fortinet's technical support hasn't been much help, ironically, although I suspect the issue their is a matter of customer service, not intelligence.

Has anyone had to deal with PCI compliance and Fortinet Appliances?  Can someone tell me that fix for this is just to upgrade the appliance's firmware?  Any help would be appreciated.
0
Comment
Question by:Josef Al-Chacar
1 Comment
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40457181
You need to see the error in specific to 22 and 443. The port does not mean secure and compliant, my take on possible area
a) clear traffic still go through like any other port though it should be implementing proper key exchange and encryption or even the expected protocol services
b) use of weak crypto cipher in 22 and 443
c) unpatched or vulnerable services in 22 and 443
d) trigger signature of exploits existence or matched in scanner db
e) false positive
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question