
Sophos XG PCI compliance

We just installed a new XG 115 for a client of ours that had a ~15 old Cisco ASA and was failing PCI compliance scans due to firmware updates not being available. Now that we have installed this new UTM, I re-ran the scans. Unfortunately, the scan failed citing "The remote host does not discard TCP SYN packets that have the FIN flag set. Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules". The suggested 'fix' is to update the appliance, but it is already up-to-date. I need to figure out how to fix this because I am going to have a hard time explaining why their new UTM isn't passing scans! Ideas?
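The scanner finding above says the firewall let through TCP segments carrying SYN and FIN at the same time, a combination that never occurs in a legitimate handshake and that a stateful firewall is expected to discard. The following is an added illustration, not code from the original post or from Sophos, of the check such a filter (or an IDS rule) performs: it reads the flags byte of a raw TCP header and marks contradictory combinations for dropping. It also treats SYN+RST as illegal, which goes beyond the single combination the scan named. The header layout follows RFC 793; the sample segments are constructed for the example.

```python
"""Classify raw TCP headers by flag combination and decide whether a firewall should drop them."""
import struct

# TCP flag bits as they appear in byte 13 of the TCP header (RFC 793).
FIN = 0x01
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10
URG = 0x20

# Combinations that cannot occur in a valid TCP exchange. SYN+FIN is the one
# named by the PCI scan; SYN+RST is added here as an equally contradictory case.
ILLEGAL_COMBINATIONS = (SYN | FIN, SYN | RST)


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 443) -> bytes:
    """Construct a minimal 20-byte TCP header (no options, checksum left zero)."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack(
        "!HHIIBBHHH",
        sport, dport,
        0x11223344,  # sequence number (constructed)
        0,           # acknowledgement number
        data_offset, flags,
        65535,       # window
        0,           # checksum (not computed for this example)
        0,           # urgent pointer
    )


def parse_tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    return segment[13]


def flag_names(flags: int) -> str:
    """Human-readable rendering of a flags byte, e.g. 'FIN+SYN'."""
    table = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG))
    names = [name for name, bit in table if flags & bit]
    return "+".join(names) or "NONE"


def should_discard(segment: bytes) -> bool:
    """True when the segment carries a flag combination a firewall should drop."""
    flags = parse_tcp_flags(segment)
    return any((flags & combo) == combo for combo in ILLEGAL_COMBINATIONS)


def filter_segments(segments):
    """Return (flags, verdict) pairs for a batch of raw TCP headers."""
    return [(flag_names(parse_tcp_flags(s)), "DROP" if should_discard(s) else "PASS") for s in segments]


if __name__ == "__main__":
    # Constructed sample traffic: a normal handshake opener, a handshake reply,
    # the SYN+FIN probe the scanner reported, and a SYN+RST oddity.
    samples = [
        build_tcp_header(SYN),
        build_tcp_header(SYN | ACK),
        build_tcp_header(SYN | FIN),
        build_tcp_header(SYN | RST),
    ]
    for flags, verdict in filter_segments(samples):
        print(f"{flags:<12} {verdict}")
```

Running the block prints a verdict per sample; only the two contradictory segments come back as DROP. In practice this logic sits in the firewall's stateful engine or in an IPS signature, which is why the scan's suggested fix is an appliance update rather than a rule change.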



  • Hey

    What SFOS version is your XG 115 running?

    Did you have any Business Application rules performing a direct DNAT to your local network? (Feel free to share this information via PM if you would like to keep this info private)

    Regards,

  • We have 17.0.8 MR-8 installed. There are no Business Application rules. Since there is nothing that needs to come into this network normally, we are just using the default rule with HTTP scanning, lantowan_general IPS, the 'No Ads or Explicit Content' web filtering rule, and no application control (yet). Basically, we went with the defaults on setup, but turned off MTA mode for e-mail scanning as it was causing some issues with their legacy e-mail.

    I did create a firewall rule at the top that exempts the scanning IPs from all protections. I was told this needed to be done to prevent the port scanning from triggering the IPS protections. This seemed to be the way to do it per the articles I found online. Here is a screenshot of the rule; is this right? I can remove it and rescan, but it takes 24-36 hours for a scan to run, so trial and error is time-consuming.
