Sophos XG PCI compliance

What "Device Access" options are enabled on the Zone you are testing? My thinking being that User Portal or Console access is active on the IP's being tested.

The only things enabled on the WAN were the user portal and SSL VPN. We use neither so I disabled them. 

Then, I realized that the Sophos is behind a Centurylink Modem. I fear this port scan is catching something wrong with the modem. I put the Sophos in the modem's DMZ and will see if the scan passes. If that doesn't work, I'll have to put the modem in bridge mode and let the Sophos handle PPPoE. Ah, the joys of small office networking /s

The only things enabled on the WAN were the user portal and SSL VPN. We use neither so I disabled them. 

Then, I realized that the Sophos is behind a Centurylink Modem. I fear this port scan is catching something wrong with the modem. I put the Sophos in the modem's DMZ and will see if the scan passes. If that doesn't work, I'll have to put the modem in bridge mode and let the Sophos handle PPPoE. Ah, the joys of small office networking /s

Paul,

What was the outcome?

Still failing. The next step will be to put the modem into bridge mode to keep it from interfering with the scan. 

I don't have anything to add except that, at least for the people who do our PCI scanning, we're required to whitelist their IP's so the scanners get a clean crack at us.  Apparently IPS/IDS can detect the scan as an attack and just block everything from the scanner, but that paradoxically results in a "failure" scan since the scanner cannot complete its survey.  

If you have RED enabled, you'll get dinged for weak ciphers unless something has recently changed.  

I did initially whitelist their IPs but disabled that in troubleshooting. I scheduled a scan to run yesterday, and it is still pending, I will update when I know if this worked or not.