
Sophos XG PCI compliance

We just installed a new XG 115 for a client of ours that had a ~15 old Cisco ASA and was failing PCI compliance scans due to firmware updates not being available. Now that we have installed this new UTM, I re-ran the scans. Unfortunately, the scan failed citing "The remote host does not discard TCP SYN packets that have the FIN flag set. Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules". The suggested 'fix' is to update the appliance, but it is already up-to-date. I need to figure out how to fix this because I am going to have a hard time explaining why their new UTM isn't passing scans! Ideas?
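For readers unsure what the scanner's finding refers to, here is an added example (not from this thread or from Sophos) in Python: it parses raw TCP headers and classifies each segment by its flag combination the way a stateful firewall's sanity check should, so a SYN+FIN probe like the one the PCI scanner sends is reported as a segment to drop. The sample headers are constructed inline; `build_tcp_header` and `illegal_flag_reason` are hypothetical helpers written for this example.

```python
import struct

# TCP control-flag bits (low byte of the 16-bit data-offset/flags field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [("FIN", FIN), ("SYN", SYN), ("RST", RST),
              ("PSH", PSH), ("ACK", ACK), ("URG", URG)]

def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Construct a minimal 20-byte TCP header (checksum zeroed) for the samples."""
    off_flags = (5 << 12) | flags          # data offset = 5 words, no options
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       off_flags, window, 0, 0)

def parse_tcp_flags(header):
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", header[:14])
    return src, dst, off_flags & 0x003F     # the six classic flag bits

def illegal_flag_reason(flags):
    """Why a stateful firewall should discard a segment with these flags, or None."""
    if flags & SYN and flags & FIN:
        return "SYN+FIN set together (a SYN opens a connection, a FIN closes it)"
    if flags & SYN and flags & RST:
        return "SYN+RST set together"
    if (flags & (SYN | ACK | RST | FIN)) == 0:
        return "no control flags (null segment)"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK (not a normal close)"
    return None

def scan_verdicts(headers):
    """Classify each raw header as ('drop', reason) or ('pass', None)."""
    out = []
    for h in headers:
        src, dst, flags = parse_tcp_flags(h)
        names = "|".join(n for n, b in FLAG_NAMES if flags & b) or "none"
        reason = illegal_flag_reason(flags)
        out.append((src, dst, names, "drop" if reason else "pass", reason))
    return out

# Constructed samples toward port 443: a normal SYN, the SYN+FIN probe the
# compliance scanner sends, a bare FIN probe, and a normal FIN+ACK close.
SAMPLES = [
    build_tcp_header(40000, 443, SYN),
    build_tcp_header(40001, 443, SYN | FIN),
    build_tcp_header(40002, 443, FIN),
    build_tcp_header(40003, 443, FIN | ACK),
]

if __name__ == "__main__":
    for src, dst, names, verdict, reason in scan_verdicts(SAMPLES):
        print(f"{src}->{dst} flags={names:8} {verdict}" + (f" ({reason})" if reason else ""))
```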



  • I don't have anything to add except that, at least for the people who do our PCI scanning, we're required to whitelist their IPs so the scanners get a clean crack at us. Apparently IPS/IDS can detect the scan as an attack and just block everything from the scanner, but that paradoxically results in a "failure" scan since the scanner cannot complete its survey.

    If you have RED enabled, you'll get dinged for weak ciphers unless something has recently changed.  

  • I did initially whitelist their IPs but disabled that in troubleshooting. I scheduled a scan to run yesterday, and it is still pending; I will update when I know whether this worked or not.