
PCI DSS Compliance - How I got a pass

The goal here is to show one way to pass a PCI DSS compliance scan with a Sophos XG firewall.  Hopefully if my scenario doesn't exactly match yours, it will at least get you closer to the goal.  The scan failed yesterday on the following Services/port, which are enabled on the WAN zone:

- HTTPS (Admin)

- SSL VPN

- User Portal

- Port 8094

We have the client using a single terminal to run credit transactions.  That terminal is connected to its own network using Ports 3 and 4 of the firewall, which has a different static external IP.  This ended up being the key to what I expect will be a passing scan tomorrow.

Port 8094 was solved by tying the e-mail encryption to Port 8 (unused, disconnected).  We don't use the E-mail security portion of our XG firewalls.  If you do, tie it specifically to the non-credit card network ports (in our case, Ports 1 & 2).

The rest of the services were solved by doing a local services ACL Exception Rule.  My rule dropped traffic from WAN to the zone created for the Credit Card network (CC zone), and was for the above remaining services that are enabled on the WAN zone.  This successfully closed all ports in question for the "Credit Card Data Network" that PCI is concerned with.  I then confirmed with a port checker whether those ports were listening, and they were not.  I will update this tomorrow confirming how the scan went.  Let me know if anything is unclear, and I will do my best to edit/clarify.
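The "port checker" step above, scripted so it can be re-run from outside the CC network before each scan. This is an added example, not code from the post or from Sophos: 8094 is the only port number the post gives, the other three are assumed Sophos XG defaults that should be replaced with whatever the scan report lists, and the target address is a placeholder.

```python
"""Verify that the services a PCI scan flagged are no longer reachable on the
credit-card network's external IP.  Added example, not from the original post."""
import socket
from typing import Dict, List

# Ports to verify.  8094 comes from the post; the other values are ASSUMED
# Sophos XG defaults (4444 admin HTTPS, 8443 SSL VPN, 443 User Portal) and
# must be replaced with the ports your own scan report actually lists.
FLAGGED_PORTS = {
    "HTTPS (Admin)": 4444,
    "SSL VPN": 8443,
    "User Portal": 443,
    "Port 8094": 8094,
}


def port_is_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connect to host:port succeeds, i.e. something is listening.

    A refused connection or a timeout (typical when the firewall silently drops
    the packet) both count as closed from the scanner's point of view.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers ConnectionRefusedError and socket.timeout
        return False


def check_exposure(host: str, ports: Dict[str, int], timeout: float = 3.0) -> Dict[str, bool]:
    """Map each service name to whether its port answered on `host`."""
    return {name: port_is_open(host, port, timeout) for name, port in ports.items()}


def still_exposed(results: Dict[str, bool]) -> List[str]:
    """Names of services that are still reachable, sorted for stable output."""
    return sorted(name for name, is_open in results.items() if is_open)


if __name__ == "__main__":
    import sys

    # Placeholder external IP of the CC network; pass the real one as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    results = check_exposure(target, FLAGGED_PORTS)
    for name, is_open in results.items():
        state = "OPEN" if is_open else "closed"
        print(f"{name:15s} port {FLAGGED_PORTS[name]:5d}: {state}")
    exposed = still_exposed(results)
    print("PASS: nothing listening" if not exposed else "FAIL: " + ", ".join(exposed))
```

Run it from a host that sits outside the firewall (the same vantage point the PCI scanner uses); a check from inside the CC zone would not exercise the WAN-to-CC drop rule at all.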

Here are some links to other questions/discussions that led me to this resolution:

https://community.sophos.com/kb/en-us/127419

https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/103541/how-do-i-close-udp-port-500

https://community.sophos.com/kb/en-us/123114

https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/77017/how-to-block-port-8094-on-sophos-xg