
Whitelist PCI ASV Scan

I am looking for recommendations on whitelisting a Tenable PCI ASV Scan?

I am also a little confused. I set up web server protection via a WAF Rule, and this is all working now; however, when I run the new scan I now get-

HIGH PCI DSS Compliance : Scan Interference
Description
Interference from either the network or the host did not allow the scan to fulfill the PCI DSS scan validation requirements. This report is insufficient to certify this server. There may be a firewall, IDS or other software blocking Nessus from scanning.
Solution
- Adjust Nessus scan settings to improve performance.
- Whitelist the Nessus scanner for any IDS or Firewall which may be blocking the scan.

Isn't the point of the protection to help with security? If I whitelist the scanner, the security will not be used, so yyeeeahhhh..............

(Honestly I think they want you to resolve any issues on the webserver and use the protection but it still seems silly)



  • I am not quite a fan of those Scanners. They are not showing "the real picture". 

    Can you get more information about this alert? 

    Maybe some other technique in XG is blocking this scan (DOS protection for example). 

    Maybe your client blocks something? Are you running any Endpoint protection software on it? Those scanners perform "DDOS" attacks / port scanning. So maybe your Endpoint or your Network system (switch etc.) blocks something. 

  • It is pretty basic, (not a fan of the scanners today either lol)  

    For the most part it is a webserver located in the DMZ, I did create a WAF rule for it using best practices to better protect the server.  From what I can tell it is all working, I have tried a few pen tests manually and the protection is there.

    What is bothering me is I think this may have to do with how the IPS is responding on the XG.  Is there a way to confirm if it is set to drop vs deny or reject?  Or am I misunderstanding that aspect?  

    All in all, any suggestions or thoughts are appreciated.

    So I spoke with Tenable; essentially they became more accredited or gained more certification about 3 weeks ago.  So now when you run an ASV scan you will see a few more things than you did before; basically they are raising the bar, which is a good thing.  As for scanning, PCI requires that you whitelist scanning vendors, which from what I can tell Tenable was unable to notice the difference until recently, hence the flags.  It also looks like they have added compensating controls/out of scope items where you can justify them after the scan is completed per vulnerability.  For example we have FTP for non-PCI reasons; the scan flags this and I simply have to acknowledge that this is not used for PCI data.  The scan can also flag vulnerabilities that the XG would block if the scanner was not whitelisted; in this case you would write a compensating control pointing out the XG would handle said vulnerability. 

    However, I am not sure how one would whitelist this to basically allow the scanners to scan our external IPs. 

    Would I make a rule like-

    Source: WAN

    Devices: Tenable IP List

    Services: ANY

    Destination: WAN

    Devices : ANY

    Services: ANY

    ???????

    I am a little confused since the IPs I need to scan are on the WAN and the source is also coming from the WAN.

  • It would seem like this should be a Business application rule because the request is coming from the Internet and pointing towards a hosted server in the DMZ. In thinking through this because we disabled the reflexive rules for this policy, the response from the server to the scan would be sent from the DMZ zone out to the WAN zone and therefore a user network rule would then establish if the scan result was allowed based on the source networks and devices created as exceptions in the rule. Essentially we are whitelisting those networks as approved to the exclusion of all others. 

    At least this is how I think through the process, but perhaps someone can correct my logic so I never make that mistake again.... There just doesn't seem to be a go-to resource for these types of questions, but I am certain there is someone out there in the community who could tell us how to configure an exclusion for an ASV scan on the XG FW. In case anyone asks, SFOS 17.5.5 MR-5...

  • I think instead of adding the whitelisted IPs to a new rule you may need to add them to the exception list within the original WAF rule for the server in question. I may be wrong about this, but it would make sense in terms of rule placement.

  • So, a few things I am learning on this-

    You may get the same ports flagged if they were found in a previous scan, so read the results of the scanner carefully and/or start a new scan each time. I only say this because you may fix an issue, then see the port again after waiting an hour for a scan, then spend 30 minutes going over everything you did to fix it, only to find out you read the scan wrong: the scan will flag a port that was previously seen but not seen now. Not sure of the logic for this or if you're required to wait a time period, but it will, unless you run a new scan.

    Again, I am just saying that may happen to someone lol.  (This is a Tenable IO aspect, I cannot speak for all scanners)

    Now to get past the scan or to get the scan to not show-

    PCI DSS Compliance : Scan Interference

    Description

    Interference from either the network or the host did not allow the scan to fulfill the PCI DSS scan validation requirements. This report is insufficient to certify this server. There may be a firewall, IDS or other software blocking Nessus from scanning.

    Solution

    - Adjust Nessus scan settings to improve performance.

    - Whitelist the Nessus scanner for any IDS or Firewall which may be blocking the scan.

    You need to whitelist the scanners' IPs. If you see the above you will not pass a Tenable ASV Scan; I spoke with their engineering team and per PCI you are required to whitelist their scanners. They will not pass any ASV if this specific aspect is flagged. 

    Basic Explanation for Whitelist PCI ASV

    www.pcicomplianceguide.org/.../

    Tenable's IP List-

    docs.tenable.com/.../Scanners.htm

    Create a DNAT Rule for your External IP’s

    Sophos KB-

    https://community.sophos.com/kb/en-us/122976

    Rule I created-

    Source Zone: WAN

    Allowed Client/Networks: Scanner IP Addresses

    Destination Network: External IP’s (DMZ)

    Services: Any

    Protect Servers: Servers in DMZ

    Protected Zone: DMZ

    Now you also want to leave everything off in terms of IPS, then place the rule where you feel it will work the best, for example I placed mine above all other DMZ rules I had in place.

    After that the scan will go through without the interference warning.

    A few others that may pop up-
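As an added illustration of the whitelist rule described in the post above (this is example code, not from the thread, from Sophos or from Tenable), a small Python lint that checks a proposed rule against the constraints the post lists: allowed networks limited to the scanner ranges, destinations limited to the external IPs in scope, IPS off, and placement above the other DMZ rules. The scanner ranges and external IPs below are constructed placeholders; take the real list from Tenable's documentation.

```python
import ipaddress

# Constructed placeholders (NOT Tenable's real scanner list): networks the
# ASV scanner is allowed to send from.
SCANNER_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
# Constructed placeholders: public IPs of the DMZ servers in scope of the scan.
EXTERNAL_IPS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "192.0.2.11/32")]


def _within(net, ranges):
    """True if net is fully contained in one of ranges (same IP version)."""
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)


def lint_whitelist_rule(rule):
    """Return findings for a rule dict with keys mirroring the post's fields:
    source_zone, allowed_networks, destination_networks, ips_policy."""
    findings = []
    if rule["source_zone"] != "WAN":
        findings.append("source zone should be WAN: the scanner comes from the Internet")
    for net in rule["allowed_networks"]:
        # The bypass must apply only to the published scanner ranges; anything
        # broader (e.g. 0.0.0.0/0) opens the unprotected path to every host.
        if not _within(ipaddress.ip_network(net), SCANNER_RANGES):
            findings.append(f"allowed network {net} is not within the scanner ranges")
    for net in rule["destination_networks"]:
        if not _within(ipaddress.ip_network(net), EXTERNAL_IPS):
            findings.append(f"destination {net} is not an external IP in scope")
    if rule["ips_policy"] != "None":
        findings.append("IPS should be off on this rule or the scan reports interference")
    return findings


def check_rule_order(rules, whitelist_name):
    """Return True if the whitelist rule sits above every other rule that
    protects the DMZ zone, as the post recommends."""
    names = [r["name"] for r in rules]
    pos = names.index(whitelist_name)
    return all(r["protected_zone"] != "DMZ" for r in rules[:pos])


if __name__ == "__main__":
    rule = {"source_zone": "WAN", "allowed_networks": ["198.51.100.0/24"],
            "destination_networks": ["192.0.2.10/32"], "ips_policy": "None"}
    print(lint_whitelist_rule(rule))
```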