Whitelist IP Address PCI Scan

Hello,

I am new to Sophos. We recently had a Sophos XG 125 installed on our small network at work. 

In order to stay PCI compliant, a scan is run every few months on our IP address.

The IP source addresses are:

  • 64.39.96.0/20
  • 64.39.106.0/24
  • 154.59.121.0/24

I created a firewall rule like this:

  • Source: WAN
  • Devices: IP List
  • Services: ANY
  • Destination: ANY
  • Devices: ANY
  • Services: ANY

Not sure what the numbers after the IP addresses are. Are these port numbers?

Many thanks,

Bradley

  • FormerMember

    Hi Bradley, thanks for reaching out to Sophos Community.

    The numbers after the IP addresses are called the CIDR value, which refers to the subnet mask that denotes the IP range of the given block.

    So for 64.39.106.0/24 --> range becomes 64.39.106.1 to 64.39.106.254

    For your requirement, I think you need to add a local service exception, because the firewall rule will be allowing traffic between zones; in that case the firewall will not respond to the requests coming from those source IPs and will rather try to allow them through to all the other zones.

    Create a local ACL exception for these IPs and allow all the firewall services (except for SSH, if not needed) to those IPs.

    Check this article for the information on Local ACL Exceptions: docs.sophos.com/.../LocalServiceACLEdit.html
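    Worked example (added here; it is not part of Devesh's reply or Sophos code) of what the CIDR suffix means, using Python's standard ipaddress module: it expands each of the three blocks from the question into its usable host range and checks whether a source IP seen in a firewall log falls inside the whitelisted blocks. It handles any prefix length, not only the /24 shown above; the sample source IPs at the bottom are constructed.

```python
import ipaddress

# The three source blocks quoted in the question (the PCI scanner's ranges).
SCANNER_BLOCKS = ["64.39.96.0/20", "64.39.106.0/24", "154.59.121.0/24"]


def cidr_host_range(cidr):
    """Expand a CIDR block into (first usable host, last usable host, host count).

    The number after the slash is the prefix length: how many leading bits the
    subnet mask fixes. It is not a port number.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        # /31 and /32 have no network/broadcast pair; every address is usable.
        return str(net[0]), str(net[-1]), net.num_addresses
    first = net.network_address + 1    # the .0 address is the network address
    last = net.broadcast_address - 1   # the highest address is the broadcast
    return str(first), str(last), net.num_addresses - 2


def matching_block(ip, blocks=SCANNER_BLOCKS):
    """Return the most specific whitelisted block containing ip, or None.

    Longest-prefix match matters here: 64.39.106.0/24 lies inside 64.39.96.0/20,
    so an address in the /24 is reported against the /24 rather than the /20.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr in blocks:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best else None


def classify_sources(ips, blocks=SCANNER_BLOCKS):
    """Map each source IP (e.g. from a firewall log) to its scanner block or None."""
    return {ip: matching_block(ip, blocks) for ip in ips}


if __name__ == "__main__":
    for cidr in SCANNER_BLOCKS:
        net = ipaddress.ip_network(cidr, strict=False)
        print(cidr, "mask", net.netmask, "usable hosts", cidr_host_range(cidr))
    # Constructed sample source addresses, not taken from a real log.
    print(classify_sources(["64.39.100.7", "64.39.106.9", "154.59.121.200", "203.0.113.5"]))
```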

  • Hi Devesh, 

    Thank you for responding. I have scheduled a PCI scan, so I am just waiting for the results now.

    I added the following rule. For the IP addresses, I added it as a range of IP addresses like you suggested. 

    This is the firewall rule I created.

    The website mentions: 

    "I understand that Sysnet requires access be granted to the above IP addresses in order to complete a scan.

    I will ensure that any active protection (including Intrusion Prevention System) is disabled or that I will white-list Sysnet's above IPs for the duration of the test."

    Do I need to disable IPS for the scan to work?

    Many thanks,

    Bradley

  • I got the results back from the scan. It seems to have worked fine, except it failed to pass the test.

    It seems to be about the SSL Certificate. Is there a way to fix these? Many thanks,

    Bradley

  • FormerMember in reply to Bradley

    If you're referring specifically to the SSL certificate error, I guess this error is due to the certificate used with XG for the User Portal and WebAdmin. By default, XG uses the Appliance Certificate, which is signed by the CA present on the appliance and isn't globally trusted, as it's a local CA.

    You can try getting a third party certificate signed by a well-known CA to mitigate this error.
