Whitelist IP Address PCI Scan

Hello,

I am new to Sophos. We recently had a Sophos XG 125 installed on our small network at work. 

In order to stay PCI compliant, a scan is run every few months on our IP address.

The IP source addresses are:

  • 64.39.96.0/20
  • 64.39.106.0/24
  • 154.59.121.0/24

I created a firewall rule like this:

Source: WAN

Devices: IP List

Services: ANY

Destination: ANY

Devices: ANY

Services: ANY

Not sure what the numbers after the IP addresses are. Are these port numbers?

Many thanks,

Bradley



  • FormerMember

    Hi Bradley, Thanks for reaching out to Sophos Community.

    The numbers after the IP addresses are called a CIDR value, which refers to the subnet mask that denotes the IP range of the given block.

    So for 64.39.106.0/24, the range becomes 64.39.106.1 to 64.39.106.254.

    For your requirement, I think you need to add a local service exception, because the firewall rule will be allowing traffic between zones; in that case the firewall will not respond to the requests coming from those source IPs and will instead try to allow them through to all the other zones.

    Create a local ACL exception for these IPs and allow all the firewall services (except SSH, if not needed) to those IPs.

    Check this article for the information on Local ACL Exceptions: docs.sophos.com/.../LocalServiceACLEdit.html
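
    As an added illustration, not part of the original thread, the Python below uses the standard-library ipaddress module to expand the CIDR blocks listed in the question, check whether a given source address would match the allowlist, flag a block that is already contained in another (64.39.106.0/24 lies inside 64.39.96.0/20), and report which addresses of a block an entered start-to-end range leaves out. A /24 spans .0 through .255; an allowlist range typed as .1 to .254 omits the two boundary addresses, which costs nothing to include. The start-to-end range and test address used in the usage section are constructed for the demonstration.

```python
import ipaddress

# Scanner source blocks as posted in the question.
SCANNER_BLOCKS = [
    "64.39.96.0/20",
    "64.39.106.0/24",
    "154.59.121.0/24",
]


def block_bounds(cidr):
    """Return (first, last, count) for a CIDR block, including the network
    and broadcast addresses, which a firewall IP-range object should cover."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def allowlist_ranges(blocks):
    """Expand CIDR blocks into (start, end) pairs suitable for range objects."""
    return [block_bounds(b)[:2] for b in blocks]


def is_allowed(src_ip, blocks):
    """Would a packet sourced from src_ip match any allowlisted block?"""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(b) for b in blocks)


def redundant_blocks(blocks):
    """Blocks fully contained in another listed block (already covered)."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    return [str(n) for n in nets if any(n != m and n.subnet_of(m) for m in nets)]


def coverage_check(blocks, ranges_entered):
    """Compare start/end ranges actually typed into the firewall against the
    published blocks; return every scanner address the ranges would miss."""
    entered = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in ranges_entered]
    missed = []
    for b in blocks:
        for host in ipaddress.ip_network(b):
            if not any(lo <= host <= hi for lo, hi in entered):
                missed.append(str(host))
    return missed


if __name__ == "__main__":
    for b in SCANNER_BLOCKS:
        print(b, "->", block_bounds(b))
    print("redundant:", redundant_blocks(SCANNER_BLOCKS))
    # Constructed: a range entered as .1 to .254 instead of the whole /24.
    print("missed:", coverage_check(["64.39.106.0/24"], [("64.39.106.1", "64.39.106.254")]))
    print("64.39.100.7 allowed:", is_allowed("64.39.100.7", SCANNER_BLOCKS))
```

    Run as-is to print the block boundaries; the same functions can be fed whatever ranges were entered on the firewall to confirm nothing from the scanner's published ranges is left out.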

  • Hi Devesh, 

    Thank you for responding. I have scheduled a PCI scan, so I am just waiting for the results now.

    I added the following rule. For the IP addresses, I added it as a range of IP addresses like you suggested. 

    This is the firewall rule I created.

    The website mentions: 

    "I understand that Sysnet requires access be granted to the above IP addresses in order to complete a scan.

    I will ensure that any active protection (including Intrusion Prevention System) is disabled or that I will white-listed Sysnet's above IPs for the duration of the test."

    Do I need to disable IPS for the scan to work?

    Many thanks,

    Bradley

  • I got the results back from the scan. It seems to have worked fine, except it failed to pass the test.

    It seems to be about the SSL Certificate. Is there a way to fix these? Many thanks,

    Bradley

  • FormerMember (in reply to Bradley)

    If you're referring specifically to the SSL certificate error, I guess this error is due to the certificate used with XG for the User Portal and WebAdmin. By default, XG uses the Appliance Certificate, which is signed by the CA present on the appliance; that isn’t globally trusted, as it's a local CA.

    You can try getting a third party certificate signed by a well-known CA to mitigate this error.

  • FormerMember (in reply to Bradley)

    Hi ,

    You can get the third-party signed certificate either directly from a CA, or you can generate a CSR on XG and then ask the CA to sign it.

    Refer to the article below for more information:

    https://support.sophos.com/support/s/article/KB-000041071?language=en_US

    support.sophos.com/.../KB-000041072

  • Hi Yash and Devesh,

    Thank you for both responding.

    Is it the local IP address of the firewall that I need for the certificate?

    Also, can you recommend a CA? I found this website (https://ssl.comodo.com/pci-scanning). Would I need to sign up for something like this?

    Many thanks,

    Bradley

  • FormerMember (in reply to Bradley)

    Hi Bradley,

    Not much aware of Comodo's offering here, but you can always get a certificate for a domain that you own or are planning to own, run these tests directly against the domain, and have it point to XG's public IP. All you need to do is import the certificate with the private key on XG and use it for WebAdmin and the User Portal.

    You can always get a self-signed certificate from the firewall for an interface IP or the IP you need, but that again falls under the same issue of it being signed by a private CA (XG in this case).

    If you're not looking to spend and would rather have a free solution, then I would recommend getting a cert signed by Let's Encrypt (currently R3). Just a caveat that it'll be valid for 3 months only, after which you can renew it or get a new one.

  • Hi Devesh, 

    Thank you for responding.

    We own a domain so that is helpful. I have Let's Encrypt on a domain already which has given me an encoded certificate, private key and an intermediate certificate. Do you know how I point it to XG's public IP? Is it to do with the DNS records?

    I have tried looking online but not sure how.

    Many thanks,

    Bradley

  • FormerMember (in reply to Bradley)

    Hi Bradley,

    You need to check where you've hosted these DNS records (GoDaddy, Namecheap, Route53, etc.); there you can add an A record for XG's public IP.

    Ensure that the same A record isn’t pointing elsewhere, otherwise it'll create problems. If you have a wildcard certificate for the domain, then you can use any subdomain to point to XG's IP.
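
    The two replies above (importing a CA-signed certificate for WebAdmin/User Portal, and pointing a DNS A record or wildcard subdomain at the firewall's public IP) come down to one check the scanner performs: does a name in the certificate's subjectAltName match what the scanner connected to? The Python below is an added example, not code from the thread or from Sophos, that performs that match on a constructed SAN list: exact DNS names, a wildcard that covers exactly one left-most label (so `*.example.com` matches `fw.example.com` but not `example.com` or `a.b.example.com`), and IP-address SANs. The SAN list, the names and the 203.0.113.10 address are constructed for the demonstration. If a scan targets the bare IP and the certificate carries DNS SANs only (as a typical Let's Encrypt certificate does), the name check fails regardless of which CA signed it; the DNS-record approach in the reply above works because the scan is then run against the hostname.

```python
import ipaddress


def _dns_name_match(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and '*' is honoured only
    as the entire left-most label, matching exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_target(sans, target):
    """sans: list of (kind, value) as found in a certificate's subjectAltName,
    kind being 'DNS' or 'IP'. target: the hostname or IP the scanner connects to.
    Returns (matched, reason)."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        # A bare-IP target can only be satisfied by an IP SAN, never by a DNS SAN.
        for kind, value in sans:
            if kind == "IP" and ipaddress.ip_address(value) == target_ip:
                return True, f"IP SAN {value} matches"
        return False, "target is an IP address but the certificate has no matching IP SAN"

    for kind, value in sans:
        if kind == "DNS" and _dns_name_match(value, target):
            return True, f"DNS SAN {value} matches {target}"
    return False, f"no DNS SAN matches {target}"


# Constructed SAN list standing in for a wildcard certificate on an owned domain (assumption).
EXAMPLE_SANS = [("DNS", "example.com"), ("DNS", "*.example.com")]


if __name__ == "__main__":
    for target in ["fw.example.com", "example.com", "a.b.example.com", "203.0.113.10"]:
        print(target, "->", cert_matches_target(EXAMPLE_SANS, target))
```

    To use it against a real certificate, feed the SAN entries shown by a certificate viewer into `cert_matches_target` together with the exact target the scan is configured to hit; a mismatch here is what the scanner reports as a certificate finding even when the chain is trusted.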

  • Hi Devesh,

    Thank you for your help.

    I have tried to sort it out but keep running into problems.

    Is it possible I can get paid support so someone can help me remotely with this?

    Many thanks.
