Hello All. So I had read all of the posts regarding workarounds, etc., for failed PCI compliance scans. But I guess I am looking for a more permanent solution.
So over the years with the UTM9 devices they would fail PCI compliance IF we had any sort of remote access VPN enabled (SSL VPN, etc.). The solution on those was to simply not use any remote access VPN and manually adjust the strongSwan service to stop listening on UDP port 500. This solved the issue with the scans. So we then installed several XG firewalls (latest firmware) hoping this issue would be resolved, but it is still an issue. UDP 500 is still somehow open and we need to manually disable the strongSwan service to get UDP port 500 blocked. And in the past (on the UTM 9s) a firmware update would cause UDP 500 to open again. Note that I do know about the business firewall rule to send UDP 500 into a blackhole (invalid IP).
So, it does not seem like the XG models do anything to really correct this if the users need remote access into their network. And more and more PCI scanning providers will fail you if they see ANY evidence of remote access (UDP 500, 8443 SSL VPN, etc.). The new Sophos Connect uses port 500, so that is out.
So the question is: are there any long term options for providing secure remote access into a network using Sophos products that will not trigger a PCI scan fail? I know REDs MIGHT be an option, but we are trying to avoid spending more on hardware for remote access.
Right now SSL VPN is enabled and it is failing on port 8443. We can take care of the other failures as listed above. Can the SSL VPN client be configured in a different way (possibly certs, etc.) to eliminate this issue?
Thanks
Dave