Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Port-500/4500 UDP and 8094 failing PCI scans

Units are XG125W and XG135W running firmware SFOS 17.5.9 MR-9

 

Having issues with PCI scans failing port 500 UDP

We are using IKEv2 (above suggested standards) so strongswan is obviously enabled and disabling is not an option.

You can not add an ACL as those services for ACL are unable to be edited.

 

I tried creating a firewall rule to drop anything related to port 500 UDP from the firewalljust to see if the port would stop scanning.

I placed the rule at the top of the page and verified it was active and traffic still flows/port is able to be scanned

Once I can prove that it is dropping scans I will add an allow rule for the IPs that need to be able to access this.

Service Object

Drop rule

 

Port 8094

The device has been taken out of MTA mode and the SPX Portal settings have been pointed to Port9 which doesn't connect to anything and is completely separate from everything else.

 

Not sure how to nail these down. Any thoughts would be grand

 

Here is the failure on PCI scan (Some data omitted for privacy reasons)

Protocol     Port      Program
UDP           500      isakmp
TCP           8094    unknown


TCP 8094 www Title:
SSL Self-Signed Certificate
Synopsis:
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
Impact:
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If
the remote host is a public host in production, this nullifies the use of SSL as anyone could
establish a man-in-the-middle attack against the remote host. Note that this plugin does not
check for certificate chains that end in a certificate that is not self-signed, but is signed by an
unrecognized certificate authority.


TCP 8094 www Title:
SSL Certificate with Wrong Hostname
Synopsis:
The SSL certificate for this service is for a different host.
Impact:
The 'commonName' (CN) attribute of the SSL certificate presented for this service is for a
different machine.
Resolution:
Purchase or generate a proper certificate for this service.
Data Received:

The Common Name in the certificate is : SophosApplianceCertificate_C1XXXXXXXXXX

 



This thread was automatically locked due to age.
Parents Reply Children
No Data