I have an XG135 running (SFOS 18.0.1 MR-1-Build396) and I am currently failing Security Metrics PCI scan for the following:
I am trying to follow the KB Sophos has provided but in v18 DNAT and Firewalls are separated, and I can't seem to get everything set properly to pass this scan.
My Firewall rules:
NO NAT/ DNAT Rules:
Blackhole Route:
I cannot figure out how to pass this scan without getting traffic to follow these rules. So far nothing has "hit them".
Hi Brandon McGouldrick,
Thank you for the screenshots.
The source port needs to be the port range from 1:65535.
Please change the source port from 3400 to port range 1:65535 and let us know if that helps…
Thank you for reaching out to the Community!
Can you try to create an SD-WAN policy route instead of the static route?
Check out the following document for more info on SD-WAN policy routing:
Thanks,
Community Support Engineer | Sophos Technical Support
Thank you for the response! I read the documentation and put in place what I think would be a "Blackhole route" for connections with destination port 3400.
I enabled sd-wan-policy-route for system generated traffic and reply packets.
I also set SD-WAN Routing to #1 precedence.
I put this new SD-WAN Route in place:
I still have the DNAT and Firewall rules enabled. The counters are not showing any activity; it is like the Red Service is not affected by any of the rules, policies, or routes.
When I run a port scan externally for 3400 it still shows as open. SD-WAN policy routing does not seem to be working for this.
Can you show us the screenshot of the service definition that you’re using with the DNAT rule?
DNAT rule:
Service Definition:
Blackhole host (does not exist on our network):
Blackhole gateway:
Brandon
Please change the source port from 3400 to port range 1:65535 and let us know if that helps.
Port 3400 is no longer visible! I believe this is going to work. I am running my PCI scan now!
Thanks!