I have an XG135 running (SFOS 18.0.1 MR-1-Build396) and I am currently failing Security Metrics PCI scan for the following:
I am trying to follow the KB Sophos has provided but in v18 DNAT and Firewalls are separated, and I can't seem to get everything set properly to pass this scan.
My Firewall rules:
NO NAT/ DNAT Rules:
I cannot figure out how to pass this scan without getting traffic to follow these rules. So far nothing has "hit them".
Hi Brandon McGouldrick,
Thank you for the screenshots.
The source port needs to be the port range from 1:65535.
Please change the source port from 3400 to port range 1:65535 and let us know if that helps…
Thank you for reaching out to the Community!
Can you try to create an SD-WAN policy route instead of the static route?
Check out the following document for more info on SD-WAN policy routing:
Community Support Engineer | Sophos Technical SupportSupport Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts If a post solves your question use the 'Verify Answer' button.
Thank you for the response! I read the documentation an put in place what I think would be a "Blackhole route" for connections with destination port 3400.
I enable sd-wan-policy-route for system generated traffic and reply packets.
I also set SD-WAN Routing to #1 precedence.
I put this new SD-WAN Route in place:
I still have the DNAT and Firewall rules enabled. The counters are not showing any activity, it is like the Red Service is not affected by any of the rules, policies, or routes.
When I run a port scan externally for 3400 it still shows as open. SD-WAN policy routing does not seem to be working for this.
Can you show us the screenshot of the service definition that you’re using with the DNAT rule?
Blackhole host (does not exist on our network):
Please change the source port from 3400 to port range 1:65535 and let us know if that helps.
Port 3400 is no longer visible! I believe this is going to work. I am running my PCI scan now!