RED configuration for PCI DSS compliance v18 DNAT

I have an XG135 running (SFOS 18.0.1 MR-1-Build396) and I am currently failing Security Metrics PCI scan for the following:

I am trying to follow the KB Sophos has provided but in v18 DNAT and Firewalls are separated, and I can't seem to get everything set properly to pass this scan.

My Firewall rules:

NO NAT/ DNAT Rules:

Blackhole Route:

I cannot figure out how to pass this scan without getting traffic to follow these rules. So far nothing has "hit them".

  • Hi,

    Thank you for reaching out to the Community! 

    Can you try to create an SD-WAN policy route instead of the static route? 

    Check out the following document for more info on SD-WAN policy routing: 

    Thanks,

    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support

  • Thank you for the response! I read the documentation and put in place what I think would be a "Blackhole route" for connections with destination port 3400.

    I enabled sd-wan-policy-route for system generated traffic and reply packets.

    I also set SD-WAN Routing to #1 precedence.

    I put this new SD-WAN Route in place:

    I still have the DNAT and Firewall rules enabled. The counters are not showing any activity, it is like the Red Service is not affected by any of the rules, policies, or routes.

    When I run a port scan externally for 3400 it still shows as open. SD-WAN policy routing does not seem to be working for this.
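The poster is relying on an external port scan to tell whether the RED service port (3400 in this thread) is still reachable after each rule change. The following is an added verification script, not code from the thread or from Sophos: it probes one TCP port and reports whether the connection completed (open), was refused (closed) or got no answer (filtered, which is what a working blackhole route or drop rule should produce from the outside). The host is taken from the command line; the self-check at the bottom binds a throwaway listener on 127.0.0.1 so the open/closed classification can be exercised offline.

```python
import socket
import sys

# Port named in the thread for the Sophos RED service.
RED_PORT = 3400


def probe_tcp_port(host, port, timeout=3.0):
    """Classify host:port from the probing side.

    'open'      -> the TCP handshake completed, a listener answered
    'closed'    -> the connection was actively refused (RST)
    'filtered'  -> nothing came back within the timeout (dropped/blackholed)
    'error'     -> some other socket error (no route, DNS failure, ...)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"
    finally:
        s.close()


def red_port_exposed(host, port=RED_PORT):
    """True when the RED port answers the handshake, i.e. a PCI scanner would flag it."""
    return probe_tcp_port(host, port) == "open"


def self_check():
    """Offline demonstration on 127.0.0.1: probe a live listener, then the same port once closed.

    Returns the two classifications so the behaviour can be asserted without a real firewall.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 -> OS picks a free ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp_port("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = probe_tcp_port("127.0.0.1", port, timeout=2.0)
    return {"listening": while_listening, "not_listening": after_close}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: python probe_red_port.py <public-ip-or-hostname> [port]")
        print("self-check:", self_check())
    else:
        target = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else RED_PORT
        state = probe_tcp_port(target, port)
        print(f"{target}:{port} -> {state}")
        print("exposed to scanner:", state == "open")
```

Run it from a host outside the firewall (the same vantage point as the PCI scanner); a result of "filtered" or "closed" is what a correctly applied drop rule or blackhole route should give, while "open" matches what the poster is seeing and means the rule is not catching the RED traffic yet.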
