
RED configuration for PCI DSS compliance v18 DNAT

I have an XG135 running (SFOS 18.0.1 MR-1-Build396) and I am currently failing the SecurityMetrics PCI scan for the following:

I am trying to follow the KB Sophos has provided, but in v18 DNAT and firewall rules are separated, and I can't seem to get everything set properly to pass this scan.

My Firewall rules:

NO NAT/ DNAT Rules:

Blackhole Route:

I cannot figure out how to pass this scan without getting traffic to follow these rules. So far nothing has "hit them".


  • FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    Can you try to create an SD-WAN policy route instead of the static route? 

    Check out the following document for more info on SD-WAN policy routing: 

    Thanks,

  • Thank you for the response! I read the documentation and put in place what I think would be a "blackhole route" for connections with destination port 3400.

    I enabled the SD-WAN policy route for system-generated traffic and reply packets.

    I also set SD-WAN Routing to #1 precedence.

    I put this new SD-WAN Route in place:

    I still have the DNAT and firewall rules enabled. The counters are not showing any activity; it is like the RED service is not affected by any of the rules, policies, or routes.

    When I run a port scan externally for 3400 it still shows as open. SD-WAN policy routing does not seem to be working for this.

  • FormerMember in reply to Brandon McGouldrick

    Hi ,

    Can you show us the screenshot of the service definition that you’re using with the DNAT rule? 

    Thanks,
