adidasnmotion
New Contributor

PCI Scan fails because Qualys scanner can't scan the ssl-vpn login page

We have an issue where our PCI scans from a third party (Qualys) are failing. Their support tells us the following:

This vulnerability is because the scanner found tcp port 443 open to the public internet but the https service could not be used for a scan. If I connect to this port in my browser (https://xxx.xxx.xxx.xxx) I can load a Forticlient VPN login page with https. If I can see this page over https then you will need to permit the scanner to have the same access to https so it can scan the VPN login page.

How can we exempt Qualys scans to our ssl-vpn login page?

Toshi_Esumi
Esteemed Contributor III

Do you happen to limit the source IPs for SSL VPN (CLI "set source-address" under "config vpn ssl settings")? Then you just need to add the source IP (NATed IP) where the scanner is coming from.
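As an added illustration of the check described above (not the poster's own configuration), this FortiOS CLI fragment defines an address object for the scanner and adds it to the SSL VPN source restriction. The object name and the 203.0.113.10 address are placeholders; substitute the scanner's real NATed source IP.

```fortios
# Hypothetical address object for the scanner's NATed source IP (placeholder value)
config firewall address
    edit "pci-scanner-qualys"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Inspect the current restriction first: an empty source-address means no limit,
# which is the situation the original poster later describes.
show vpn ssl settings

# "set source-address" replaces the whole list, so existing entries would be dropped;
# "append" adds the scanner object while keeping the addresses already allowed.
config vpn ssl settings
    append source-address "pci-scanner-qualys"
end
```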

adidasnmotion

We don't limit the source IPs for SSL VPN. It's accessible from anywhere. A tech from the PCI compliance vendor can connect to the page in a web browser, but when they use their scanning tools on the page the firewall apparently blocks the scan.

Toshi_Esumi
Esteemed Contributor III

Then there is nothing else you can do other than insisting the problem is on their end, since a browser can access it. None of our customers' PCI auditors, including ours, have any problem scanning IPs on which SSL VPN is set up without source restrictions.

adidasnmotion

Does the ssl-vpn login page have IPS applied to it? If so, how would we exempt the Qualys scan there?

Toshi_Esumi
Esteemed Contributor III

IPS works when you apply a profile to policies. Do you have any applied to the SSL VPN policies? But they scan it without logging in, like the admin GUI HTTPS interface. It shouldn't be a matter.

ajmueller

I am having the same issue (along with the same canned response from the PCI scan tech). Were you able to solve the issue?
