https://live.paloaltonetworks.com/t5/general-topics/pci-compliance-and-port-443/m-p/68096#M39797 <P>What is the exact statement of problem for this issue in the PCI report?</P> <P>&nbsp;</P> <P>I think they misunderstand what the service running here is, or the issue is with they way you have VPN access configured.</P> <P>&nbsp;</P> <P>Certainly you can run web services and still be PCI compliant.</P> <P>&nbsp;</P> <P>I think they believe you are exposing the web mgmt interface of the firewall to the open internet. &nbsp;This would be flagged as a problem. &nbsp;The scanner cannot know what the content of the web portal is and is probably just assuming this is the firewall mgmt portal because of the address.</P> <P>&nbsp;</P> <P>I would push back and explain exactly what the service is. &nbsp;I would think you are compliant without any changes.</P> Fri, 13 Nov 2015 10:41:09 GMT pulukas 2015-11-13T10:41:09Z https://live.paloaltonetworks.com/t5/general-topics/pci-compliance-and-port-443/m-p/67902#M39719 <P>We are employing GlobalProtect VPN on our PA, which also happens to be our intranet gateway (NAT) to the Internet. Technically speaking, the setup works very well. Because port 443 is typically open on most firewalls, we can connect to the VPN virtually anywhere. Unfortunately, our PCI compliance scan (public side of our PA) flagged the open HTTPS port as a problem that needed fixing.</P> <P>&nbsp;</P> <P>Disabling the GlobalProtect portal disables the downloading of the GlobalProtect client (which is okay with us), but naturally the TCP port 443 is still listening. Is there a way to configure the VPN service or craft a policy rule that would keep port 443 open for VPN but close it to port scans? In essence, we want to satisfy PCI requirements with the least impact to our VPN configuration.</P> Tue, 10 Nov 2015 16:44:46 GMT https://live.paloaltonetworks.com/t5/general-topics/pci-compliance-and-port-443/m-p/67902#M39719 jasonbailey 2015-11-10T16:44:46Z https://live.paloaltonetworks.com/t5/general-topics/pci-compliance-and-port-443/m-p/67914#M39723 <P>You can't run GlobalProtect on port 443 but to hide from scan (unless you check logs from where scan comes from and block those IP's <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> ).</P> <P>You can't have any port open at all or you can't have any port open on same ip where traffic goes out from?</P> <P>You can run GP on some other IP for example.</P> <P>Or get other subnet from your ISP to run GP on completely diferent IP range.</P> <P>Or run GP on alternative port but this would mean reconfiguring all your clients also.</P> Tue, 10 Nov 2015 19:55:12 GMT https://live.paloaltonetworks.com/t5/general-topics/pci-compliance-and-port-443/m-p/67914#M39723 Raido_Rattameister 2015-11-10T19:55:12Z https://live.paloaltonetworks.com/t5/general-topics/pci-compliance-and-port-443/m-p/68096#M39797 <P>What is the exact statement of problem for this issue in the PCI report?</P> <P>&nbsp;</P> <P>I think they misunderstand what the service running here is, or the issue is with they way you have VPN access configured.</P> <P>&nbsp;</P> <P>Certainly you can run web services and still be PCI compliant.</P> <P>&nbsp;</P> <P>I think they believe you are exposing the web mgmt interface of the firewall to the open internet. &nbsp;This would be flagged as a problem. &nbsp;The scanner cannot know what the content of the web portal is and is probably just assuming this is the firewall mgmt portal because of the address.</P> <P>&nbsp;</P> <P>I would push back and explain exactly what the service is. &nbsp;I would think you are compliant without any changes.</P> Fri, 13 Nov 2015 10:41:09 GMT https://live.paloaltonetworks.com/t5/general-topics/pci-compliance-and-port-443/m-p/68096#M39797 pulukas 2015-11-13T10:41:09Z