PCI compliance and port 443

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PCI compliance and port 443

L1 Bithead

We are employing GlobalProtect VPN on our PA, which also happens to be our intranet gateway (NAT) to the Internet. Technically speaking, the setup works very well. Because port 443 is typically open on most firewalls, we can connect to the VPN virtually anywhere. Unfortunately, our PCI compliance scan (public side of our PA) flagged the open HTTPS port as a problem that needed fixing.

 

Disabling the GlobalProtect portal disables the downloading of the GlobalProtect client (which is okay with us), but naturally the TCP port 443 is still listening. Is there a way to configure the VPN service or craft a policy rule that would keep port 443 open for VPN but close it to port scans? In essence, we want to satisfy PCI requirements with the least impact to our VPN configuration.

2 REPLIES 2

Cyber Elite
Cyber Elite

You can't run GlobalProtect on port 443 but to hide from scan (unless you check logs from where scan comes from and block those IP's 🙂 ).

You can't have any port open at all or you can't have any port open on same ip where traffic goes out from?

You can run GP on some other IP for example.

Or get other subnet from your ISP to run GP on completely diferent IP range.

Or run GP on alternative port but this would mean reconfiguring all your clients also.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L7 Applicator

What is the exact statement of problem for this issue in the PCI report?

 

I think they misunderstand what the service running here is, or the issue is with they way you have VPN access configured.

 

Certainly you can run web services and still be PCI compliant.

 

I think they believe you are exposing the web mgmt interface of the firewall to the open internet.  This would be flagged as a problem.  The scanner cannot know what the content of the web portal is and is probably just assuming this is the firewall mgmt portal because of the address.

 

I would push back and explain exactly what the service is.  I would think you are compliant without any changes.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 2899 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!