PCI compliance

A growing cause of frustration for us is PCI compliance scans. It seems each PCI compliance company is a little different, and our efforts to create enough exceptions on the firewalls, while still maintaining proper security, work for some compliance companies, but not all. If we just block the scan, some companies place a note in the customer account indicating the scan was properly blocked by a firewall, while other compliance companies require us to allow the scan. I feel like I’m reducing the security of the firewall in order to permit the scan, only to then be told the firewall isn’t secure enough.

For the compliance companies that require the firewall to allow the scan, oftentimes the Fireboxes are flagged with SSL issues due to using self-signed certificates for VPN, even when we have SSLVPN disabled. When we do have SSLVPN enabled, we generally only use self-signed certificates because it is just VPN, not a webserver for public use.

Anybody have any thoughts/strategies on the matter?


  • My best recommendation is to stick with a single PCI compliance company.

    I had 2 of these a long time ago. The people who did it were ones with only a little experience (sort of like new auditors), and were using a checklist prepared by their company.

    Thus they couldn't explain why something was "bad" - it just was, because their "book" said so.

    You can get some public certs, but I think that the only way you can get around most of the firewall self-signed certs is to have your own CA, and replace the firewall ones with ones from your own CA.

    Looking forward to others' comments on this.

  • James_Carson (Moderator, WatchGuard Representative)

    In my experience, a lot of the compliance scanning companies are just using something like Nessus to scan, and don't have much, if any, understanding of the report they're actually handing out. If you can find one that actually explains what each issue is and shows an understanding of it, I'd stick with them.

    The majority of the issues that we see at WatchGuard are:
    -Self-signed certificate/CA. The firewall generates its own certificate for the web server and SSLVPN. Most PCI scans require certs from trusted 3rd party CAs. If the company is on a budget, you can get short duration (less than 6 months) certs from "letsencrypt," and 1+ year certs from other sources seem to start at about a hundo USD ($100 or so). Personally, I'd suggest looking into a wildcard certificate (which costs a bit more), but you can use it on multiple servers (like Exchange, OWA, your internal web server, and the firewall) with just that one cert.

    -VPNs or other resources not being secured with two factor authentication (2FA.) Take a look at AuthPoint (watchguard.com/authpoint) and sign up for a free 5 user trial.

    -Random vulnerabilities/CVEs -- make sure your firewall is on the latest version of firmware prior to the scan.

    -Vulnerabilities on other servers behind the firewall that are publicly available via NAT/SNAT. Make sure those servers are patched, up to date, and consider protecting them with VPN, Access portal, and/or a proxy.

    If you do get a compliance report failure, we can help. Simply open a case and attach the report you get from the company. Our team can take a look at it and help decipher what they've given you.

    Finally, remember that you can report things as mitigated. For example, if you wanted to use an internal CA instead of getting one from a 3rd party, you can report back that this "hit" is mitigated because the certificate is issued from a trusted provider inside of your network, and external hosts not part of your network have no reason to trust the firewall. This will only work in some circumstances, but is a way of reporting that you're aware of the risk and have done X, Y, Z to ensure it's OK.

    -James Carson
    WatchGuard Customer Support

  • I use certs from Namecheap (which this link will take you to: https://www.shareasale.com/r.cfm?b=467188&u=1681285&m=46483) and I use their wildcard cert. Their wildcard certificate's regular price is $71/year, and a 3-domain cert is regularly $27/year. They are frequently on sale as they are now, currently for $40 and $20 respectively.

    I found that the key to using any vendors' certs for anything more than just ONE Firebox is to generate the CSR on something other than the Firebox itself, for example, generate it on a Windows server. If a CSR is generated on the Firebox, then the resulting cert can be used ONLY on that Firebox because the cert cannot be exported with its private key in a PFX file for use anywhere else. I generate my CSR on my Windows 2019 domain controller, get it from Namecheap and install it, then export it with the private key as a PFX file. I can import that PFX file into many different Fireboxes, network switches, other servers, my web site, pretty much anywhere I want.

    Gregg Hill

  • James_Carson (Moderator, WatchGuard Representative)

    Gregg is correct, the firewall will not expose the private key if you generate it on the firewall itself. For most users this isn't an issue, but it could be for some.

    This KB goes over doing it in other places, including OpenSSL, WG Management Server, and Windows Server:

    (How do I create a certificate signing request (CSR)?)

    -James Carson
    WatchGuard Customer Support
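    The off-box workflow Gregg describes and the OpenSSL route James's KB link points to, as an added example that is not from the thread or from WatchGuard's KB: key and CSR are generated with OpenSSL rather than on the Firebox, the signed cert is bundled with the key into a PFX, and two checks confirm the PFX is usable. `*.example.com`, the "Example Lab CA" and the PFX password are placeholders; the local CA only stands in for Namecheap, Let's Encrypt or an internal CA so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from WatchGuard's KB. Make the key and
# CSR somewhere other than the Firebox, get the CSR signed, then pack key + cert
# into a PFX that can be imported into every Firebox instead of being locked to
# one box. *.example.com, "Example Lab CA" and PFX_PASS are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-change-me}"   # placeholder; use a real passphrase

# 1. Key + CSR generated off-box. A SAN is included because scanners and
#    browsers ignore the CN; wildcard plus bare domain covers the usual hosts.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
        -addext "subjectAltName=DNS:*.example.com,DNS:example.com" \
        -keyout "$WORK/wildcard.key" -out "$WORK/wildcard.csr" 2>/dev/null
}

# 2. Normally wildcard.csr goes to your CA (Namecheap, Let's Encrypt, or an
#    internal CA). A throwaway local CA signs it here so the example runs offline.
sign_with_local_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Lab CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    printf 'subjectAltName=DNS:*.example.com,DNS:example.com\n' > "$WORK/san.ext"
    openssl x509 -req -days 1 -in "$WORK/wildcard.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.ext" \
        -out "$WORK/wildcard.crt" 2>/dev/null
}

# 3. Bundle key + cert + issuing chain into a PFX. This is the file you can
#    import into many Fireboxes; a CSR made on a Firebox never lets you do this.
export_pfx() {
    openssl pkcs12 -export -inkey "$WORK/wildcard.key" -in "$WORK/wildcard.crt" \
        -certfile "$WORK/ca.crt" -passout "pass:$PFX_PASS" -out "$WORK/wildcard.pfx"
}

# Checks: number of wildcard SAN lines in the CSR, and whether the private key
# inside the PFX really matches the certificate's public key.
csr_wildcard_san_count() {
    openssl req -in "$WORK/wildcard.csr" -noout -text | grep -c 'DNS:\*\.example\.com'
}
pfx_key_matches_cert() {
    k=$(openssl pkcs12 -in "$WORK/wildcard.pfx" -passin "pass:$PFX_PASS" \
            -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/wildcard.crt" -noout -pubkey)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

make_csr && sign_with_local_ca && export_pfx
echo "CSR, signed cert and PFX written to $WORK"
```

The same wildcard.pfx can then be imported into Firebox Certificate settings, switches and other servers, which is exactly what a Firebox-generated CSR prevents.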
