After creating "Mobile VPN with IKEv2", Tenable scan detects PCI DSS compliance error

Hi Team,

We have configured Mobile VPN with IKEv2 due to the slowness of SSL VPN. But once it was configured, Tenable gave "Scan detects PCI DSS Compliance: Remote Access Software Has Been Detected on"

Then we went through the XML configuration and noticed that there are default policies such as "WG Default IKEv2 Gateway" and "Allow-IKE-to-Firebox".

We contacted WatchGuard regarding this, and they said we need to disable the default IPsec policy.

Then we disabled the policy in our DEV environment and noticed that "Allow-IKE-to-Firebox" went to disabled status, but "WG Default IKEv2 Gateway" did not.

"WG Default IKEv2 Gateway" is still enabled; we can't find how to disable the "WG Default IKEv2 Gateway" IKE policy in the GUI.

The "WG Default IKEv2 Gateway" policy cannot be seen on other firewalls on which Mobile VPN with IKEv2 is not configured.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @prashan

    There are various "hidden" policies on the firewall that are controlled by options on the firewall itself.

    If your PCI/DSS compliance software is saying that you can't have remote access software, any VPN will count as such.

    The Allow IKE to firebox rule (the firebox's built-in IPSec policy) terminates IPSec traffic that traverses the firewall on the firewall. Since the firewall is an IPSec endpoint, this makes sense. The specific finding in your case appears to be that the firewall is accepting traffic from ANY source IP, which is necessary for mobile VPN (since you generally don't know what IP you will be coming from).

    In order for the IKEv2 VPN to work, the IPSec policy must be on, or it must be disabled and an alternate policy created.

    You can read more about the IPSec option here:
    (About Global VPN Settings)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/global_vpn_settings_about_c.html

    The actual policies for user access (for once the VPN is terminated and the users need to be able to access resources) are handled via:

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_vpn_policies_c.html

    I would suggest researching if your specific PCI/DSS requirements even allow having a mobile VPN, and if so, what types are acceptable for that purpose. If you are being flagged in a report for simply having IKE on, it's unlikely that any setting change you make here will satisfy that finding.

    -James Carson
    WatchGuard Customer Support
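The point James makes, that the firewall answers IKE from any source, can be checked independently of the compliance scanner. The following is an added example, not code from the post or from WatchGuard: a Python 3 script (standard library only) that sends an IKEv2 IKE_SA_INIT request with a single proposal to UDP/500 (or UDP/4500 with the NAT-T non-ESP marker) and decodes whatever comes back, which is the kind of reply a remote-access finding keys on. The wire format follows RFC 7296; the target address, the proposed algorithms and the random KE data are assumptions for illustration, and the reply built by `constructed_response()` is constructed for offline testing, not a capture from a Firebox.

```python
"""Added example (not from the forum post or WatchGuard): minimal IKEv2
IKE_SA_INIT probe plus response decoder. Wire format per RFC 7296.
Target host, proposal and KE contents are assumptions for illustration."""
import os
import socket
import struct

IKEV2_VERSION = 0x20        # major 2, minor 0
EXCH_IKE_SA_INIT = 34
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20
HDR_LEN = 28                # fixed IKE header size
NON_ESP_MARKER = b"\x00" * 4  # prefix used on UDP/4500 (RFC 3948)

# Payload types (RFC 7296 section 3.2) and a few well-known notify types
PT_NONE, PT_SA, PT_KE, PT_NONCE, PT_NOTIFY, PT_VENDOR = 0, 33, 34, 40, 41, 43
PAYLOAD_NAMES = {PT_SA: "SA", PT_KE: "KE", PT_NONCE: "Nonce",
                 PT_NOTIFY: "N", PT_VENDOR: "VID", 38: "CERTREQ"}
NOTIFY_NAMES = {7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN",
                17: "INVALID_KE_PAYLOAD", 16388: "NAT_DETECTION_SOURCE_IP",
                16389: "NAT_DETECTION_DESTINATION_IP", 16390: "COOKIE",
                16430: "IKEV2_FRAGMENTATION_SUPPORTED"}


def _generic_payload(next_pt, body):
    # Generic payload header: Next Payload, Critical/RESERVED, Payload Length
    return struct.pack("!BBH", next_pt, 0, 4 + len(body)) + body


def _transform(ttype, tid, last, keylen=None):
    # Transform substructure; 0x800E = TV attribute "Key Length"
    attr = struct.pack("!HH", 0x800E, keylen) if keylen else b""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attr),
                       ttype, 0, tid) + attr


def build_ike_sa_init(initiator_spi):
    """IKE_SA_INIT request: SA (one proposal) + KE (group 14) + Ni."""
    transforms = (_transform(1, 12, False, keylen=128)   # ENCR_AES_CBC-128
                  + _transform(2, 5, False)              # PRF_HMAC_SHA2_256
                  + _transform(3, 12, False)             # AUTH_HMAC_SHA2_256_128
                  + _transform(4, 14, True))             # 2048-bit MODP group
    # Proposal: Last, RESERVED, Length, Proposal#, Protocol ID (IKE=1), SPI size, #transforms
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transforms), 1, 1, 0, 4) + transforms
    sa = _generic_payload(PT_KE, proposal)
    # Random KE data of the right length (as ike-scan does); enough to elicit a reply
    ke = _generic_payload(PT_NONCE, struct.pack("!HH", 14, 0) + os.urandom(256))
    nonce = _generic_payload(PT_NONE, os.urandom(32))
    body = sa + ke + nonce
    hdr = struct.pack("!8s8sBBBBII", initiator_spi, bytes(8), PT_SA, IKEV2_VERSION,
                      EXCH_IKE_SA_INIT, FLAG_INITIATOR, 0, HDR_LEN + len(body))
    return hdr + body


def parse_ike_header(data):
    if len(data) < HDR_LEN:
        raise ValueError("too short for an IKE header")
    ispi, rspi, np, ver, exch, flags, msgid, length = struct.unpack_from("!8s8sBBBBII", data, 0)
    return {"ispi": ispi, "rspi": rspi, "next_payload": np, "major": ver >> 4,
            "minor": ver & 0x0F, "exchange": exch, "flags": flags,
            "message_id": msgid, "length": length}


def parse_payloads(data, first_type):
    """Walk the payload chain after the header; returns [(type_name, body)]."""
    out, off, cur = [], HDR_LEN, first_type
    while cur != PT_NONE and off + 4 <= len(data):
        nxt, _crit, plen = struct.unpack_from("!BBH", data, off)
        if plen < 4 or off + plen > len(data):
            raise ValueError("malformed payload length")
        out.append((PAYLOAD_NAMES.get(cur, str(cur)), data[off + 4:off + plen]))
        cur, off = nxt, off + plen
    return out


def classify_response(data, sent_spi):
    """Is `data` an IKEv2 reply to our probe? Summarise payloads and notifies."""
    hdr = parse_ike_header(data)
    if hdr["major"] != 2 or hdr["ispi"] != sent_spi or not (hdr["flags"] & FLAG_RESPONSE):
        return {"ikev2_responder": False}
    payloads = parse_payloads(data, hdr["next_payload"])
    names = [n for n, _ in payloads]
    notifies = []
    for name, body in payloads:
        if name == "N" and len(body) >= 4:
            _proto, _spi_size, ntype = struct.unpack_from("!BBH", body, 0)
            notifies.append(NOTIFY_NAMES.get(ntype, str(ntype)))
    return {"ikev2_responder": True, "exchange": hdr["exchange"], "payloads": names,
            "notifies": notifies, "proposal_accepted": "SA" in names}


def probe(host, port=500, timeout=3.0):
    """Send one IKE_SA_INIT to host:port; None on silence, else classification."""
    spi = os.urandom(8)
    pkt = build_ike_sa_init(spi)
    if port == 4500:
        pkt = NON_ESP_MARKER + pkt
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    if port == 4500 and data.startswith(NON_ESP_MARKER):
        data = data[4:]
    return classify_response(data, spi)


def constructed_response(sent_spi, notify_type=14):
    """Constructed sample (not a real capture): responder answering N(notify_type)."""
    body = _generic_payload(PT_NONE, struct.pack("!BBH", 0, 0, notify_type))
    hdr = struct.pack("!8s8sBBBBII", sent_spi, os.urandom(8), PT_NOTIFY, IKEV2_VERSION,
                      EXCH_IKE_SA_INIT, FLAG_RESPONSE, 0, HDR_LEN + len(body))
    return hdr + body
```

Run `probe("203.0.113.1")` (documentation address; substitute the Firebox's external IP, with authorization) from a host outside the network. A reply carrying an SA payload means the proposal was accepted; a reply carrying only N(NO_PROPOSAL_CHOSEN) or N(INVALID_KE_PAYLOAD) still proves that an IKEv2 responder answers from an arbitrary source, which is the condition the finding describes. Check UDP/4500 as well, since NAT-T clients use it, and compare against a firewall without Mobile VPN with IKEv2, where the probe should time out.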
