Meraki MX cannot meet the requirements of PCI Approved Scanning Vendor

StayGB
Comes here often

Meraki MX cannot meet the requirements of PCI Approved Scanning Vendor

To navigate a PCI compliance audit the PCI approved scanning vendor has requested that we open our MX to L3 inbound to their IPv4 blocks so they can scan the devices within our network. Meraki support has stated that the MX only supports 1:1 NAT or port forwarding, but as far as I am aware, none of these options will achieve what is required by the ASV. There is at present only IPv6 inbound layer three firewall.

 

I cannot believe that a Cisco Meraki MX cannot accommodate PCI scanning so I would greatly appreciate some wisdom on how this could be accomplished.

5 REPLIES 5
Brash
Head in the Cloud

Inbound firewall rules can be opened upon request via Meraki Support

Solved: Meraki MX Inbound Firewall Rules - The Meraki Community

That said, I'm not sure how exactly that would benefit for scanning devices within your network.
How exactly do they intend to scan the devices in your network?

StayGB
Comes here often

I was extremely concerned by the request to open our firewall permanently and disable (or at least whitelist those blocks) for IDS.

 

I have already directly requested that Meraki Support adds this to this device. In their response they ignored this and clearly did not wish to comply with my request for whatever reason!

Owen
Getting noticed

Assuming you have an internal VLAN with publically routed IP addressing you'll need the no-NAT and the inbound firewall rule features enabled to get that working.

StayGB
Comes here often

Not the NoNAT again. This has been a Beta firmware feature for as long as I can remember. Surely it cannot be recommended to secure PCI cardholder network devices behind a firewall running Beta firmware! Clearly Meraki cannot be satisfied with the security of the feature otherwise it would have not remained in Beta for all this time.

 

If we are forced to use Beta firmware to provide essential features, which by definition are not supported / recommended in production environments, then what are we paying our subscriptions for?

Owen
Getting noticed

I agree with you.The MX product line has stagnated.

The simple fact is that Meraki MX devices aren't suitable for all deployments as a firewall. They certainly have their place and for many customers they fit very well in certain sections of the network but they can't be installed everywhere.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels