PCI VA Scan results and port traffic

Here to help

We recently had all 28 of our networks scanned for vulnerabilities as part of our annual PCI audit. We have the same model MX and the same firewall rules in place on all 28 networks. The findings were interesting. Almost exactly half of the networks failed the scan due to vulnerabilities for TCP traffic on port 80.

[attached screenshot: port 80 fails.JPG]

If my firewall rules are all the same, and the devices on the network are 95% the same, why would half of the networks fail the scans and the other half pass?

Why doesn't IDS or IPS see the port scanning and block it?

I'm sure there are a million variables that could cause the pass/fail variances between theoretically identical network configs, but despite that, any ideas would be helpful.

Kind of a big deal

Re: PCI VA Scan results and port traffic

Your scan is probably being triggered by the Local Status Page on the MX.

https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_M...

You can disable it under Network-wide > General if you're not using them.

There was a security vuln with these pages last year as well. Are all your MX on the same version?

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki
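One way to pin down which listener the scanner is hitting is to check every WAN address yourself, from outside, and record what answers on TCP/80 (nothing, an HTTP banner, a Server header). This is an added example and not code from the thread or from Meraki; the site names and 192.0.2.x addresses are constructed placeholders, and the `probe` parameter only exists so the reporting logic can be exercised without network access.

```python
import socket

# Constructed placeholders for the WAN IPs of the audited networks (not real).
WAN_ADDRESSES = {"site-01": "192.0.2.10", "site-02": "192.0.2.11"}


def probe_http(host, port=80, timeout=3.0):
    """Connect to host:port, send a minimal HEAD request and return the raw
    response bytes; None means the port was closed, filtered or timed out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            chunks, total = [], 0
            while total < 65536:          # cap what we keep from a chatty server
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
            return b"".join(chunks)
    except (OSError, socket.timeout):
        return None


def summarize_response(raw):
    """Reduce a raw HTTP response to (status_line, server_header).
    Returns ('closed', None) when nothing answered at all."""
    if raw is None:
        return ("closed", None)
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    status = lines[0] if lines[0] else "no-http-banner"
    server = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    return (status, server)


def audit(addresses, probe=probe_http):
    """Probe every site and return {site: (status, server)}. Sites that answer
    on 80 are the ones to line up against the failing half of the scan."""
    return {site: summarize_response(probe(ip)) for site, ip in addresses.items()}


if __name__ == "__main__":
    for site, (status, server) in audit(WAN_ADDRESSES).items():
        print(f"{site}: {status} server={server}")
```

Compare the output against the scan report and against each MX's firmware version: if only the failing sites show a banner, the listener (local status page or otherwise) is the thing to disable or patch.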

Kind of a big deal

Re: PCI VA Scan results and port traffic

Are there web servers or web services behind those networks that failed? A vulnerability could be found in those applications/services and not the MX, if it is allowing the traffic needed.

Kind of a big deal

Re: PCI VA Scan results and port traffic

This was a scan from the outside, right? And the MXs have a NAT from the outside to a server on the inside?

As @SoCalRacer says, this is probably an issue on those servers.

Here to help

Re: PCI VA Scan results and port traffic

@PhilipDAth yes scan from the outside, no NAT to server on the inside, in fact no servers on this network.

Here to help

Re: PCI VA Scan results and port traffic

no web servers or failing web services
