How to solve PCI compliance on Cloudflare

Hi guys,

We have configured TLS v1.2 and Always Use HTTPS, and added a WAF rule blocking all ports except 80/443, but the PCI scan and compliance report show the following:

Description: TCP Source Port Pass Firewall
host: 104.26.9.70
Result:
The host responded 4 times to 4 TCP SYN probes sent to destination port 24567 using source port 53. However, it did not respond at all to 4 TCP SYN probes sent to the same destination port using a random source port.

How do we solve this PCI compliance issue? Thanks.

regards


The threat doesn’t pass through the firewall and 104.26.9.70 isn’t your origin so this finding can simply be ignored.


Hi cscharff,
Thanks. But the PCI scan is not compliant, and the host IP is hosted in Cloudflare. How could we solve this problem?

Are you saying that your site is hosted on Cloudflare? Files and all?

We use Cloudflare dns and cdn, 104.26.9.70 is not the origin server ip. It’s a Cloudflare edge ip.

Then their Result is inaccurate:

The host responded 4 times to 4 TCP SYN probes sent to destination port 24567 using source port 53. However, it did not respond at all to 4 TCP SYN probes sent to the same destination port using a random source port.

They’re not testing against the host. They’re testing against a multi-service proxy that’s not going to pass those requests to the host.


+1.
I have the same problem. I had blocked all non-standard ports using this WAF rule:
not (cf.edge.server_port in {80 443})
Still this issue persists for me!

It’s not an issue. Tell the auditor it is by design. If your origin isn’t listening on other ports or if you are blocking requests to the origin with a firewall rule it isn’t an issue. The other option is to buy Argo at ~= 5k a month. But since no one else needs to do that perhaps pushing back on the testing service for flagging bullsh*t might be a better choice.

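One way to arrange what the reply above recommends, so that the origin listens only on 80/443 and only for Cloudflare's proxies, making a finding against a Cloudflare edge IP irrelevant to the origin's own exposure. This is an added nftables example, not code from the thread or from Cloudflare; the CIDR entries and the admin network are placeholders.

```nftables
# Added example (not from the thread). Origin-side nftables ruleset:
# accept HTTP/HTTPS only from Cloudflare's proxy ranges, drop everything else.
# The CIDRs below are placeholder entries; populate the set from the published
# lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6
# and refresh them on a schedule.
table inet origin_filter {
    set cloudflare_v4 {
        type ipv4_addr
        flags interval
        elements = { 173.245.48.0/20, 103.21.244.0/22 }   # placeholder entries
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # keep replies to connections the origin itself opened
        ct state established,related accept
        iif lo accept

        # management access from an admin network (assumed placeholder range)
        ip saddr 192.0.2.0/24 tcp dport 22 accept

        # web ports only, and only when the client is a Cloudflare proxy
        ip saddr @cloudflare_v4 tcp dport { 80, 443 } ct state new accept

        # no rule matches on the client's source port, so a SYN from source
        # port 53 to any other destination port is dropped like any other probe
    }
}
```

With this in place a scanner that is paused past Cloudflare and pointed at the origin directly sees no open ports, and a "source port pass firewall" result against the edge IP cannot correspond to anything reachable on the origin.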

I’m having the same issue.
Did somebody find a workaround?

For those who claim this is not an error, please note that if a PCI scan does not pass, it means that the site is not compliant. It's not about convincing somebody; it's a regulated scan report that banks require.

image

As evidenced in OP’s screenshot - you are perfectly within your rights to raise a false positive or provide justification to supposed ‘failures’.

These sort of scans are pretty succinctly described in this quote - testing shared infrastructure’s ports will always result in noise.

I referred to some articles on the internet and got an overview of the problem: "the firewall allows you to connect/send a SYN to its port ("24567") from the client's port 53. So there is no filtering of incoming client ports." This is what I understood from the articles.

But in my case the specified port ("24567") is not open. I still have the issue :(

I also have the same issue. Tried to submit a false positive but they are not accepting it.

Did anyone find a fix for this issue? I scanned the same site 3 months ago and this was not an issue.

  1. Pause Cloudflare (lower right corner of Overview page)
  2. Wait five minutes
  3. Run scan again

Thanks, that didn’t seem to work unfortunately, still getting the same fail reasons.

When you say pause, should I leave it paused while the scan runs, or pause then enable after 5 minutes and then run the scan?

You pause Cloudflare so that the scanner can reach your server directly, so it will stay paused during the scan.

You can enable it again after the scan.

