So after going around the horn with SonicWall support we received the final answer from tech support: If you use the GroupVPN (and not site-to-site VPN) the damn firewall will always advertise weak ciphers even if you don’t use them. It doesn’t matter if you upgrade firmware, configure SSL certs, use stronger encryption method modes, etc. The SonicWall will ALWAYS still advertise the weak ciphers and your PCI compliance scan will fail. SonicWall can’t fix it and they have no intention of fixing it. Their official stance is that the PCI compliance scan is faulty. All models of SonicWall firewalls have this limitation. I guess that puts the nail in the coffin for us. SonicWall is garbage. What kind of firewall can’t shut down a port scan from seeing something you don’t want it to see?
All the SonicWall hate here: Global VPN is deprecated. Use SSL VPN. Or you could go Windows and deploy Always-On VPN.
We move customers to SSL VPN in those circumstances.
Their official stance is that the PCI compliance scan is faulty.
I think it’s absolutely correct that the Sonicwall implementation is bad AND the PCI scan criteria are faulty.
Sonicwall has a long history of ineptitude, especially post Dell acquisition.
Qualys has a history of “ahead of their time” minimum requirements specifically intended to present scan “findings” that keep them relevant and their sales up. The requirements aren’t wrong so much as excessive for PCI.
I had Trustwave PCI scans saying Cloudflare SSL failed. Completely stupid.
The kind whose primary selling point is: “Your boss/client recognizes our name, but we’re cheaper than Cisco.”
Applications don’t need to see their FIN ACKs or their sockets close. Didn’t you know?
We just tell the auditors we use a secure passphrase, pass every time. Other options are to use certificates or get the customer to buy SSL VPN licenses.
Have you tried using certificates instead of passphrases?
Are you a dog hater? Everyone likes poodles right?
Edit: seriously though, not being able to disable less secure suites sucks. SonicWall doesn’t let you do that at all?
What SAQ do you fall under for PCI Compliance?
Just got finished with a months-long process with this.
Try to get to a second-level support person and ask them about it.
What a few of my customers did is run a straight line from the card unit to the SonicWall and VLAN it.
We provided a business case and network diagram, then attested that the machine was secure.
Your mileage may vary.
SonicWall has been producing certain hotfix firmware to fix PCI-related compliance issues, at least that has been my experience. Additionally, we haven’t used Global VPN either, it’s all SSL-VPN/SonicWall Mobile Connect for customers we have. Even then, with Qualys, Trustwave and the like you can usually contest the finding.
Why not spool up a second LAN and WAN IP for just PCI?
I am so glad I convinced all my employers to switch to pfSense…
That is EXACTLY why we moved to Sophos. We had a new client with 90+ stores, all running SonicWalls and all running very lazy VPN technologies, and whoa boy, when we did an eval, MOST OF THEM could be logged into with their default PWs.
8 months later we converted ALL to Sophos XG series and locked them all down to a few command and control servers. After 16, we upgraded them to Cloud Control and haven’t looked back. We get a PCI scan monthly and an email from the CEO about 20 minutes after each scan showing black holes with only ICMP as a response with, “THANK YOU!!!”. Every. Time.
Bye Sonicwall, you were good during your time. Were.
Yeah, that’s because it’s a deprecated VPN method left in for backward compatibility. Also, it’s called GlobalVPN, not group VPN, so maybe figure out what you’re screaming about first. This is your fault as an admin for continuing to use it and not moving users to SSL VPN if it is a PCI issue for you. Aggressive mode VPN tunnels from ANY firewall left turned on will fail compliance for PCI as well; it opens the same UDP 500 IKE port that the GlobalVPN uses. Keep in mind not everyone has to be PCI compliant. Learn some shit before you start screaming.
Absolutely this… Deprecated may be a strong word, but there is no reason to use Global VPN in almost 2019 unless you have serious legacy product interaction needs. We’ve deployed only SSL VPN for years. It is far easier to support and we have far fewer hurdles like this to deal with.
SSL VPN still fails on SonicWalls because it still advertises the weak ciphers even if they’re not in use. It’s frustrating and they have no fix other than “don’t need a group VPN, only use point to point and scope IPs.”
Is there a source on that? I haven’t paid attention and their site still actively advertises a deprecated feature which is weird to do.
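Several posters above disagree about whether the SSL VPN endpoint merely lists weak cipher suites or will actually negotiate them, and one notes that a Qualys or Trustwave finding can be contested. The useful evidence for either argument is a handshake test: offer the endpoint one cipher suite at a time and record which ones it accepts. The following is an added example written for this thread, not code from any poster or from SonicWall. It stands up a loopback TLS listener restricted to two AES-GCM suites as a stand-in for the firewall's SSL VPN port (the listener, its self-signed certificate and its `vpn.example.invalid` name are all constructed here), then probes it with a candidate list that mixes modern suites with 3DES, RC4 and CBC ones. Pointing `Enumerate` at a real address instead of the local listener is the same check against a real endpoint; it covers TLS only, so it says nothing about the IKE/UDP 500 behaviour of GlobalVPN mentioned above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Candidates is a constructed probe list: two suites the local listener
// enables, plus legacy suites a PCI ASV scan would flag if negotiable.
var Candidates = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
	tls.TLS_RSA_WITH_RC4_128_SHA,
}

// selfSignedCert builds a throwaway ECDSA certificate for the local listener
// (constructed for the example; a real endpoint presents its own cert).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vpn.example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startServer listens on loopback with only the given TLS 1.2 suites enabled,
// playing the role of a correctly hardened SSL VPN endpoint.
func startServer(suites []uint16) (net.Listener, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: suites,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				// Drive the handshake so the client sees accept or reject, then hang up.
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake()
				}
				c.Close()
			}(c)
		}
	}()
	return ln, nil
}

// probe offers exactly one cipher suite at TLS 1.2; true means the server
// completed the handshake with it, false means it refused (alert or error).
func probe(addr string, suite uint16) bool {
	cfg := &tls.Config{
		InsecureSkipVerify: true, // identity is not under test, only suite acceptance
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         tls.VersionTLS12,
		CipherSuites:       []uint16{suite},
	}
	d := net.Dialer{Timeout: 2 * time.Second}
	conn, err := tls.DialWithDialer(&d, "tcp", addr, cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// Enumerate maps each candidate suite name to whether addr negotiates it.
func Enumerate(addr string, candidates []uint16) map[string]bool {
	out := make(map[string]bool, len(candidates))
	for _, s := range candidates {
		out[tls.CipherSuiteName(s)] = probe(addr, s)
	}
	return out
}

func main() {
	strong := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384}
	ln, err := startServer(strong)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	for name, ok := range Enumerate(ln.Addr().String(), Candidates) {
		fmt.Printf("%-45s accepted=%v\n", name, ok)
	}
}
```

The result is a per-suite accept/reject table rather than a list of what a ClientHello or server banner happens to mention, which is the distinction the thread keeps circling: a suite that is advertised but never negotiable is a far weaker finding than one the endpoint actually completes a handshake with, and the table gives you something concrete to attach when contesting or confirming the scan.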