Chapter 7 – PCI DSS Compliance

Running PCI DSS compliance checks

FortiOS 5.4 allows you to run a compliance check either on demand or according to a schedule that automatically checks PCI DSS compliance at the global and/or VDOM level. The compliance check determines whether the FortiGate is compliant with each PCI DSS requirement by displaying an ‘X’ next to the non-compliant entries in the GUI logs.

 

The FortiGate runs at least 50 compliance checks that report on the status of a number of things including:

  • Checking that out-of-state ICMP packets are dropped
  • The TCP end timeout is set
  • SSL/SSH deep inspection combined with web filtering drops traffic from servers that present invalid server certificates
  • Verifying that IPS signatures, Application Control signatures, and Antivirus signatures are up to date
  • Determining if Spyware/Malicious sites are being blocked by a web filtering policy
  • Verifying that administrators are locked out after 3 login failures

 

For a complete list of compliance checks go to Log & Report > Compliance Events.

 

Configuring PCI DSS compliance checking

Go to System > Advanced > Compliance, turn on compliance checking and configure a daily time to run the compliance check. Or you can select Run Now to run the compliance check on demand.

Go to Log & Report > Compliance Events to view compliance checking log messages that show the results of running compliance checks.

You can also configure compliance checking and set up the schedule from the CLI:

config system global

set compliance-check {disable | enable}

set compliance-check-time <time>

end

Use the following command to run on-demand compliance checking:

execute dsscc

 

Per-VDOM compliance checking

If you have multiple VDOMs enabled, compliance checking can be run separately for each VDOM.

Begin from the Global view by going to System > Advanced > Compliance, turning on compliance checking and configuring a daily time to run the compliance check. This daily schedule is used to run compliance checks on every individual VDOM in which compliance checking is enabled.

You can also enable global compliance checking from the CLI:

config global

config system global

set compliance-check {disable | enable}

set compliance-check-time <time>

end

end

Then log into each VDOM for which compliance checking should be enabled, go to System > Advanced > Compliance, and turn on compliance checking. You can also select Run Now to run a compliance check on that VDOM on demand.

 

From the CLI edit a VDOM and use the following command to enable compliance checking for that VDOM. The following example shows how to enable compliance checking for the root VDOM:

 

config vdom

edit root

config system settings

set compliance-check enable

end

end

From the CLI you can also log into a VDOM and use the following command to run on-demand compliance checking:

execute dsscc

From a VDOM GUI go to Log & Report > Compliance Events to view compliance checking log messages that show the results of running compliance checks.
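The global and per-VDOM steps above are easy to get wrong when typed by hand, because each config block has to be nested and closed correctly (a missing end leaves later commands running in the wrong context). The following helper generates a correctly nested CLI script for a list of VDOMs so it can be pasted into the console or pushed over SSH. It is an added example and not part of the FortiOS Handbook or Fortinet's own tooling; the commands it emits are exactly the ones listed on this page (config system global / set compliance-check / set compliance-check-time, config system settings / set compliance-check, execute dsscc), while the function names, the HH:MM time check and the VDOM-name check are assumptions of this example.

```python
"""Generate a FortiOS 5.4 CLI script that enables PCI DSS compliance checking.

Added example, not Fortinet code. Only the CLI keywords come from the handbook;
the HH:MM validation, the VDOM name filter and the function names are
assumptions made here. The script is returned as text; delivering it to the
FortiGate (console paste, SSH) is left to the caller.
"""
import re
from typing import Iterable, List

# The daily schedule is given as HH:MM in 24-hour form (assumption: reject
# anything else before it reaches the device).
TIME_RE = re.compile(r"^(?:[01][0-9]|2[0-3]):[0-5][0-9]$")
# Conservative VDOM name filter so an untrusted name cannot smuggle extra CLI
# lines (newlines, quotes) into the generated script.
VDOM_RE = re.compile(r"^[A-Za-z0-9_-]{1,31}$")


def validate_time(check_time: str) -> str:
    if not TIME_RE.match(check_time):
        raise ValueError(f"compliance-check-time must be HH:MM, got {check_time!r}")
    return check_time


def validate_vdom(name: str) -> str:
    if not VDOM_RE.match(name):
        raise ValueError(f"refusing unsafe VDOM name {name!r}")
    return name


def global_commands(check_time: str, multi_vdom: bool) -> List[str]:
    """Global-level enable plus the daily schedule.

    On a unit with VDOMs enabled the block must be wrapped in
    'config global' ... 'end', otherwise it is entered directly.
    """
    inner = [
        "config system global",
        "    set compliance-check enable",
        f"    set compliance-check-time {validate_time(check_time)}",
        "end",
    ]
    if not multi_vdom:
        return inner
    return ["config global"] + ["    " + line for line in inner] + ["end"]


def vdom_commands(vdom: str, run_now: bool = False) -> List[str]:
    """Enable checking inside one VDOM; run_now adds the on-demand check.

    'execute dsscc' is issued while still inside 'edit <vdom>' so it runs in
    that VDOM's context; the final 'end' returns to the global prompt.
    """
    name = validate_vdom(vdom)
    lines = [
        "config vdom",
        f"    edit {name}",
        "        config system settings",
        "            set compliance-check enable",
        "        end",
    ]
    if run_now:
        lines.append("        execute dsscc")
    lines.append("end")
    return lines


def build_script(check_time: str, vdoms: Iterable[str] = (),
                 run_now: bool = False) -> str:
    """Full script: global enable first, then every VDOM in order."""
    vdom_list = list(vdoms)
    lines = global_commands(check_time, multi_vdom=bool(vdom_list))
    for vdom in vdom_list:
        lines += vdom_commands(vdom, run_now=run_now)
    if not vdom_list and run_now:
        lines.append("execute dsscc")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed input: a unit with a root VDOM and a customer VDOM.
    print(build_script("02:30", ["root", "customer1"], run_now=True))
```

Leading whitespace is accepted by the FortiOS CLI, so the indented output pastes back the same way `show` output does; strip it if your delivery tool objects. Review the generated text before applying it, and remember that the checks themselves still have to be read from Log & Report > Compliance Events afterwards.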

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
