[Solved]How to whitelist ip's on EdgerouterX for PCI compliance?

Toggle sidebar Toggle sidebar
bbhaag

bbhaag

Diamond Member
Jul 2, 2011
7,143
2,577
146
So I want to say that I am by no means an expert in networking and I'm having an issue with PCI compliance using Trustwave and I was hoping some could help me with this. Trustwaves scan keeps failing us and according to this article I need to whitelist their ip's on our router in order for their scanner to complete. All our terminals are wired back to the Edge router so there is no wireless involved.

Here's what I have done but have not been successful.
1.Under firewall/nat groups I created a new group named trustwave and added the ip's listed in the article above.
UhhWl28.png


2.Under firewall policies I created a new ruleset called trustwave. I set it as the first policy and to accept any action from the group trustwave.
hTQg5xZ.png


From this point on I am lost. I keep trying to get the scan to pass but every time I get failed. Does anyone have any suggestions because I am lost.
 
Carson Dyle

Carson Dyle

Diamond Member
Jul 2, 2012
8,173
524
126
n/m. I was assuming this was some type of limited access network, such as for a POS system. Is it just an office network?
 
Last edited:
bbhaag

bbhaag

Diamond Member
Jul 2, 2011
7,143
2,577
146
It's not an office network. Our credit card terminals are connected to the router. We recently updated our terminals to be chip compliant(PCI compliant)and Trustwave wants to scan the network but I'm not sure how to whitelist their ips in the EdgerouterX gui. Here's the report that Trustwave sends me. I've edited out the important parts.
thS55Fa.png

PDgJbPx.png

mTnK1rH.png

x9mSoUT.png
 
ch33zw1z

ch33zw1z

Lifer
Nov 4, 2004
39,166
19,879
146
The first parts in the link indicate that removing the host and initiating a rescan may correct this issue. Have you already done that?

The reasoning is that customers (you) may not have statically assigned IP's from their ISP.

Next, how is the ER-X configured on the WAN side?

additional questions:

Is the ER-X new to the config?
did this ever work with the ER-X?
 
PliotronX

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
I've only ever added to WAN_LOCAL (guides state to use WAN_IN but that never seems to work). Also if on DSL, the destination interface needs to be pppoe0 rather than ethX.
 
ch33zw1z

ch33zw1z

Lifer
Nov 4, 2004
39,166
19,879
146
PliotronX said:
I've only ever added to WAN_LOCAL (guides state to use WAN_IN but that never seems to work). Also if on DSL, the destination interface needs to be pppoe0 rather than ethX.
Click to expand...
Yea, gonna need a wan config to assist more.
 
bbhaag

bbhaag

Diamond Member
Jul 2, 2011
7,143
2,577
146
I want to apologize for not getting back to you guys sooner. It has been very busy at work over the past week. I did take some screen caps of how my Local_wan is configured. I hope they help if not just let me know what you need. To answer a few questions. YES the ER-X is new to the config and NO it has not worked from the beginning.
Now onto the pics.
nnfgN0A.png

DembbkO.png

lrQbRXc.png
 
ch33zw1z

ch33zw1z

Lifer
Nov 4, 2004
39,166
19,879
146
What's between the ER-x and internet?

What's the actual WAN config, should be on the first dashboard screen. IP, subnet etc...
 
bbhaag

bbhaag

Diamond Member
Jul 2, 2011
7,143
2,577
146
ch33zw1z said:
What's between the ER-x and internet?

What's the actual WAN config, should be on the first dashboard screen. IP, subnet etc...
Click to expand...
The only thing between the ER-X and the internet is the fiber modem issued by MTCO who is our provider. I really struggle with networking so I hope this screen cap is the one you are looking for. If it's not please let me know.
78u5q2b.png
 
bbhaag

bbhaag

Diamond Member
Jul 2, 2011
7,143
2,577
146
ch33zw1z said:
Also, found this: https://community.ubnt.com/t5/EdgeRouter/What-is-WAN-IN-vs-WAN-LOCAL/td-p/1098853

Put the rules on WAN IN
Click to expand...
Cool. Thanks for the link. I'll take a look at it and see if it helps. I suppose if worse comes to worse and I can't figure this out I can always sign up over at the UBNT forums and ask to. That's tough though because everyone over their always talks in acronyms and then I have to google the acronym to find out what they are talking about.
Anyway, thanks for the help so far I appreciate it.
 
ch33zw1z

ch33zw1z

Lifer
Nov 4, 2004
39,166
19,879
146
bbhaag said:
Cool. Thanks for the link. I'll take a look at it and see if it helps. I suppose if worse comes to worse and I can't figure this out I can always sign up over at the UBNT forums and ask to. That's tough though because everyone over their always talks in acronyms and then I have to google the acronym to find out what they are talking about.
Anyway, thanks for the help so far I appreciate it.
Click to expand...
NP, that's what we're here for. And by helping you, I get to learn as well.
 
bruceb

bruceb

Diamond Member
Aug 20, 2004
8,874
111
106
Much more info at this link here:
https://community.ubnt.com/t5/UniFi...-to-whitelist-IPs-from-Trustwave/td-p/2239068
This last clip is from the last post of that link above:
Re: How to whitelist IPs from Trustwave
We also use Trustwave PCI Compliance. All you need to do is allow ICMP from the Trustwave IPs to the WAN local. They dont need to actually port forward to the endpoint system. I have battled with Trustwave about this since there is a reason we block ICMP from the public side of the world, but apparently they need to see your Public IP in order to verify the scan is getting to the right place.
 
  • Like
Reactions: ch33zw1z
bbhaag

bbhaag

Diamond Member
Jul 2, 2011
7,143
2,577
146
bruceb said:
Much more info at this link here:
https://community.ubnt.com/t5/UniFi...-to-whitelist-IPs-from-Trustwave/td-p/2239068
This last clip is from the last post of that link above:
Re: How to whitelist IPs from Trustwave
We also use Trustwave PCI Compliance. All you need to do is allow ICMP from the Trustwave IPs to the WAN local. They dont need to actually port forward to the endpoint system. I have battled with Trustwave about this since there is a reason we block ICMP from the public side of the world, but apparently they need to see your Public IP in order to verify the scan is getting to the right place.
Click to expand...
I read through that post and I tried to set it up as described by the last poster but it still failed. Under Local_Wan I added the group Trustwave which includes the ip's from the article above. What should I set as my destination though? Eth0, PPPOE0, or something else?
VrjvTEk.png

JufvCsf.png

gutZLdG.png
 
bruceb

bruceb

Diamond Member
Aug 20, 2004
8,874
111
106
What that post said is you need to allow your Modem / Router to respond to an Incoming ICMP (Ping) Request .. I find most routers have that disabled by default, which is good for not being able to be found by scoundrels on the net. I also turn off ICMP Ping Incoming on each of my computer firewalls.
 
bbhaag

bbhaag

Diamond Member
Jul 2, 2011
7,143
2,577
146
bruceb said:
What that post said is you need to allow your Modem / Router to respond to an Incoming ICMP (Ping) Request .. I find most routers have that disabled by default, which is good for not being able to be found by scoundrels on the net. I also turn off ICMP Ping Incoming on each of my computer firewalls.
Click to expand...
Yeah I read the post but it's so vague. I've allowed ICMP on the Wan_Local but it still fails...sigh. Ya know what I know cursing isn't allowed in the tech forums but I am sick of this shit. Fuck it I give up. Thanks for the help guys but networking was never my strong point and I am done trying to figure this out.
ki0CC7C.png
 
bbhaag

bbhaag

Diamond Member
Jul 2, 2011
7,143
2,577
146
Ok I know I said f-it and gave up but the computer nerd in me just couldn't. I was frustrated and in a knee jerk reaction I made the last post above. Sorry about that guys I know you're just trying to help me out.
So I finally got to the bottom of the icmp issue and allowing Trustwave to scan my network but now I have another issue revolving around TLS1.0 and certain algorithms.
How do I disable TLS1.0 on my EdgerouterX? A simple web search has provided little beyond some post on the UBNT forums and it looks to be cli based....I hate the cli but if that is what it takes I will figure it out. Here's a new screencap. As you can see the first four results are causing a failed status. Again thank you to everyone for the help.
iF55v6y.png
 
X

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
That kind of change will be CLI based.

Code: 
set service gui older-ciphers disable
set service ssh protocol-version v2

But that should do the trick.
 
bbhaag

bbhaag

Diamond Member
Jul 2, 2011
7,143
2,577
146
XavierMace said:
That kind of change will be CLI based.

Code: 
set service gui older-ciphers disable
set service ssh protocol-version v2

But that should do the trick.
Click to expand...
Thank you for the response. I am very new to the cli. I see at the top right of the EdgeOS there is a cli button. If I click on that it bring up another window asking for a user id and password. Are you saying if I enter my user id and password then copy and paste the command you provided that will solve some of my issues?
 
bbhaag

bbhaag

Diamond Member
Jul 2, 2011
7,143
2,577
146
Well it looks like I have finally gotten a pass rating. As best I can tell it was allowing Trustwave to scan my network using the protocol icpm and then disabling the older TLS1.0 cipher on the Edgerouter X. Thanks everyone. I really do appreciate the help and feedback that was provided.
tgylsZb.png
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom