
PCI Scan Fails SSL Certificate Check on Checkpoint Firewall and Weak IPsec Encryption Settings

Question asked by Simmie Orbit on Apr 29, 2014



The PCI compliance scan fails the SSL certificate check and reports weak IPsec encryption settings on my client's Checkpoint R77 firewall cluster.

The firewall has SSL connectivity to the VPN gateway for the initial setup of the IPsec tunnel each time a user needs to connect. Following a successful SSL session, the client sets up an IPsec tunnel with the gateway, in which user authentication is done. The VPN gateway has a certificate generated from its own internal CA, which it presents to the clients in the SSL session. This is where the PCI scan is failing, with the following symptoms:

1. "SSL Certificate - Self-Signed Certificate"

2. "SSL Certificate - Signature Verification Failed Vulnerability"

Also, the encryption algorithms on the Checkpoint R77 are AES and 3DES.


I am thinking that this may be a false positive given that, with SSL connectivity alone, I don't think an attacker would be able to do anything. The subject would still need to be authenticated using the method described above in order to gain access to our network.


I requested a false positive, but the scan still fails, and they need to have a clean/pass ASV {attestation report} for the bank's ongoing PCI certification.


Need a swift response.

Thanks in advance.


Best regards,

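As an added example (not from the original post), the two certificate findings above reproduced locally with the openssl CLI, so a "false positive" claim can be checked against a copy of the gateway certificate before it is filed with the ASV. The gateway certificate here is a constructed throwaway, the hostnames are made up, and the only assumption is that openssl is installed.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the ASV's two
# certificate findings locally. Assumes the openssl CLI is available;
# the hostnames are made up.
set -e

# Finding 1, "Self-Signed Certificate": issuer DN equals subject DN.
# Handles both the "subject= /CN=x" and "subject=CN = x" output styles.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Finding 2, "Signature Verification Failed": the chain does not reach a
# trust anchor the verifier holds. An ASV only holds public roots, so a
# cert from the firewall's internal CA fails here although the signature
# itself is valid. Usage: verifies_against CERT TRUST_STORE
verifies_against() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed stand-in for the gateway certificate: a throwaway
# self-signed cert and key written to $1.pem / $1.key with CN=$2.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Stand-alone demo: an unrelated self-signed root plays the role of the
# scanner's public trust store.
demo() {
  d=$(mktemp -d)
  make_demo_cert "$d/gw" "vpn-gateway.example.internal"
  make_demo_cert "$d/public-root" "unrelated-root.example"
  is_self_signed "$d/gw.pem" && echo "gw.pem: self-signed (finding 1)"
  if verifies_against "$d/gw.pem" "$d/public-root.pem"; then
    echo "gw.pem: chains to the scanner's roots"
  else
    echo "gw.pem: verification fails against public roots (finding 2)"
  fi
  # Trusting the internal CA makes the same cert verify, which is why the
  # VPN clients accept it while the ASV does not.
  verifies_against "$d/gw.pem" "$d/gw.pem" && echo "gw.pem: OK with internal CA"
  rm -rf "$d"
}

demo
```

Replacing the constructed gw.pem with an export of the real gateway certificate and its issuing CA gives the same check on the actual finding.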