Keep failing PCI audit because of sweet32 attack detected

I have just installed two new TZ270 SonicWall firewalls at a customer site running the newest version of the 7.0 OS. Both offices have Internet access from the cable company. To connect the two offices together I have configured an IPSec SSL VPN. The VPN is configured with the encryption type AES-256 and authentication type SHA384.

For PCI compliance an independent audit company needs to run periodical scans against both firewalls. I keep failing the compliance scan due to the firewall being vulnerable to the sweet32 attack within ISAKMP. I have read a few SonicWall KBs but they all reference the 6.x OS which does not pertain to the TZ270.

Could someone please tell me what configuration I need to make within 7.0 to fix the sweet32 attack detection?

Thank you everyone for your help with this issue.


Category: Entry Level Firewalls


  • Ajishlal Community Legend ✭✭✭✭✭

    Hi @Nentwich

    Block all the 64-bit ciphers like DES & 3DES, and if that does not resolve the problem, contact Technical Support & they will guide you.

  • Nentwich Newbie ✭

    @Ajishlal how do I block the 64 bit ciphers? Can you share a link which outlines the steps to block these ciphers?



  • TKWITS Community Legend ✭✭✭✭✭
    edited August 2021

    So you said "IPSec SSL VPN" which isn't a thing. An IPSec VPN tunnel between locations and SSL VPN for remote client access are two different things.

    Are you running the latest firmware version (or at least 7.0.1-1456)? Have you tried replicating the results using Nmap?

    Have you tried disabling SSLVPN services (if it's on)?

    The PCI Scan result will tell you what IP address and port are the problem.

  • Ajishlal Community Legend ✭✭✭✭✭

    Hi @Nentwich

    Follow the screenshot below, and it is better to get SonicWall support if you are not familiar with cipher suites.
