TZ 500 - "Hidden" use of IKE Aggressive Mode

bKSdsT

Hello,

(Haven't been able to find any other answers / potentials from other research so using this route.)

I'm currently undergoing PCI Compliance Vulnerability Scans & I've satisfied all requirements except one: "Port 500 - Aggressive Mode supported." This is reoccurring now from x3 scans.

After the first: I discovered a site-to-site VPN actually using "Aggressive Mode" and made changes to "Main Mode" instead.

After the second: I discovered "WAN GroupVPN" supposedly utilizes "Aggressive Mode" and that it doesn't seem like it can be altered or that default VPN policy itself can be deleted - so I simply disabled it ("WLAN Group VPN" was disabled already & I left it so.)

After the third: there are no signs of IKE "Aggressive Mode" being used anywhere yet the most recent Vulnerability Scan still has it flagged as an unsatisfactory vulnerability.

Is it possible it's still being used somewhere OR perhaps the PCI Compliance Vulnerability Scan simply just "sees" that the TZ 500 is capable of supporting it?

Thank you for your time,

-bKSdsT

preston

Hi @bKSdsT, if you are only using Main mode VPNs and Not the WAN Group VPN

1 ) Create an Address Object for each of the WAN Destination IP of the VPN Policies, (the Gateway IPs)

2) put the objects in a new Address object group

3) then go to Access Rules WAN to WAN and put this group in the Source section on the Default Incoming IKE Rule(s) there may be several depending if you are using Route Based or Policy Mode Site to Site VPNs,

i.e. there will be one from ANY to All WAN Interfaces for IKE and in mine as I'm using Route Based VPN there is another from ANY to X1 Interface IP ( the WAN Interface selected in my Route Based VPN Policy )

4 ) Run the the PCI test again it should now not see the IKE