Monthly Archives: April 2017

Sophos XG Firewall PCI Compliance Woes

Recently I deployed a Sophos XG firewall to replace my very much aging Microsoft Forefront TMG 2010 firewalls. For the most part, after lots of back and forth with Sophos tech support, I got it working correctly for things like Outlook Anywhere, Web and Mobile Access, protecting internal websites, and general web filtering. Everything seemed fine until our monthly PCI compliance scans came along and we failed miserably. TLS 1.0 was enable, HTTP Track/Trace was enabled, and 64 bit cyphers were enabled for each external IP that we were hosting a site on. I contacted Sophos and long story short there is currently no way to fix these through the UI (v16)….all required manually editing the appache httpd file on the box. So here is how to do it.

First telnet into your XG, log in, then go to 5 Device Management then 3 Advance Shell. Type in the following:

# mount -no remount,rw /
# vi /usr/apache/conf/httpd.conf

You should now be able to edit the file. Press “I” once to enter insert mode. Find the SSLCipherSuite line and remove any sections (between the colons) that have 3DES in them. For example the original cypher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS

Modified cypher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

Now find the SSLProtocol list, usually right below the cyphers and remove support for whichever protocol by adding it with a minus. Here is the original line:

SSLProtocol all -SSLv2 -SSLv3

Modified protocols line:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Lastly for the tracking add a new line under these:

TraceEnable off

Hit ESC then :w and enter to write the file then :q and enter to quit. Then restart the services and mark things what I’m assuming is read only:

# service apache:restart -ds nosync
# service WAF:restart -ds nosync
# mount -no remount,ro /

Keep in mind any Outlook 2010 clients you have in the field might try to connect using TLS 1.0 and will fail with a cryptic proxy server error. You can follow this site to hopefully fix that: https://blogs.technet.microsoft.com/schrimsher/2016/07/08/enabling-tls-1-1-and-1-2-in-outlook-on-windows-7/