PCI compliance of port 8013

This article provides information on PCI compliance of port 8013.

Scope

FortiGate.

Solution

It is relatively common for a PCI compliance scan on port 8013 to fail due to the use of a local self-signed certificate on the FortiGate.

Port 8013 is used for FortiClient Telemetry (Security Fabric and compliance) and CAPWAP (due to the consolidation of features into one option since v6.2.3).

For more information regarding the consolidation, refer to the following document: New features or enhancements

Because this service uses a local self-signed certificate (the FortiGate factory-default local certificate), a PCI compliance scan is expected to fail when it is run against an interface that has the ‘Security Fabric’ option enabled in the system interface settings. Unlike the certificate used for the GUI page, the local certificate used by Security Fabric cannot be replaced for now.

Workarounds:

Take one of the following workarounds based on respective requirements:

  1. If no FortiAPs are used on the interface, disable the ‘Security Fabric’ option, because the CAPWAP service is not required there.
  2. If FortiAPs are used on the interface, configure a local-in policy that only allows a specific range of IPs to reach the FortiGate on port 8013, so that the PCI scanner's traffic to that port is blocked.

Note: FortiClient Telemetry should not be impacted because this service is moved to FortiClient EMS.
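The following FortiOS CLI configuration is an added example of the second workaround; it is not taken from the Fortinet article. The interface name "port2", the FortiAP management subnet 10.10.20.0/24, and the object names are assumptions chosen for illustration, and the listener is assumed to be TCP on port 8013.

```fortios
# Added example (not from the article): restrict port 8013 on the Security Fabric
# interface to the FortiAP management range so an external PCI scanner cannot
# reach the self-signed listener.
# Assumed values: interface "port2", FortiAP subnet 10.10.20.0/24, TCP/8013.

# 1. Address object for the FortiAP management range (assumed subnet).
config firewall address
    edit "FortiAP-Mgmt-Range"
        set subnet 10.10.20.0 255.255.255.0
    next
end

# 2. Custom service matching the telemetry/CAPWAP listener (assumed TCP 8013).
config firewall service custom
    edit "TCP-8013"
        set tcp-portrange 8013
    next
end

# 3. Local-in policies, evaluated in order: accept the FortiAP range first,
#    then deny every other source on the same port. Traffic not matched by
#    any local-in policy keeps the interface's default behaviour.
config firewall local-in-policy
    edit 1
        set intf "port2"
        set srcaddr "FortiAP-Mgmt-Range"
        set dstaddr "all"
        set action accept
        set service "TCP-8013"
        set schedule "always"
    next
    edit 2
        set intf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "TCP-8013"
        set schedule "always"
    next
end
```

After applying it, confirm the ordering with `show firewall local-in-policy` and re-run the PCI scan from outside the allowed range; the scanner should now report port 8013 as filtered instead of flagging the self-signed certificate. Keep the accept entry above the deny entry, since local-in policies match top to bottom.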