55261_Risk Assessment: Invalid or Self-Signed SSL on the Firewall...

Subject: Risk Assessment: Invalid SSL on the Firewall

Type of Security Control: Administrative 


The purpose of this procedure is to define the actions to be taken when a self-signed SSL certificate on a firewall fails a vulnerability or PCI scan.

Impact: Medium 

Applies to: External

Applicable Compliance Statements: N/A


  • A signed SSL by a CA that will cover the hostname of the firewall
  • Access to the firewall
  • A vulnerability or PCI scan result

Service Level Agreements: 

  • Within 8 hours of ticket creation, typically.


  1. When a vulnerability or PCI scan fails because of a self-signed SSL certificate on a firewall, take the steps below to remediate the issue. If the finding comes from a PCI scan, the actions below are mandatory. If it comes from a vulnerability scan, there is no governing body to report to, so the finding can either be accepted as is (there is no dispute option) or remediated.
  2. The customer opens a ticket via the customer portal asking to have the SSL certificate on the firewall updated. Preferably, a wildcard certificate for whichever domain the customer chooses is attached to the ticket so it can be added to the firewall. It can be in PFX format or another format, but it must include both the certificate and the private key.
  3. Once DataBank receives the ticket, support installs the SSL certificate on the firewall. This replaces the default self-signed certificate on the firewall.
  4. After the certificate is installed on the firewall, a CNAME record is set up in DNS. For example, if the certificate is for *.domain.tld, a CNAME such as firewall.domain.tld must be created pointing at the firewall's address. The actual CNAME name does not matter as long as it is covered by the certificate (in the case of a wildcard certificate, it will be).
  5. Next, provide the new CNAME record to the scan vendor so that the scan scope is updated to firewall.domain.tld (in the example above). When the next scan runs against the firewall, the finding should clear.
  6. Note that when connecting to the VPN via AnyConnect, the address to use is now firewall.domain.tld; otherwise the client will show SSL certificate errors.
  7. End.
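As an added example (not part of the DataBank article), the following Python reproduces the two checks a PCI or vulnerability scanner applies to the firewall's certificate, which steps 3 to 6 are meant to clear: whether the certificate is self-signed (issuer equal to subject) and whether the name the scanner connects to is covered by a DNS subjectAltName, with the wildcard rule that *.domain.tld matches firewall.domain.tld but not domain.tld on its own or a name two labels deep. Certificates are passed in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns; the two sample certificates, the placeholder CA name and the IP address 203.0.113.10 are constructed for illustration, while domain.tld and firewall.domain.tld are the article's own names.

```python
"""Added example, not from the DataBank article: the checks a scanner applies to
the firewall certificate after the CNAME change (self-signed? hostname covered?).

Certificates use the dict shape returned by ssl.SSLSocket.getpeercert(). The two
sample certificates below are constructed; only domain.tld / firewall.domain.tld
come from the article.
"""


def _rdn_to_dict(name):
    """Flatten getpeercert()'s nested subject/issuer tuples into a flat dict."""
    return {k: v for rdn in name for (k, v) in rdn}


def is_self_signed(cert):
    """True when issuer == subject, which is how a default firewall cert presents."""
    return _rdn_to_dict(cert["issuer"]) == _rdn_to_dict(cert["subject"])


def hostname_covered(hostname, cert):
    """RFC 6125-style match of hostname against the certificate's DNS SANs.

    A wildcard stands in for exactly one left-most label, so *.domain.tld covers
    firewall.domain.tld but neither domain.tld nor vpn.dmz.domain.tld.
    Matching is case-insensitive and a trailing dot on the hostname is ignored.
    """
    host = hostname.lower().rstrip(".")
    sans = [v.lower() for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    for san in sans:
        if san.startswith("*."):
            suffix = san[1:]  # "*.domain.tld" -> ".domain.tld"
            if host.endswith(suffix):
                left = host[: -len(suffix)]
                if left and "." not in left:  # exactly one label replaced
                    return True
        elif san == host:
            return True
    return False


def scan_findings(hostname, cert):
    """Return the findings a scanner would report for this hostname + certificate."""
    findings = []
    if is_self_signed(cert):
        findings.append("self-signed certificate")
    if not hostname_covered(hostname, cert):
        findings.append("certificate does not match hostname")
    return findings


# Constructed sample: a firewall's factory default certificate. Issuer equals
# subject and there is no SAN, so no scanned name can ever match it.
DEFAULT_CERT = {
    "subject": ((("commonName", "firewall-default (placeholder)"),),),
    "issuer": ((("commonName", "firewall-default (placeholder)"),),),
}

# Constructed sample: the customer's CA-issued wildcard installed in step 3.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain.tld"),),),
    "issuer": ((("commonName", "Example CA (placeholder)"),),),
    "subjectAltName": (("DNS", "*.domain.tld"), ("DNS", "domain.tld")),
}


if __name__ == "__main__":
    # Before the procedure: scanning the firewall by IP against the default cert.
    print(scan_findings("203.0.113.10", DEFAULT_CERT))
    # After step 3 but still scanning by IP: the wildcard cannot cover an address.
    print(scan_findings("203.0.113.10", WILDCARD_CERT))
    # After steps 4 and 5: scanning the CNAME name clears both findings.
    print(scan_findings("firewall.domain.tld", WILDCARD_CERT))
    # A name two labels deep is not covered by the wildcard.
    print(scan_findings("vpn.dmz.domain.tld", WILDCARD_CERT))
```

The second call shows why step 4 exists: even with the CA-issued wildcard installed, a scan that targets the firewall by IP address still reports a hostname mismatch, and only a scan scope that names a host covered by the certificate (the CNAME from step 5) clears it. Note that getpeercert() only populates its dictionary when the chain verified, so a live self-signed certificate has to be exported and parsed rather than read off the socket; the samples here stand in for that.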

Owner: Chief Information Security Officer
Questions: Chief Information Security Officer
Effective Date: 01/01/2019
Last Reviewed Date: 08/29/2019
Last Reviewed by: DataBank Security
Next Review Date: 08/2020

Category: Security

Last Modified: Thursday, August 29, 2019 12:16 PM
