FirewallIQ
๐Ÿ” Sample report โ€” Cisco ASA / FTD audited against PCI DSS v4.0. This is real output from the FirewallIQ engine. Run your audit โ†’
Score: 2 (At Risk)

EDGE-FW-01 exhibits multiple critical compliance failures against PCI DSS v4.0, including unrestricted any-to-any access policies on both interfaces, Telnet enabled inbound from the internet, SNMPv2c with community strings, and critically weak IKEv1/DES/MD5/DH-Group-1 VPN crypto. Management plane controls are broadly deficient with HTTP accessible from any external host and SSH running version 1. Immediate remediation is required across nearly every audited control domain before this device can be considered PCI DSS compliant.

5 critical, 4 high, 3 medium
[Critical] Permit IP Any Any on Both Inbound and Outbound ACLs (PCI DSS v4.0 1.3.1 / 1.3.2)
Evidence
access-list OUTSIDE_IN extended permit ip any any
access-list INSIDE_OUT extended permit ip any any
Remediation
no access-list OUTSIDE_IN extended permit ip any any
no access-list INSIDE_OUT extended permit ip any any
access-list OUTSIDE_IN extended deny ip any any log
access-list INSIDE_OUT extended deny ip any any log
[Critical] Telnet Enabled on Outside Interface from Any Host (PCI DSS v4.0 2.2.7)
Evidence
telnet 0.0.0.0 0.0.0.0 outside
Remediation
no telnet 0.0.0.0 0.0.0.0 outside
no telnet 0.0.0.0 0.0.0.0 inside
[Critical] ASDM / HTTP Management Accessible from Any External Host (PCI DSS v4.0 2.2.7)
Evidence
http server enable
http 0.0.0.0 0.0.0.0 outside
Remediation
no http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
[Critical] IKEv1 VPN with DES Encryption, MD5 Hash, and DH Group 1 (PCI DSS v4.0 1.2.6 / 4.2.1)
Evidence
crypto isakmp policy 10
 encryption des
 hash md5
 group 1
Remediation
no crypto isakmp policy 10
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
[Critical] No Logging of Denied Traffic and Insufficient Log Severity (PCI DSS v4.0 10.2.1 / 10.4)
Evidence
logging trap warnings
Remediation
logging trap informational
logging host inside <SIEM-IP>
logging facility 23
[High] SSH Version 1 Enabled (PCI DSS v4.0 2.2.7)
Evidence
ssh version 1
Remediation
ssh version 2
[High] SNMPv2c with Community Strings, No Authentication or Encryption (PCI DSS v4.0 2.2.1 / 2.2.2)
Evidence
snmp-server community [REDACTED] RO
snmp-server community [REDACTED] RW
Remediation
no snmp-server community [REDACTED] RO
no snmp-server community [REDACTED] RW
snmp-server group SNMPV3GROUP v3 priv
snmp-server user SNMPV3USER SNMPV3GROUP v3 auth sha <authpass> priv aes 128 <privpass>
[High] No AAA Authentication Configured (PCI DSS v4.0 8.3 / 8.4)
Evidence
Not present in the provided configuration
Remediation
aaa-server TACACS group tacacs+
 server-private <TACACS-IP> key <secret>
aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa accounting command TACACS
[High] No Anti-Spoofing Controls Configured (PCI DSS v4.0 1.4.3)
Evidence
Not present in the provided configuration
Remediation
interface GigabitEthernet0/0
 ip verify reverse-path interface GigabitEthernet0/0
[Medium] Service Password-Encryption Disabled (PCI DSS v4.0 2.2.1)
Evidence
no service password-encryption
Remediation
service password-encryption
[Medium] NTP Server Configured Without Authentication (PCI DSS v4.0 10.4)
Evidence
ntp server 192.168.1.100
Remediation
ntp authentication-key 1 md5 <ntp-key>
ntp authenticate
ntp trusted-key 1
ntp server 192.168.1.100 key 1
[Medium] SSH Idle Timeout Exceeds PCI DSS Session Management Requirements (PCI DSS v4.0 8.3)
Evidence
ssh timeout 60
Remediation
ssh timeout 15
console timeout 15
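The checks in the report above, as an added example that is not FirewallIQ's code: a small Python auditor that applies the same rules to a constructed ASA config excerpt and returns each finding with its evidence line. Finding names, severities and the 15-minute timeout ceiling follow the report; the regexes and the config excerpt are assumptions of this example.

```python
import re
# Constructed ASA config excerpt reproducing the report's evidence (not from a real device).
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit ip any any
telnet 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 outside
crypto isakmp policy 10
 encryption des
 hash md5
 group 1
logging trap warnings
ssh version 1
snmp-server community REDACTED RO
no service password-encryption
ntp server 192.168.1.100
ssh timeout 60
"""
# (severity, finding, regex, bad_if_present); bad_if_present=False means a missing control is the finding
LINE_CHECKS = [
    ("critical", "permit ip any any ACL", r"^access-list \S+ extended permit ip any any\b", True),
    ("critical", "Telnet from any host", r"^telnet 0\.0\.0\.0 0\.0\.0\.0 ", True),
    ("critical", "HTTP management from any host", r"^http 0\.0\.0\.0 0\.0\.0\.0 ", True),
    ("critical", "logging trap below informational", r"^logging trap (?!informational|debugging)", True),
    ("high", "SSH version 1", r"^ssh version 1$", True),
    ("high", "SNMPv2c community string", r"^snmp-server community ", True),
    ("high", "no AAA authentication for management", r"^aaa authentication (ssh|http) console ", False),
    ("high", "no reverse-path (anti-spoofing) check", r"^ip verify reverse-path interface ", False),
    ("medium", "service password-encryption disabled", r"^no service password-encryption$", True),
    ("medium", "NTP server without authentication key", r"^ntp server \S+$", True),
    ("medium", "SSH idle timeout above 15 minutes", r"^ssh timeout (1[6-9]|[2-9]\d|\d{3,})$", True),
]
WEAK_IKEV1 = {"encryption des", "hash md5", "group 1"}  # the IKEv1 parameters the report flags
def audit(config):
    # Returns (severity, finding, evidence) tuples for an ASA running-config text.
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for sev, name, pat, bad_if_present in LINE_CHECKS:
        hits = [ln for ln in lines if re.match(pat, ln.strip())]
        if bad_if_present:
            findings += [(sev, name, ln) for ln in hits]
        elif not hits:
            findings.append((sev, name, "not present in the provided configuration"))
    policy = None  # indented lines belong to the preceding "crypto isakmp policy N"
    for ln in lines:
        if ln.startswith("crypto isakmp policy "):
            policy = ln
        elif not ln.startswith(" "):
            policy = None
        elif policy and ln.strip() in WEAK_IKEV1:
            findings.append(("critical", "weak IKEv1 parameter", f"{policy}: {ln.strip()}"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` yields 14 findings (7 critical, 4 high, 3 medium), and feeding it a config that carries the report's remediation lines returns an empty list.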

Ready to audit your firewall?

Paste your running config and get a report like this in under 60 seconds.
Cisco ASA, FortiGate, Palo Alto, and 6 more platforms. PCI DSS, HIPAA, NIST 800-53, CIS.

7-day money-back guarantee · No contracts · Cancel anytime