I am trying to get our network to pass a PCI-compliance scan. Our hardware setup is: WAN -> AT&T modem (in passthrough) -> Sonicwall -> Win Server 2012r2 acting as domain controller / DHCP.
After solving some AT&T-related problems, the PCI scan is now failing because the host is not found. I have confirmed that the scan is hitting the correct IP address, and I'm trying to whitelist Trustwave's servers so they get the expected result rather than no response at all.
Under the Sonicwall's Firewall settings, I added a bunch of range address objects for the Trustwave IPs, assigning them to the "WAN" zone, then added them all to an address group. When I create an access rule for the scan, I'm not sure exactly what setup I should be using. It's currently set as:
Allow
From: WAN
To: LAN
Source Port: Any
Service: Any
Source: Trustwave Scan (Address Group)
Destination: Any
Schedule: Always On
Is this correct? I'm not sure if LAN is the proper zone to direct it to, but my thinking was that if I did that the connection requests would be hitting the domain controller and getting denied, thus passing the tests.
Any input would be greatly appreciated.
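A small rule-matching model, added here as an example and not SonicWall's own logic, to compare what the rule as posted (Destination: Any) permits against a version that limits the destination to the one scanned host; the scanner ranges, LAN subnet and DC address are constructed placeholders, not Trustwave's real addresses.

```python
"""Toy zone-based access-rule evaluator (added example, not SonicWall code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed placeholder ranges standing in for the "Trustwave Scan" address group.
TRUSTWAVE_SCAN = [ip_network("198.51.100.0/27"), ip_network("203.0.113.64/26")]
# Hypothetical LAN-side address of the domain controller the scan should reach.
DC_HOST = [ip_network("10.0.0.5/32")]


@dataclass
class Rule:
    action: str
    from_zone: str
    to_zone: str
    source: list = field(default_factory=list)       # empty list means "Any"
    destination: list = field(default_factory=list)  # empty list means "Any"
    services: set = field(default_factory=set)       # empty set means "Any"


def matches(rule, from_zone, to_zone, src, dst, proto, port):
    """True when every field of the rule covers the packet."""
    if (rule.from_zone, rule.to_zone) != (from_zone, to_zone):
        return False
    if rule.source and not any(ip_address(src) in n for n in rule.source):
        return False
    if rule.destination and not any(ip_address(dst) in n for n in rule.destination):
        return False
    if rule.services and (proto, port) not in rule.services:
        return False
    return True


def decide(rules, from_zone, to_zone, src, dst, proto, port):
    """First matching rule wins; implicit deny when nothing matches."""
    for rule in rules:
        if matches(rule, from_zone, to_zone, src, dst, proto, port):
            return rule.action
    return "deny"


# The rule exactly as posted: any service from the scanner group to any LAN host.
POSTED = [Rule("allow", "WAN", "LAN", source=TRUSTWAVE_SCAN)]
# Same rule with Destination narrowed to the scanned host only.
TIGHTER = [Rule("allow", "WAN", "LAN", source=TRUSTWAVE_SCAN, destination=DC_HOST)]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("tighter", TIGHTER)):
        print(name, "scanner->DC:", decide(rules, "WAN", "LAN", "198.51.100.7", "10.0.0.5", "tcp", 443))
        print(name, "scanner->other LAN host:", decide(rules, "WAN", "LAN", "198.51.100.7", "10.0.0.50", "tcp", 445))
        print(name, "non-scanner->DC:", decide(rules, "WAN", "LAN", "192.0.2.9", "10.0.0.5", "tcp", 443))
```

The posted rule opens every LAN host to the scanner ranges for every service; restricting Destination to the scanned host keeps the scan working while the rest of the LAN stays covered by the implicit deny.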