How to troubleshoot a live system reported as “No Host Alive” during External Scanning for PCI

Document created by George Tabet on Sep 10, 2010. Last modified by eschamp on Nov 11, 2010.
Version 4

Issue:

How to troubleshoot a live system reported as “No Host Alive” during External Scanning for PCI.

 

Solution:

The "No Host Alive" message means we did not detect a live system at that IP address during the Discovery phase of our scan. The Discovery phase tests 30 common ports to see whether we receive a response, which validates that the system is alive; we then move on to the scanning phase. If we receive no response on those 30 common ports, we list the system as Not Alive.

 

To remediate this situation there are two options: A) enable ICMP to the system, which should allow the system to be discovered as alive, or B) notify Qualys Support of the unique port available to the internet, which can be added to the discovery list of your subscription.

 

The easiest of these solutions is simply to enable ICMP to the system on the firewall, which should be an easy change and should not introduce adverse security concerns.

 

Here are the ports we check during our initial discovery phase:

 

PCI Scan - Host Discovery

TCP:   21-23, 25, 53, 80, 88, 110-111, 135, 139, 443, 445

UDP:   53, 111, 135, 137, 161, 500

ICMP:   On
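
To see in advance how the TCP part of this list looks from the internet side of your firewall, the following added example (not Qualys code; the function names are hypothetical) attempts a TCP connect to each port and separates "answered" from "no response". It assumes that a refused connection counts as a response in the same way an open port does, and it does not cover the UDP ports or ICMP.

```python
import socket
import sys

# TCP discovery ports copied from the list on this page.
TCP_SPEC = "21-23, 25, 53, 80, 88, 110-111, 135, 139, 443, 445"

def expand_ports(spec):
    """Expand '21-23, 25' into [21, 22, 23, 25]."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP connect attempt as open, closed or filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"        # handshake completed
        except ConnectionRefusedError:
            return "closed"      # RST received: the host still answered
        except OSError:
            return "filtered"    # timeout or unreachable: nothing came back

def discovery_report(host, ports=None, probe=probe_tcp):
    """Probe each port; the host counts as alive if any port answered.
    Assumption: a refused connection is a response, as an open port is."""
    ports = expand_ports(TCP_SPEC) if ports is None else ports
    results = {port: probe(host, port) for port in ports}
    answered = sorted(p for p, state in results.items() if state != "filtered")
    return {"alive": bool(answered), "answered": answered, "results": results}

if __name__ == "__main__":
    # Run from outside the firewall, against an address you are responsible for.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    report = discovery_report(target)
    for port, state in sorted(report["results"].items()):
        print(f"tcp/{port:<5} {state}")
    if report["alive"]:
        print("TCP discovery would get an answer on:", report["answered"])
    else:
        print("No TCP discovery port answered; check ICMP and the UDP ports too")
```

If every port comes back as `filtered`, the firewall is silently dropping the probes, which is the condition that leads to "No Host Alive" unless ICMP or one of the UDP ports answers.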

 

Lastly, since PCI requires both internal and external scanning, a system that cannot be scanned from the external perspective should still be scanned and secured internally, thereby providing the required security of the cardholder data environment.

 

Qualys Support KnowledgeBase

http://community.qualys.com/community/kb
