In recent years, Fortra has acquired three brands (Digital Defense Frontline VM, Alert Logic, and Beyond Security) that are certified as PCI Approved Scanning Vendors (ASV). We are consolidating our scanning into a single Fortra Vulnerability Management (Fortra VM) solution to give customers the best features and capabilities from each of our PCI ASV scanning products. Beyond Security customers were previously migrated and have been using Fortra VM capabilities for PCI scanning for over a year now with great success.
We are now starting the process of migrating Alert Logic Managed Detection & Response (MDR) and Cloud Defender customers to using the self-service PCI ASV capabilities (external network/web application scanning, disputes, and reports) available in Fortra VM at no additional cost.
Note: On April 2, 2024, all Alert Logic MDR and Defender customers will be automatically migrated to the self-service PCI ASV capabilities in Fortra VM at no additional cost.
Below you will find several questions and answers, broken down by the following categories:
Migration
Question | Answer |
When will my account be migrated? |
In March 2024, we enabled specific customers to migrate to the PCI ASV capabilities in Fortra VM at no additional cost. These customers were presented with a wizard in the Alert Logic console that stepped them through setting up their Fortra platform credentials and migrating their existing PCI scan schedules into Fortra VM. On April 2, 2024, all Alert Logic MDR and Defender customers will be automatically migrated to the self-service PCI ASV capabilities in Fortra VM at no additional cost. |
Will this be an effortless migration process? |
The migration process was designed to be straightforward and effortless for customers. Alert Logic conducted several pre-migration staging activities to ensure that customer environments were prepared. Your “External – PCI” scan policies in the Alert Logic console were transferred over to Fortra VM if the status was enabled or was disabled but had run during the previous 90 days. Also, the schedule status and most settings (scan targets, frequency, start time, timezone) were retained. As a precaution to prevent duplicate or unexpected scanning, all PCI ASV scan policies in Alert Logic were disabled after the completed migration. After migration, you can log into Fortra VM to verify the settings and status of your scan groups. Historical data from previous PCI ASV scans, disputes, and reports will still be accessible in the same location in the Alert Logic console. For more details on the migration process, refer to the Migrate to Fortra VM for PCI ASV Scanning documentation. |
Can I opt out of the migration? |
No. Alert Logic PCI ASV certification status will expire in April 2024. As a result, all Alert Logic customers will be required to migrate by April 2, 2024 and use the PCI ASV scanning capabilities in Fortra VM in Q2 2024 and beyond. On April 2, 2024, all remaining Alert Logic MDR and Defender customers will be automatically migrated to the self-service PCI ASV capabilities in Fortra VM at no additional cost. On April 3, 2024, PCI ASV features will be disabled in the Alert Logic console. |
Can I switch to PCI ASV scanning in Fortra VM early? |
Starting in March, specific Alert Logic MDR and Cloud Defender customers who actively use PCI ASV scanning will be eligible to migrate their accounts using a wizard in the Alert Logic console. On April 2, 2024, all remaining Alert Logic MDR and Defender customers will be automatically migrated to the self-service PCI ASV capabilities in Fortra VM at no additional cost. |
Will any of my data be migrated to Fortra VM for me? |
All your active PCI ASV scan policies in the Alert Logic console (current status is enabled or disabled but run in the last 90 days) will be migrated and their status and settings (scan targets, frequency, start time, timezone) will be retained. They will appear as scan groups in Fortra VM. However, notification setting will not be preserved during the migration process. Historical data from previous PCI ASV scans, disputes, and reports will still be accessible in the same location in the Alert Logic console after the migration. |
Are we being migrated to the Frontline PCI Pro program? |
No. Fortra VM has been updated with a self-service subscription that provides the following PCI ASV features to Alert Logic MDR and Cloud Defender customers at no additional cost:
Fortra also offers a PCI Pro solution that provides a fully-managed PCI Scanning program at an additional cost. For more information, refer to the Frontline PCI Pro overview. |
Will all existing functionalities be the same? |
The PCI ASV capabilities in Fortra VM are at parity with or offer improvements to the previous Alert Logic PCI ASV features. However, Fortra VM provides additional features, options, and flexibility to:
For a detailed comparison of PCI ASV features previously available in Alert Logic to features currently available in Fortra VM, refer to this document. |
Will I receive access to other Fortra VM products? |
No, Alert Logic MDR and Cloud Defender customers will only have access to specific PCI ASV scanning features and capabilities. For information on additional Fortra vulnerability management or penetration testing offerings, refer to our solutions overview. |
Which of my users will have access to the PCI ASV feature in Fortra VM. |
Your active users in the Alert Logic console will have access to Fortra VM based on their current user role:
Notification Only users will not be migrated to Fortra VM. |
After the migration is complete, how do I access the PCI ASV scanning in Fortra VM? |
After your account is migrated, the navigation options and pages for PCI ASV Scanning and PCI Disputes in the Alert Logic console will be updated to redirect users to the PCI ASV features in the Fortra VM console. Also, you can navigate directly to the Fortra VM console. Fortra single login credentials are required to access the PCI ASV scanning features in the Fortra VM. Users can authenticate using Fortra credentials to access the Alert Logic console and the Fortra VM console. For information on Fortra single login and identity provider, refer to this article. |
After the migration is complete, will PCI ASV scans immediately start running in Fortra VM. |
All your active PCI ASV scan policies in Alert Logic (current status is enabled or disabled but run in the last 90 days) were migrated and their settings and status will be retained. Scan policies that were disabled in Alert Logic are disabled in Fortra VM and will not run until they are enabled. Scan policies that were enabled in Alert Logic are enabled in Fortra VM and will run based on the specified scan interval and start time. For any PCI ASV scan in Fortra VM to run successfully, you need to ensure your firewalls allow traffic from these originating IP address ranges (US = 3.146.42.96/27 and EU/UK = 13.50.164.192/27. |
What will happen to the PCI scanning module in Alert Logic MDR and Alert Logic Cloud Defender? |
If you migrate to Fortra VM before April 2, 2024, all PCI ASV scan policies will be disabled for your account to avoid duplicate scans. On April 3, 2024, the PCI ASV features in the Alert Logic console are disabled for all customers. Historical data will still be available to view in the Alert Logic console. |
Scans
Question | Answer |
Will PCI scans still originate from the same IP space? |
No. The external network and web application scans will originate from the following IP address ranges allocated to Fortra VM specifically for Alert Logic customers:
You need to ensure your firewalls allow traffic from these originating IP address ranges. |
Which of my existing scan schedules will be migrated? |
All your active PCI ASV scan policies in the Alert Logic console were migrated and appear as scan groups in Fortra VM. The PCI scan policy was migrated if its current status is enabled or if it is disabled but has run in the last 90 days. |
Are there any differences in how to create or manage schedules? |
You can create a scan group for Fortra VM with the “Auto Generate WAS Scans” option to ensure the external network scan and WAS scan execute in the same manner, where the external VM scan runs first, and the results are used to define the scope and initiate the web application scan. Unlike the Alert Logic console, you now have the flexibility to run separate VM and WAS scans, as well as select specific VM and WAS scans when generating the PCI ASV reports. |
Are there any new limitations being introduced in terms of number of targets that can be scanned? |
The self-service subscription for Alert Logic MDR and Cloud Defender customers has limits for up to 500 IPs for external network scans and 25 URLs for web application scans. |
Will the web application scan still automatically run after the external network scan? |
Your Alert Logic PCI ASV scan policies were migrated to Fortra VM as scan groups with the “Auto Generate WAS Scans” option enabled. The “Auto Generate WAS Scans” option ensures that scans are executed in the same manner as Alert Logic, where the external VM scan runs first, and the results are used to define the scope and initiate the web application scan. |
Can I control or adjust the scan speed? |
Yes. You can configure the Scan Speed (slow, normal, quick, fast or very fast) for external network scanning in Fortra VM. By default, the Scan Speed is set at "normal" for all your migrated scan schedules. For Scan Speed definitions, refer to this online help manual. Also, Fortra VM provides customizable options in tuning policies for your scheduled web application scans. |
Can I still stop or pause a PCI scan? |
Yes. You can view VM and WAS scans that are actively running and have the option to stop, pause or resume them. For specific details on managing scans, refer to the Manage Scan Activity section in the Fortra VM PCI ASV Guide for Alert Logic Customers. |
Disputes
Question | Answer |
Are there any differences in how to submit PCI disputes or how disputes are processed? |
When there is a failed PCI ASV scan, the customer can object to or dispute the findings. In the Alert Logic console, the dispute process is based on the scan policy, where all disputed vulnerabilities for a given scan are grouped and managed together. In Fortra VM, the PCI disputes are submitted and managed at the vulnerability level. Customers can submit the dispute, details, and supporting evidence in the Fortra VM console. The PCI Dispute team will respond within 48 hours and then process the disputes, attempt to verify the dispute remotely, engage customers by adding informative comments or requesting additional documentation, and ultimately deny or accept the dispute request. You cannot dispute if the scan is over 90 days and mist run a new scan. Accepted disputes expire at the end of the current quarter or 90 days from the scan, whichever is less. However, you are allowed to re-dispute using the last submission. Disputes are included in the scan report, and customers are not allowed to change the report. For specific details on disputing vulnerabilities, refer to the Dispute Vulnerabilities section in the Fortra VM PCI ASV Guide for Alert Logic Customers. |
Will my previous PCI disputes be migrated into Fortra VM? |
No. However, you can still access historical data in the Alert Logic console. |
Can I still attach files or evidence to PCI disputes? |
Yes. You can select the reason for the dispute, as well as add comments or file attachments to the dispute. For specific details on upload files to disputes, refer to the Upload Files for PCI Disputes section in the Fortra VM PCI ASV Guide for Alert Logic Customers. |
PCI ASV Scan Reports
Question | Answer |
Is the PCI ASV certificate information changing? |
Yes, the ASV certificate number will change for Alert Logic customers. The new certificate number for Fortra is #3763-01-18. On the PCI Security Standards Council website, this certificate is currently listed under HelpSystems LLC but is in the process of being updated to Fortra. |
Will the same PCI ASV reports be available? |
Yes, Fortra VM provides the Attestation of Scan Compliance, Executive Summary, and Vulnerability Details, as well as a detailed CSV. Also, the PCI Documentation Requirements Report and PCI Required Remediation Report are available. |
Are Special Notes still automatically generated? |
Some vulnerabilities from your PCI ASV scans are not failing but require a special note. Unlike the Alert Logic console, the special notes are not automatically generated in Fortra VM. However, Fortra VM allows you to filter for the vulnerabilities that require Special Notes and enter the required declarations that will appear in Section 3b of the official PCI Compliance reports. For specific details on add special notes, refer to the Add 3b Special Notes section in the Fortra VM PCI ASV Guide for Alert Logic Customers. |
Are there any differences in how to create or manage reports? |
You have more flexibility to select specific scans or scan groups when generating the PCI Compliance Reports. You can generate as many reports as you want and warnings will be presented with detailed reasons why the PCI Compliance Report will not be considered passing (e.g. failing vulnerabilities, missing domains). However, to generate the official PCI report with the ASV certification stamp, you must:
For specific details on create PCI reports, refer to the Create Official PCI Compliance Report section in the Fortra VM PCI ASV Guide for Alert Logic Customers. |
Comments
0 comments
Please sign in to leave a comment.