Our security team has been scanning our access points with Qualys and have returned a "non-CVE" finding for firewall bypass (QID: 34000) relating to source port of the TCP session. I saw some other non-CVE findings on the ArubaOS Hardening guide, but did not see this one mentioned.
Raw scan to 20/tcp with source port 80/tcp returns TCP RST:
➜ ~ sudo nmap -sS -p 20 -g 80 <AP IP>
Password:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-05 14:25 EDT
Nmap scan report for<AP IP> (<AP IP>)
Host is up (0.046s latency).
PORT STATE SERVICE
20/tcp closed ftp-data
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw scan to 20/tcp using random source port results in silent discard:
➜ ~ sudo nmap -sS -p 20 -g 12345 <AP IP>
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-05 14:25 EDT
Nmap scan report for<AP IP> (<AP IP>)
Host is up (0.24s latency).
PORT STATE SERVICE
20/tcp filtered ftp-data
Nmap done: 1 IP address (1 host up) scanned in 2.87 seconds
Any reason for the discrepancy?