Open ports may appear in the PCI scan report for several reasons, mainly because other customers sharing the same proxies have requested them.
These ports accept only HTTP/HTTPS traffic. Everything that passes through them is inspected by Cloud WAF, and any non-HTTP/S traffic is discarded.
When you run a PCI compliance scan against your domain, which resolves to the Cloud WAF proxies, the open-port list may show ports that are open on our proxy machines. Those ports are not open on your origin server(s) unless you have requested them, so they are irrelevant to your website.
The scanner uses your website's public DNS configuration, so it resolves to the public IP addresses of our proxies and runs its tests against them, not against your origin.
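The following script is an added example written for this article; it is not Cloud WAF code or any scanner vendor's tool. It shows the triage a site owner can do before replying to the scanning vendor: resolve the scanned hostname, compare each finding's probed address with the proxy addresses that public DNS hands out, and separate the proxy's shared non-web ports from anything that actually touches your own servers. It goes slightly beyond the article by also handling a scan that was pointed at the origin address directly. All hostnames, the CNAME target, the addresses (RFC 5737 documentation ranges) and the findings list are constructed sample data; in real use you would replace `DNS_VIEW` with a live lookup such as `resolve_live()` and load the findings from your scanner's export.

```python
"""Triage PCI scan "open port" findings against a Cloud WAF / CDN deployment.

Added example for this article, not vendor code. DNS answers, addresses and
scan findings below are constructed sample data (RFC 5737 documentation
ranges).
"""
import socket
from dataclasses import dataclass

# Assumption: the site has not requested extra ports, so the proxy terminates
# only HTTP/HTTPS for it.
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    target: str  # hostname or IP the scanner was asked to test
    ip: str      # address it actually probed
    port: int
    proto: str   # "tcp" or "udp"


# Constructed DNS view: the site CNAMEs to the WAF edge, which resolves to
# proxy addresses shared by many customers. Names and IPs are hypothetical.
DNS_VIEW = {
    "www.example.com": {
        "cname": "a1b2c3.x.cloudwaf-edge.example",
        "a": ["203.0.113.10", "203.0.113.11"],
    },
}

# Hypothetical origin address; public DNS never returns it while the site
# is behind the proxy, but a scanner can be pointed at it explicitly.
ORIGIN_IPS = {"198.51.100.5"}


def resolve(target, view=DNS_VIEW):
    """Return (cname, [A records]) for target from the constructed view."""
    rec = view.get(target)
    if rec is None:
        return None, []
    return rec["cname"], list(rec["a"])


def resolve_live(hostname):
    """Live counterpart of resolve() for real use (not exercised offline):
    the addresses the public DNS hands out, i.e. the proxy IPs."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None, socket.AF_INET)})


def classify(f, view=DNS_VIEW, origin_ips=ORIGIN_IPS, web_ports=WEB_PORTS):
    """Bucket one finding.

    proxy-web   : proxy IP on 80/443 tcp; the inspected web listener for the site.
    proxy-other : proxy IP on any other port; serves other tenants and is not
                  open to this origin (the usual PCI scan false positive).
    origin      : the scanner probed the origin address directly; in scope.
    unresolved  : IP is neither a DNS answer nor a known origin; investigate
                  (stale DNS cache, wrong target, or an asset you do not track).
    """
    _, proxy_ips = resolve(f.target, view)
    if f.ip in proxy_ips:
        if f.proto == "tcp" and f.port in web_ports:
            return "proxy-web"
        return "proxy-other"
    if f.ip in origin_ips:
        return "origin"
    return "unresolved"


def triage(findings, **kw):
    """Group findings by bucket. 'proxy-other' is what you explain to the
    scanning vendor together with the WAF's own PCI attestation; 'origin'
    and 'unresolved' need your attention."""
    buckets = {"proxy-web": [], "proxy-other": [], "origin": [], "unresolved": []}
    for f in findings:
        buckets[classify(f, **kw)].append(f)
    return buckets


def actionable(findings, **kw):
    """Findings that concern your own servers rather than the shared proxies."""
    b = triage(findings, **kw)
    return b["origin"] + b["unresolved"]


# Constructed sample report resembling an ASV scan of www.example.com.
SAMPLE_FINDINGS = [
    Finding("www.example.com", "203.0.113.10", 80, "tcp"),
    Finding("www.example.com", "203.0.113.10", 443, "tcp"),
    Finding("www.example.com", "203.0.113.10", 8080, "tcp"),
    Finding("www.example.com", "203.0.113.11", 8443, "tcp"),
    Finding("www.example.com", "203.0.113.11", 53, "udp"),
    Finding("198.51.100.5", "198.51.100.5", 22, "tcp"),   # origin scanned directly
    Finding("192.0.2.77", "192.0.2.77", 3306, "tcp"),     # not in DNS or origin list
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_FINDINGS).items():
        print(f"{bucket:12s} {[(f.ip, f.port, f.proto) for f in items]}")
```

Run with `python3 triage.py` to print the buckets for the constructed report. The point of the split is that only the `origin` and `unresolved` buckets describe hosts you control; the `proxy-other` findings are the shared data-center listeners the article describes and are answered with the provider's attestation rather than with a firewall change.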
Have you considered bringing this information to your PCI Scanning vendor's attention?
We have thousands of customers running the same PCI scan, and many fail for the same reason: open ports. Providing the vendor with our signed PCI compliance certificate and explaining that, as a CDN, we keep many ports open to serve a range of customers should be acceptable. That is how a Cloud WAF and CDN works.
By default, Cloud WAF cannot close these ports or offer an alternative way of scanning your website. As long as the scan targets our CNAME and A records, it is scanning our data centers, and the open ports in question serve thousands of customers and their many sites, applications, and API endpoints. If you need only specific ports open for your site(s), please ask about our Dedicated Network option, which gives you more granular control.
We will be more than happy to explain this to your PCI scanning vendor ourselves if you wish.