Open ports may appear in the report for several reasons, mainly because of other clients' needs.
These ports can be used only for HTTP/HTTPS traffic. All traffic that passes through them is well monitored by Incapsula. All non-HTTP/S traffic is disregarded.
When you run a PCI compliance test on a domain that points to Incapsula proxies, the open port list might point out ports that are open on our proxy machines. These ports are not open to your origin server(s) unless requested, making them completely irrelevant to your website.
The scanner uses the public DNS configuration of your website, so it resolves our records (which represent our proxies) and runs the test on them.
Have you considered bringing this information to your PCI Scanning vendor's attention? We have thousands of customers that are running the same PCI scan (and fail for the same reason, Open Ports). Providing them with our signed PCI compliance certificate and explaining to them that as a CDN we have many ports open for a range of customers should be acceptable. That is how a Cloud WAF & CDN works.
Incapsula is unable to close these ports or provide you with an alternative way of scanning your website. As long as our CNAME and A records are what is scanned, the scan targets our data centers, and the open ports in question serve thousands of customers.
We will be more than happy to explain this to your PCI scanning vendor ourselves if you wish.