Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

How to block UDP port 500

DisconnectedDisconnected Newbie ✭
edited March 18 in Mid Range Firewalls

I have a TZ600 with IPSEC tunnels to two branch locations (other end points are also TZ series). I'm using IKEv2 and shared secrets. On a PCI compliance scan of my main firewall, UDP port 500 is showing open.


How can I close this?

I attempted to address by creating two Address objects:

  • VPNudp500AccessSite1 (external IP of branch1 firewall)
  • VPNudp500AccessSite2 (external IP of branch2 firewall)

I then created the below address group that I put these two objects in

  • UDP500AccessGroupForVPN

After this, I went to the access rules and edited the default VPN rules for the IKE service and changed the 'Any' source to UDP500AccessGroupForVPN. (in theory I'm thinking this will restrict WAN access to ISAKMP ports on the main firewall to only the branch IP addresses).

An internet-based port scanned showed UDP 500 still open|filtered.

I know I can go into diag.html to fully edit the default VPN rules by selecting "Enable the ability to remove and fully edit auto-added access rules" and thus allow me to also restrict the destination, etc..

But I'm further confused by my results because when I disable IPSEC vpn completely (not just a tunnel) I still see UDP 500 is open|filtered (green visual indicator is using nmap) while TCP 500 shows filtered (red indicator)... thus I'm not sure why UDP 500 wouldn't show closed, or at least filtered.

Additionally, neither L2TP nor SSL VPNs are enabled

What am I missing?

Category: Mid Range Firewalls
Reply
Tagged:

Best Answer

  • CORRECT ANSWER
    SaravananSaravanan Moderator
    Accepted Answer

    Hi @DISCONNECTED,

    Thank you for visiting SonicWall Community.

    Could you please check if the WANGroup VPN meant for GVC is enabled? Disabled the complete VPN feature by unchecking the box, Enable VPN and the run the test. The test would show UDP 500 is filtered.

    Likewise access rules, to deal with NAT policies use the checkbox Enable the ability to disable auto-added NAT policy on the diag page of SonicWall to alter the default NAT policies.

    Hope this helps.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

Answers

  • DisconnectedDisconnected Newbie ✭
    edited March 18

    Additionally I've noted that though I've changed the access rules, the Nat policies remained the same. I don't see how I can edit the IKE NAT policies. Suggestions?

  • DisconnectedDisconnected Newbie ✭
    edited March 19

    Hi Saravanan,

    Thanks for your assistance.

    • The WANGroup VPN was & continues to remain disabled.
    • When I disable the VPN completely I still get 500/udp open|filtered isakmp

    This open/filtered confuses me. With the VPN off it completely removes any associated access rules or NAT policies. (Speaking of which, thanks for the heads up for the override for this on the diag.html page).

    The best result I've been able to achieve is the 500/udp open|filtered isakmp

    Associated Access rules:

    Associated Nat Policies (I disabled the auto created ones)

    I've also tried various changes to the IPSEC tunnels. Currently I'm running IKEv2 and 3rd party certificates at each end for authentication and I'm getting the above nmap/zenmap results. Note that the Ports/Host image is the same scan indicating 500/udp open|filtered isakmp.


    Port 500 is being flagged by a PCI compliance scan, so I want to ensure I get it closed.

  • DisconnectedDisconnected Newbie ✭
    edited March 19

    All this said, I went ahead and ran the PCI compliance scan and they are no longer detecting UDP port 500.


    Thus issue solved.


    Thanks

  • SaravananSaravanan Moderator

    Hi @Disconnected,

    Glad to hear that the issue is sorted out now. How did you get to fix the issue? Was it the PCI scan showing approximate result after disabling VPN or you did any specific config change w.r.t VPN on SonicWall?

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • DisconnectedDisconnected Newbie ✭

    Hi Saravanan,

    Thanks for requesting clarification. I apologize it was lacking.

    The issue was fixed by leaving the settings as seen above with the access rules & the NAT rules.

    As mentioned, in zenmap (graphical nmap) I saw the Open|filtered on "Nmap Output" tab, and "Open" on the "Ports/Hosts" tab (both referencing ISAKMP UDP 500). So I was reluctant to run the PCI scan with these results, but out of ideas as to what else I could change to improve the results I was getting via ZENMAP.

    So what happened?

    The next PCI scan came back as "Failed". However, the cause was now due to the 'host was not detected'. To resolve, I enabled ping on the WAN interface & initiated a final PCI scan which confirm a successful PCI compliant scan.


    I didn't run the PCI compliance scan with the main VPN setting disabled. (Though I had tested it with ZENMAP with the VPN disabled). The result I was getting the same as with result as posted (Open|Filtered) on the "Nmap Output" tab and Open on the Ports/Hosts tab.

  • SaravananSaravanan Moderator

    Hi @DISCONNECTED,

    Thanks for your detailed explanation. Appreciate your efforts...

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • EdH1839EdH1839 Newbie ✭

    Being new to Sonicwalls I am still a bit confused. Is there a simple solution to ensuring the Sonicwall will pass PCI compliance when the failure is Port: Udp/500 remote access service detected? I am NOT running any VPN services. Thanks!

  • DisconnectedDisconnected Newbie ✭

    Hi,

    Since your stating the failure is udp port 500, then it sounds like VPN may be enabled (though your not using it).

    Check" Manage" (top of page)> "VPN" (Left side header) "VPN Global Settings" (Top page header)

    Ensure "Enable VPN" is NOT checked.

Sign In or Register to comment.