How to block UDP port 500
I have a TZ600 with IPSEC tunnels to two branch locations (other end points are also TZ series). I'm using IKEv2 and shared secrets. On a PCI compliance scan of my main firewall, UDP port 500 is showing open.
How can I close this?
I attempted to address by creating two Address objects:
- VPNudp500AccessSite1 (external IP of branch1 firewall)
- VPNudp500AccessSite2 (external IP of branch2 firewall)
I then created the address group below and put these two objects in it.
After this, I went to the access rules and edited the default VPN rules for the IKE service and changed the 'Any' source to UDP500AccessGroupForVPN. (in theory I'm thinking this will restrict WAN access to ISAKMP ports on the main firewall to only the branch IP addresses).
An internet-based port scan showed UDP 500 still open|filtered.
I know I can go into diag.html to fully edit the default VPN rules by selecting "Enable the ability to remove and fully edit auto-added access rules", which would also let me restrict the destination, etc.
But I'm further confused by my results, because when I disable IPSEC VPN completely (not just a tunnel) I still see UDP 500 as open|filtered (green visual indicator; I'm using nmap), while TCP 500 shows filtered (red indicator). Thus I'm not sure why UDP 500 wouldn't show closed, or at least filtered.
Additionally, neither L2TP nor SSL VPN is enabled.
What am I missing?