USG20W-VPN UDP Port 500 open

Fitness_Bill
Fitness_Bill Posts: 3  Freshman Member
First Comment
edited April 2021 in Security

I have a USG20W-VPN that is failing PCI Compliance. The scan shows UDP Port 500 as being open. I checked my NAT and security policy and there are no VPN rules setup. I even added a security policy to deny any traffic from the WAN to Port 500. I am using the expert mode through the web interface. I do not use any of the VPN functions of the router. I am not able to remove the IKE service that uses the UDP 500 port. How do I close this port so I can pass my PCI scan?

Thanks for the help,

Bill

All Replies

  • lalaland
    lalaland Posts: 91  Ally Member
    First Answer First Comment Friend Collector Sixth Anniversary

    Hello Fitness_Bill,?

    Just go to "service group" and remove IKE(udp 500) from service group "Default_Allow_WAN_To_ZyWALL" , because the service group is for wan to zywall security policy. it's allowed by default.

    Service group

    3.png


    Security policy

    2.png


  • Fitness_Bill
    Fitness_Bill Posts: 3  Freshman Member
    First Comment

    I made the changes above and removed the IKE from both the IPv4 and IPv6 wan to Zywall. When I go out to and use websites to check the port it says TCP is filtered and the UDP is open/filtered.

  • Fitness_Bill
    Fitness_Bill Posts: 3  Freshman Member
    First Comment

    I went so far to remove all references to IKE and Port 500. Once there were no references to port 500 I removed the service from the list. 

    Host is up.

PORT    STATE         SERVICE

500/tcp filtered      isakmp

500/udp open|filtered isakmp

    This is what I got when I ran the scan using https://www.ipfingerprints.com/portscan.php

    I was only checking Port 500

  • Ian31
    Ian31 Posts: 174  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    edited January 2020

    Hi @ Fitness_Bill,

    The scan result is right for UDP. Since no response packets received.


    You can refer this article of a well known scan program - NMAP.

    https://nmap.org/book/scan-methods-udp-scan.html#scan-methods-ex-udpscan-scanme2

    Table 5.3. How Nmap interprets responses to a UDP probe

    "Unfortunately, firewalls and filtering devices are also known to drop packets without responding. So when Nmap receives no response after several attempts, it cannot determine whether the port is open or filtered."

    The Internet is better guarded now, so Nmap changed in 2004 (version 3.70) to report non-responsive UDP ports as open|filtered instead.


    If you want the test result is "filtered".

    Change your firewall rule action from "deny" to "reject".

    The firewall will reply a "ICMP port unreachable" response.

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)