USG20W-VPN UDP Port 500 open

Fitness_Bill
Fitness_Bill Posts: 3
edited April 2021 in Security

I have a USG20W-VPN that is failing PCI Compliance. The scan shows UDP Port 500 as being open. I checked my NAT and security policy and there are no VPN rules setup. I even added a security policy to deny any traffic from the WAN to Port 500. I am using the expert mode through the web interface. I do not use any of the VPN functions of the router. I am not able to remove the IKE service that uses the UDP 500 port. How do I close this port so I can pass my PCI scan?

Thanks for the help,

Bill

All Replies

  • lalaland
    lalaland Posts: 90, Ally Member

    Hello Fitness_Bill,

    Just go to "Service Group" and remove IKE (UDP 500) from the service group "Default_Allow_WAN_To_ZyWALL", because that service group is used by the WAN-to-ZyWALL security policy and is allowed by default.

    (screenshot: Service group)

    (screenshot: Security policy)


  • I made the changes above and removed IKE from both the IPv4 and IPv6 WAN-to-ZyWALL groups. When I go out and use websites to check the port, they say TCP is filtered and UDP is open|filtered.

  • I went so far as to remove all references to IKE and port 500. Once there were no references to port 500, I removed the service from the list.

    Host is up.

    PORT    STATE         SERVICE
    500/tcp filtered      isakmp
    500/udp open|filtered isakmp

    This is what I got when I ran the scan using https://www.ipfingerprints.com/portscan.php

    I was only checking Port 500

  • Ian31
    Ian31 Posts: 165, Master Member
    edited January 2020

    Hi @Fitness_Bill,

    The scan result is right for UDP, since no response packets were received.


    You can refer to this article from a well-known scan program, Nmap:

    Table 5.3. How Nmap interprets responses to a UDP probe

    "Unfortunately, firewalls and filtering devices are also known to drop packets without responding. So when Nmap receives no response after several attempts, it cannot determine whether the port is open or filtered."

    The Internet is better guarded now, so Nmap changed in 2004 (version 3.70) to report non-responsive UDP ports as open|filtered instead.


    If you want the test result to be "filtered", change your firewall rule action from "deny" to "reject".

    The firewall will then reply with an "ICMP port unreachable" response.
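The difference Ian31 describes (no reply versus an ICMP error) can be reproduced locally. The Python script below is an added example, not code from the original thread or from Zyxel: it sends a minimal ISAKMP header over UDP and classifies the outcome the way Nmap's Table 5.3 does, using three constructed local stand-ins for the router, a port that answers, a port that silently drops the datagram (the "deny" case) and a port that returns ICMP port unreachable (the "reject" case). The ISAKMP header layout follows RFC 2408; the loopback host, the ephemeral ports and the one-header payload are assumptions made for the example.

```python
import errno
import os
import socket
import struct
import threading


def isakmp_probe(initiator_spi=None):
    """Build a bare 28-byte ISAKMP (IKEv1) header, RFC 2408 layout.

    Fields: initiator SPI, responder SPI (zero), next payload (1 = SA),
    version 0x10 (1.0), exchange type 2 (Identity Protection), flags 0,
    message ID 0, total length. No SA payload follows, so this is only a
    constructed probe to elicit a reply or an ICMP error, not a real IKE exchange.
    """
    spi_i = initiator_spi if initiator_spi is not None else os.urandom(8)
    return struct.pack("!8s8sBBBBII", spi_i, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28)


def udp_probe(host, port, payload, timeout=1.0, retries=2):
    """Return (state, data) for a UDP port, using Nmap's naming.

    'open'           a UDP datagram came back
    'closed'         ICMP port unreachable arrived (what a 'reject' rule sends)
    'filtered'       another ICMP unreachable error arrived
    'open|filtered'  nothing came back after all retries (a 'deny'/drop rule)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # A connected UDP socket surfaces ICMP errors for this peer as exceptions.
        s.connect((host, port))
        for _ in range(retries):
            try:
                s.send(payload)
                return "open", s.recv(4096)
            except socket.timeout:
                continue  # no answer: retry, then fall through to open|filtered
            except (ConnectionRefusedError, ConnectionResetError):
                return "closed", b""  # ICMP type 3 code 3 (port unreachable)
            except OSError as e:
                if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                    return "filtered", b""  # other ICMP unreachable codes
                raise
    return "open|filtered", b""


def _start_udp_server(reply):
    """Constructed local stand-in for the router: echo (answers) or stay silent (drops)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        try:
            while True:
                data, peer = srv.recvfrom(4096)
                if reply:
                    srv.sendto(data, peer)
        except OSError:
            pass  # socket closed by demo()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo():
    """Probe the three stand-ins and return the state Nmap would report for each."""
    echo, echo_port = _start_udp_server(reply=True)
    silent, silent_port = _start_udp_server(reply=False)
    # Reserve and release a port so nothing listens there: the kernel answers
    # with ICMP port unreachable, exactly what a 'reject' firewall action does.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    probe = isakmp_probe()
    results = {
        "responds": udp_probe("127.0.0.1", echo_port, probe, timeout=0.5)[0],
        "silent": udp_probe("127.0.0.1", silent_port, probe, timeout=0.3)[0],
        "unreachable": udp_probe("127.0.0.1", closed_port, probe, timeout=0.5)[0],
    }
    echo.close()
    silent.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Running it gives "open" for the port that answers, "open|filtered" for the silent port (a dropped packet looks the same as an unanswered open service, which is why the PCI scan cannot call it closed) and "closed" for the port that returned ICMP port unreachable. Nmap itself reports ICMP type 3 code 3 as closed and the other ICMP unreachable codes (1, 2, 9, 10, 13) as filtered, so the exact state a scanner shows after switching to "reject" depends on which ICMP message the firewall sends.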
