
Blocking UDP 500 to external networks without impacting a site-to-site tunnel

Hello, we’ve had an external PCI compliance scan done on our network. It brought up UDP port 500 being in an open state and visible from external networks. We don’t have any active SSL VPNs besides a site-to-site tunnel going to one of our other branches. 

Is there any way to configure a rule to block complete external access to port 500 while keeping the communications intact for the site-to-site tunnel? Our end goal is to ensure that the tunnel is not visible from the outside. We've attempted to create a black hole IP address for port 500, however this caused a conflict with our existing tunnel and we had to deactivate it.



  • Hi Jeremy,

    Thank you for reaching out to Sophos Community.

    Have you tried creating two consecutive Firewall Rules?

    1st Rule. Allowing UDP Port 500 to only allowed recipients

    2nd Rule. Blocking UDP Port 500 from any sources and any services.

    If you're not using IPsec, then configure your SSL VPN to use any regular port.

    You may refer to the following thread also 

    community.sophos.com/.../how-do-i-close-udp-port-500

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Hello Erick,

    Thanks for the quick reply. We haven't been able to get to the point of working on the exclusion to allow UDP 500 to the second site's firewall/network, as we cannot block UDP 500 in general. I'll provide a screenshot of an example of the rule that we've created to block UDP port 500 altogether. Theoretically, based on the rule description, this should block all traffic to UDP port 500, even the site-to-site tunnel, since the exclusion hasn't been created yet. However, UDP port 500 is still being reflected as "Open" through Nmap and the site-to-site tunnel is still functioning correctly.

    We've also tried the rule with the source zone left set to "WAN", with no difference.

  • Hi,

    Please review the firewall log viewer with a filter on UDP 500 to find which firewall rule is allowing the traffic out or in. The rule blocking the traffic will need to be immediately below your rule allowing the traffic.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

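The two pieces of advice above (Erick's narrow allow rule placed above a catch-all block, and Ian's log filter on UDP 500 to find the rule that is actually letting IKE through) both come down to first-match rule ordering. The following is an added illustration, not code from this thread or from Sophos: a small first-match rule engine that evaluates an IKE probe from the tunnel peer and from an outside scanner under three rule orders, and a log filter that names the rule responsible for an allow. It goes slightly beyond the thread by treating UDP 4500 (IKE NAT-T) the same way as UDP 500. All addresses, rule names and the "legacy" broad allow rule are constructed for the example.

```python
"""First-match rule ordering for IKE (UDP 500/4500): added example, not Sophos code.

Shows why the allow rule for the site-to-site peer must sit above the block
rule, and how a log filtered on UDP 500 reveals which rule is allowing IKE in.
All addresses and rule names are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str                     # CIDR the source address must fall in
    dst: str                     # CIDR the destination address must fall in
    proto: str                   # "udp", "tcp" or "any"
    dports: frozenset | None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dports is None or pkt.dport in self.dports))


def evaluate(rules, pkt, default="deny"):
    """First match wins, as in a firewall rule table; returns (action, rule name)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "implicit default"


def audit(rules, packets):
    """Evaluate every packet and return log-viewer style entries."""
    entries = []
    for pkt in packets:
        action, rule = evaluate(rules, pkt)
        entries.append({"src": pkt.src, "proto": pkt.proto, "dport": pkt.dport,
                        "action": action, "rule": rule})
    return entries


def allowing_rules(log, proto="udp", dport=500):
    """Ian's check: filter the log on UDP 500 and list the rules that allowed it."""
    return sorted({e["rule"] for e in log
                   if e["proto"] == proto and e["dport"] == dport and e["action"] == "allow"})


# Constructed addresses (RFC 5737 documentation ranges).
OUR_WAN_IP = "203.0.113.10"       # this firewall's external address
PEER_WAN_IP = "198.51.100.20"     # the branch firewall at the far end of the tunnel
SCANNER_IP = "192.0.2.77"         # the PCI scanner, or anyone else on the Internet
ANY = "0.0.0.0/0"
IKE_PORTS = frozenset({500, 4500})  # 4500 is IKE NAT-T; the thread only mentions 500

ALLOW_PEER_IKE = Rule("Allow IKE from branch peer", "allow",
                      PEER_WAN_IP + "/32", OUR_WAN_IP + "/32", "udp", IKE_PORTS)
BLOCK_ALL_IKE = Rule("Block IKE from everyone else", "deny", ANY, ANY, "udp", IKE_PORTS)
# Constructed broad rule of the kind that silently shadows a block placed below it.
BROAD_WAN_ALLOW = Rule("Allow WAN to firewall (legacy)", "allow",
                       ANY, OUR_WAN_IP + "/32", "any", None)

RECOMMENDED = [ALLOW_PEER_IKE, BLOCK_ALL_IKE]   # narrow allow first, then the block
REVERSED = [BLOCK_ALL_IKE, ALLOW_PEER_IKE]      # block first: the tunnel peer is dropped too
SHADOWED = [BROAD_WAN_ALLOW, BLOCK_ALL_IKE]     # block never reached: port still shows open


def ike_probe(src):
    """An IKE packet (UDP 500) aimed at our WAN address from the given source."""
    return Packet(src, OUR_WAN_IP, "udp", 500)


def verdicts(rules):
    """Verdict for the tunnel peer and for an outside scanner under one rule order."""
    return {src: evaluate(rules, ike_probe(src)) for src in (PEER_WAN_IP, SCANNER_IP)}


if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED), ("reversed", REVERSED),
                         ("shadowed", SHADOWED)):
        print(label, verdicts(rules))
    log = audit(SHADOWED, [ike_probe(PEER_WAN_IP), ike_probe(SCANNER_IP)])
    print("rules allowing UDP 500:", allowing_rules(log))
```

The "shadowed" order is the situation Ian's log check is meant to uncover: the block rule is correct but never consulted, so the scanner still sees the port as open. When re-testing from outside after reordering, note that Nmap reports UDP 500 as "open" only when it receives a reply to the IKE probe it sends (Nmap ships an IKE payload for udp/500), and as "open|filtered" when nothing answers; the tunnel peer should still negotiate, while an external `nmap -sU -p 500 <wan-ip>` should no longer get a response.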

