Blocking UDP 500 to external networks without impacting a site-to-site tunnel

Question

Hello, we&rsquo;ve had an external PCI compliance scan done on our network. It brought up UDP port 500 being in an open state and visible from external networks. We don&rsquo;t have any active SSL VPNs besides a site-to-site tunnel going to one of our other branches. 
 Is there anyway to configure a rule to block complete external access to port 500 while keeping the communications in tact for the site-to-site tunnel? Our end goal is to ensure that the tunnel is not visible from the outside. We&rsquo;ve attempted to create a black hole IP address for port 500, however this caused a conflict with our existing tunnel and had to deactivate it.

rfcat_vk · Answer

Hi, 
 please review the log viewer firewall with a filter on UDP 500 to find which firewall rule is allowing the traffic out or in. The rule blocking the traffic will need to be immediately below your rule allowing the traffic. 
 Ian

Erick Jan · Answer

Hi Jeremy, 
 Thank you for reaching out to Sophos Community. 
 Have you tried creating two consecutive Firewall Rules? 
 1st Rule. Allowing UDP Port 500 to only allowed recipients 
 2nd Rule. Blocking UDP Port 500 from any sources and any services. 
 If you're not using an IPsec then configure your SSL VPN to any regular port 
 
 You may refer to the following thread also 
 community.sophos.com/.../how-do-i-close-udp-port-500

Blocking UDP 500 to external networks without impacting a site-to-site tunnel

Top Replies