
Block or Blackhole UDP 500 for all except one IP

I have an IPsec VPN to a third-party vendor that the vendor requires us to have. I also have to do PCI scans (Trustwave). Trustwave keeps failing me because UDP 500 is open. What I'm trying to achieve is to have the XG respond on port 500 to the peer IP of the third-party VPN, but drop/ignore/reject/blackhole responses to/from any other IP/host. So far what I've done is create a firewall rule to allow IKE traffic to/from the third-party IP, and then create a rule directly under it to block all IKE traffic. I then run a scan from Trustwave, and it fails because of port 500. I then created a rule directly under the rule that allows only the third-party IP to DNAT it to a bogus IP, and I got the same failing result. So it appears that either that's not the way to do it, or perhaps it's not possible at all. Does anyone know if what I'm trying to do is possible, or have any other suggestions?



  • FormerMember

    Hi  

    Thank you for reaching out to the Community! 

    Could you please provide screenshots of the firewall rules that you have configured to drop UDP 500, and let us know the firmware version of your firewall?

    The blackhole DNAT rule should forward UDP 500 to the bogus IP address, but if you use Any as the source, it might also drop UDP 500 from the peer firewall. To avoid that, you might try adding the IP address of the source from which you are initiating the scan.

    Thanks,
