I have a TZ600 with IPSEC tunnels to two branch locations (other end points are also TZ series). On a PCI compliance scan of my main firewall, UDP port 500 is showing open. I attempted to address this by creating two Address objects:

- VPNudp500AccessSite1 (external IP of branch1 firewall)
- VPNudp500AccessSite2 (external IP of branch2 firewall)

I then created the below address group that I put these two objects in.

After this, I went to the access rules and edited the default VPN rules for the IKE service and changed the 'Any' source to UDP500AccessGroupForVPN (in theory I'm thinking this will restrict WAN access to ISAKMP ports on the main firewall to only the branch IP addresses).

An internet-based port scan showed UDP 500 still open|filtered.

But I'm further confused by my results because when I disable IPSEC VPN completely (not just a tunnel) I still see UDP 500 as open|filtered (green visual indicator; I'm using nmap) while TCP 500 shows filtered (red indicator).

I know I can go into diag.html to fully edit the default VPN rules by selecting "Enable the ability to remove and fully edit auto-added access rules" and thus allow me to also restrict the destination, etc.