Incoming UDP traffic

M270 with v12.7.2

I'm starting to see a flood of dropped incoming traffic on port 33440/udp from external to our public IP address.

How do I not show this (and/or all incoming UDP traffic) in Traffic Monitor?

Comments

  • For a specific UDP port, list or range of ports, you can create a custom packet filter for the port(s), add it as a policy, set to Deny, with Logging disabled.
    For all UDP ports, add the predefined UDP packet filter, as above.

  • edited April 14

    Back in January, I added the predefined UDP packet filter and set it to deny / no logs. I see no more UDP denied packets in the log.

    I just realized I have IKEv2 VPN configured but my users can still connect. IKEv2 uses UDP ports according to the article:

    By default, IKEv2 uses IPSec, which requires UDP ports 500 and 4500, and ESP IP Protocol 50.

    I'm confused why blocking all incoming UDP packets does not affect IKEv2 connection.

  • Fireware has some hidden policies which take precedence over user added policies.
    Some are for incoming IKE & IKEv2.

  • Got it. Thanks for your quick reply.

  • And, you can disable this one in VPN Settings -> "Enable IPSec built-in policy"

  • But that'll break the IKEv2 VPN connection. We use that.

  • Yes.
    My point was that there in fact is a way to turn off this hidden firewall policy, IF desired.
    This is the only hidden policy which I happen to know of which can be turned off.

  • I suppose "Enable IPSec built-in policy" default setting is off. It gets checked/enabled if we configured (IKEv2, L2TP or IPSec) VPNs, right?

  • No, by default it is ON.

    From the docs:

    Disable or Enable the Built-in IPSec Policy

    The Firebox includes a built-in IPSec policy that allows IPSec traffic from Any-External to Firebox. This hidden policy enables the Firebox to function as an IPSec VPN endpoint for Branch Office VPN and Mobile VPN with IPSec tunnels. The built-in IPSec policy has a higher precedence than any manually created IPSec policy. The built-in IPSec policy is enabled by default. To disable this policy, clear the Enable built-in IPSec Policy check box. Do not disable the built-in policy unless you want to create another IPSec policy to terminate a VPN tunnel at a device other than the Firebox, such as a VPN concentrator on the Firebox trusted or optional network.

    If you clear the Enable built-in IPSec Policy check box, you must create IPSec policies to handle inbound VPN traffic to the Firebox and any other VPN endpoints.

  • The only tools which seem to use this port are shown here:
    https://www.speedguide.net/port.php?port=33440

    From the same source IP addr?

  • edited May 2

    I smell spam from where I'm sitting. I like spam, but the real one that we cook. Can a moderator delete the above spam (not Bruce's post, btw) please and block the stinkin' spammer?

  • james.carson (Moderator, WatchGuard Representative)

    Hi @morpheus27
    Got it. Thank you.

    If you see one in the future, click the flag icon under the post and select spam. It flags it for moderation from our IT team that looks over the forum system.

    -James Carson
    WatchGuard Customer Support

  • Got it. Now I know how to report spam.
