Windows Server 2012 R2 - 3 servers
QID - 34020 - UDP Source Port Pass Firewall
I see the solution, but there are no direct instructions on how to resolve. Any help will be appreciated.
The Threat section of this QID reads: Your firewall policy seems to allow UDP packets with a specific source port (for example, port 53) to pass through while it blocks UDP packets to the same destination ports but with a random source port.
I'd like to start by looking at the Result section of this QID in the scan results. This will tell me what ports are causing this QID to be flagged by Qualys.
Next I'll review my firewall rules to see what source UDP ports are being allowed. If my applications don't need these source UDP ports to be open, I'd have them blocked on the firewall.
The default scan settings (Scans > Option Profiles) perform the scan on a small set of UDP ports. To know about all such UDP ports that may make me vulnerable to QID 34020, I'd like to perform a scan on a larger UDP port set.
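One way to do the firewall rule review suggested above, as an added example that is not from this thread or from Qualys: this PowerShell snippet (assuming the NetSecurity module that ships with Windows Server 2012 R2) lists the effective inbound allow rules whose UDP port filter keys on a specific remote port, which for inbound traffic is the sender's source port.

```powershell
# Added example: list effective inbound UDP allow rules that match on a specific
# remote (source) port. Assumes the NetSecurity module on Windows Server 2012 R2.
Import-Module NetSecurity

# ActiveStore shows the rules actually in effect, including any applied by Group Policy.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Direction Inbound -Action Allow

foreach ($rule in $rules) {
    $pf = $rule | Get-NetFirewallPortFilter
    # For an inbound rule, RemotePort is the peer's source port and LocalPort is our destination port.
    if ($pf.Protocol -eq 'UDP' -and $pf.RemotePort -ne 'Any') {
        [pscustomobject]@{
            Rule       = $rule.DisplayName
            Profile    = $rule.Profile
            SourcePort = ($pf.RemotePort -join ',')
            DestPort   = ($pf.LocalPort -join ',')
        }
    }
}
```

A rule listed with a source port such as 53 and a broad destination port (for example "Any") is the kind of rule that produces this finding; a network firewall in front of the servers needs the same review, since the scan cannot tell which device allowed the packet through.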
Is this referring to the Server's firewall settings? Do I make the change on the server? This came up for 3 servers in our environment. But we have 1,000s that are fine.
The following UDP ports responded with either an ICMP (port closed) or a UDP (port open) to our probes using source port of 53, but they did not respond when a random source port (28966) was used; 111 (closed), 17 (closed), 1701 (closed), 11000 (closed), 4156 (closed), 3700 (closed), 1434 (closed), 7 (closed)