01-14-2025 02:48 PM - edited 01-16-2025 08:10 AM
C8000v Version 17.15.1a on VMWare
Does anyone have an Edge device transport hardening guide to meet PCI4.0 compliance?
The 3rd party performing our PCI 4.0 certification said their scans against the public IP fail us on one item:
"Your firewall policy seems to allow UDP packets with a specific source port to pass through while it blocks UDP packets to the same destination ports but with a random source port."
Which relates to this:
From <https://success.qualys.com/discussions/s/question/0D52L00004TnwxRSAR/qid-34020-udp-source-port-pass-firewall>
We've asked TAC for a hardening guide, but need to resolve this asap.
Statements in docs and this forum indicate SD-WAN is PCI compliant; I assume that means 'out of the box'?
According to the tester having 'some' ports flagged open/filtered is a concern for the certification. A packet capture on the device shows it is not responding.
Edit: I had the nmap command and output incorrect from the vendor's concern.
Their provided nmap example is as follows:
nmap -sU -p 111,101,137,21862,135,3527,13,1812,7,1434 -Pn -g 63082 <ip>
sudo nmap -sU -Pn --source-port 53 -p 7,13,53,111,135,137,1434,1701,1812,3527,21862 <ip>
PORT STATE SERVICE
7/udp closed echo
13/udp closed daytime
53/udp closed domain
101/udp open|filtered hostname
111/udp closed rpcbind
123/udp open|filtered ntp
135/udp closed msrpc
137/udp closed netbios-ns
1434/udp closed ms-sql-m
1812/udp closed radius
3527/udp closed beserver-msg-q
21862/udp closed unknown
What is interesting is that on subsequent scans the open|filtered ports are different.
Regards,
John
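One way to check the finding locally, as an added example that is not from the original thread or from Cisco: it parses two nmap -sU runs against the same host, one with --source-port 53 (as in the vendor's command) and one with a random source port, and reports the ports whose state differs between them. The nmap output samples below are constructed, not the poster's real results.

```python
import re

# Constructed sample nmap -sU output (not the poster's real results):
# first run with --source-port 53, second run with a random source port.
SCAN_SOURCE_PORT_53 = """\
PORT      STATE         SERVICE
7/udp     closed        echo
53/udp    closed        domain
111/udp   closed        rpcbind
123/udp   open|filtered ntp
1812/udp  closed        radius
"""
SCAN_RANDOM_SOURCE_PORT = """\
PORT      STATE         SERVICE
7/udp     closed        echo
53/udp    open|filtered domain
111/udp   closed        rpcbind
123/udp   open|filtered ntp
1812/udp  open|filtered radius
"""

# Matches nmap port-table rows such as "53/udp  open|filtered domain".
PORT_LINE = re.compile(r"^(\d+)/udp\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_udp_states(nmap_text):
    """Map each scanned UDP port number to its nmap state string."""
    return {int(port): state for port, state, _svc in PORT_LINE.findall(nmap_text)}


def source_port_differential(fixed_src_text, random_src_text):
    """Return (port, state_with_fixed_source_port, state_with_random_source_port)
    for every port whose state differs between the two runs.

    In nmap's UDP scan, 'closed' means an ICMP port-unreachable came back (the
    probe reached the host), while 'open|filtered' means nothing came back.
    A port that is 'closed' from source port 53 but 'open|filtered' from a
    random source port is the pattern the QID 34020 finding describes.
    A port silent in both runs is not flagged; as the poster observed,
    open|filtered ports can vary between runs, so repeat the scans before
    treating a single differential as a firewall exception."""
    fixed = parse_udp_states(fixed_src_text)
    rnd = parse_udp_states(random_src_text)
    return sorted(
        (port, fixed[port], rnd[port])
        for port in fixed
        if port in rnd and fixed[port] != rnd[port]
    )


if __name__ == "__main__":
    for port, fixed_state, random_state in source_port_differential(
        SCAN_SOURCE_PORT_53, SCAN_RANDOM_SOURCE_PORT
    ):
        print(f"{port}/udp: source port 53 -> {fixed_state}, random source port -> {random_state}")
```

Feed it the saved text of two real nmap runs instead of the constructed samples to see which ports your own transport interface treats differently.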
01-15-2025 11:08 PM
Hi,
You may use an explicit access-list if you want to harden/limit ports on the interface.