Vigor2862Ln 3.9.0_BT

Dear All,
I tried limiting access to 4431 to my IP but it is still showing as open in a remote (via VPN) nmap scan (and failing a PCI scan)… Why?
In SSL VPN >> General Setup I have changed the SSL VPN port to 4431
In VPN and Remote Access >> Remote Access Control Setup NO services are enabled.
No NAT Open Ports or Port Redirection does anything with 4431.
No Firewall rule allows 4431

How do I use Firewall >> Diagnose ?
I cannot get it to show a 'processed' for anything with Mode TCP (v4) direction "From WAN"..
Src IP / port - a combination I know is allowed in e.g. 1.2.3.4 / 22222
Dst IP / port - a combination I know is allowed to from above 192.168.0.123 / 22
It always says "the packet is not handled by the firewall"... even if 1.2.3.4 / 22222 is port redirected to 192.168.0.123 / 22 and works (OK, not defined in firewall, but...)
I want to find what is allowing 4431 to be open.. would a command line query be better?
AHH.. setting SSL VPN port to 443 (default) showed both 443 & 4431 open.
Rebooted.. still both 443 & 4431 !!

Help Please..