Hello,
If it is an ISG1000 or ISG2000 or NS5200 or NS5400, you can use following command:
set cpu-protection blacklist id (source-IP or range/subnet) (destination-IP or range/subnet) protocol 17 dst-port 500
e.g.
set cpu-protection blacklist id 1 1.1.1.0/24 2.2.2.1/32 protocol 17 dst-port 500
If it is a branch device (i.e SSG5, SSG20, SSG300 or SSG500 series), then unfortunately upstream device needs to block this.
Regards,
Rushi