_martin_
Staff
February 2, 2026

Technical Tip: Disabling PPTP (TCP/1723) exposure on FortiGate public interfaces

Description

This article describes how to:

  • Confirm whether PPTP features are enabled (server or client behavior).

  • Disable PPTP exposure on the Internet-facing interface(s).

  • (Optional hardening) Block PPTP on the local-in plane using local-in-policy.

  • Validate the change and collect quick troubleshooting evidence.

Scope

FortiGate.

Solution

Some vulnerability scanners report TCP/1723 (PPTP) as 'open' on FortiGate public interfaces. On a FortiGate this can happen even if firewall policies denying TCP/1723 have already been created, because firewall policies control transit traffic, while PPTP scans usually target services terminating on the FortiGate itself (local-in traffic).


PPTP is a legacy VPN technology and is widely considered weak compared to modern alternatives (e.g., IPsec/IKEv2, SSL-VPN, ZTNA). If PPTP is not in use, disabling it:

  • Reduces attack surface on the WAN/public IP.

  • Prevents recurring audit/scan findings for TCP/1723.

  • Avoids accidental enablement and unexpected exposure.


Note: PPTP typically uses TCP/1723 for the control channel plus GRE (IP protocol 47) for the tunnel. To fully suppress PPTP exposure, address both.


Step 1: Check if PPTP client settings are enabled on the WAN interface:
show full-configuration system interface <wan_interface_name>


Step 2: Check if the PPTP server (dialup) is enabled globally:


show full-configuration vpn pptp


Step 3: Disable the PPTP server:


config vpn pptp
    set status disable
end
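As an added hardening example that is not part of the original article, the optional local-in-policy mentioned in the Description can deny both halves of PPTP (TCP/1723 control and GRE tunnel) before they reach services on the FortiGate itself; it assumes the public interface is named wan1 and uses the predefined PPTP and GRE services:

```text
# Added example, not from the original article. Assumes the public interface is "wan1".
# Denies inbound PPTP control (TCP/1723) and GRE (IP protocol 47) addressed to the FortiGate.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "PPTP" "GRE"
        set schedule "always"
        set action deny
        set status enable
    next
end
```

Confirm that no other GRE-based service (for example a GRE tunnel) terminates on the same interface before denying GRE there. Re-run the Step 1 and Step 2 checks afterwards and verify on the box with a sniffer such as `diagnose sniffer packet wan1 'tcp port 1723 or proto 47' 4` while the scanner runs.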