Technical Tip: How to block open ports
Description
This article describes how to block open ports on the FortiGate.
Scope
FortiGate.
Solution
Below are some example ports/protocols that are opened by design.
Ports.
500 & 4500 - VPN
1144 - AeroScout
3799 - RADIUS dynamic Auth
520 - RIP
3784 - BFD Control Protocol
Protocols.
2 - IGMP (Internet Group Management)
89 - OSPFIGP
112 - VRRP
103 - PIM (Protocol Independent Multicast)
To identify open TCP and UDP ports on the FortiGate, use the command below to list ports and the associated FortiOS process.
diagnose sys tcpsock <----- TCP listening ports.
0.0.0.0:10400->0.0.0.0:0->state=listen err=0 socktype=4 rma=0 wma=0 fma=0 tma=0 inode=54539 process=197/authd
0.0.0.0:10500->0.0.0.0:0->state=listen err=0 socktype=4 rma=0 wma=0 fma=0 tma=0 inode=54545 process=197/authd
0.0.0.0:5060->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=3895 process=211/voipd
0.0.0.0:5060->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=3888 process=211/voipd
...
diagnose sys udpsock <----- UDP listening ports.
127.0.0.1:1024->127.0.0.1:701 state=established txq=0 rxq=0 uid=0 inode=3395335 process=216/hatalk
127.0.0.1:1025->127.0.0.1:701 state=established txq=0 rxq=0 uid=0 inode=3418783 process=376/updated
0.0.0.0:2055->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=2878 process=246/flcfgd
0.0.0.0:53->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=52246 process=235/dnsproxy
...
More on this topic can be found in the following KB article: View-which-ports-are-actively-open-and-in-use.
If the port does not appear in the output of the commands above, search the configuration for the port number with the following CLI command:
show full | grep -f <port_number>
The output also shows where in the configuration the port is referenced.
Example as per the attached screenshot for SAML port 1001.

For example, if the RIP protocol is not used, create a service for the specific port and create a local-in policy with the corresponding service.
Blocking ports manually.
To block any port, follow the steps below to add a local-in policy to deny traffic.
- Create a service with the port.
config firewall service custom
edit "RIP"
set category "General"
set udp-portrange 520
next
end
- Add a local-in policy referencing the service:
config firewall local-in-policy
edit <index>
set intf "any"
set srcaddr "all"
set dstaddr "all"
set service "RIP"
set schedule "always"
set action deny
next
end
Local-in policies are used to close open ports or otherwise restrict access to FortiGate. If misconfigured, a local-in policy can block administrator SSH or HTTPS access.
Note: In the above local-in-policy, it is possible to block multiple services using the same rule, following the format below:
config firewall local-in-policy
edit <index>
set service "RIP" "BGP" "OSPF"
next
end
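The two steps above (find what is listening, then build the service and the deny local-in policy) can be automated. The following is an added example, not part of the KB article and not Fortinet code: it parses the `diagnose sys tcpsock` / `diagnose sys udpsock` output format shown earlier, keeps only the sockets that are reachable from an interface, compares them with an allow-list of ports the administrator intends to expose, and renders the FortiOS CLI for the rest. The socket lines are constructed from the article's examples plus two constructed UDP listeners (520 and 3784); the allow-list, the service names and the policy index are assumptions to adapt per device.

```python
"""
Added example (not from the KB article): turn FortiGate socket listings into
a local-in deny policy for unexpected listeners.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the article plus two constructed
# UDP listeners (520/ripd and 3784/bfdd) so the allow-list has something to flag.
TCPSOCK_SAMPLE = """\
0.0.0.0:10400->0.0.0.0:0->state=listen err=0 socktype=4 rma=0 wma=0 fma=0 tma=0 inode=54539 process=197/authd
0.0.0.0:10500->0.0.0.0:0->state=listen err=0 socktype=4 rma=0 wma=0 fma=0 tma=0 inode=54545 process=197/authd
0.0.0.0:5060->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=3895 process=211/voipd
0.0.0.0:5060->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=3888 process=211/voipd
...
"""
UDPSOCK_SAMPLE = """\
127.0.0.1:1024->127.0.0.1:701 state=established txq=0 rxq=0 uid=0 inode=3395335 process=216/hatalk
127.0.0.1:1025->127.0.0.1:701 state=established txq=0 rxq=0 uid=0 inode=3418783 process=376/updated
0.0.0.0:2055->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=2878 process=246/flcfgd
0.0.0.0:53->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=52246 process=235/dnsproxy
0.0.0.0:520->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=3001 process=251/ripd
0.0.0.0:3784->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=3002 process=252/bfdd
...
"""

# Assumption: the (proto, port) pairs the administrator wants to keep reachable.
ALLOWED = {("tcp", 10400), ("tcp", 10500), ("tcp", 5060), ("udp", 53), ("udp", 2055)}

# tcpsock lines use "->state=", udpsock lines use " state="; both end with process=PID/name.
SOCK_RE = re.compile(
    r"^(?P<lip>[\d.]+):(?P<lport>\d+)->(?P<rip>[\d.]+):(?P<rport>\d+)"
    r"(?:->)?\s*state=(?P<state>\w*).*?process=(?P<pid>\d+)/(?P<proc>\S+)"
)


@dataclass(frozen=True)
class Listener:
    proto: str  # "tcp" or "udp"
    port: int
    process: str


def parse_sockets(output: str, proto: str) -> list:
    """Return the network-reachable listening sockets in one command's output."""
    found = set()
    for line in output.splitlines():
        m = SOCK_RE.match(line.strip())
        if not m:
            continue  # command echo, '...' continuation or unparsable line
        if m["lip"].startswith("127."):
            continue  # bound to loopback only; not reachable from an interface
        if proto == "tcp" and m["state"] != "listen":
            continue  # an accepted connection, not a listening socket
        if proto == "udp" and (m["rport"] != "0" or m["state"]):
            continue  # connected UDP socket (local IPC), not a listener
        found.add(Listener(proto, int(m["lport"]), m["proc"]))
    return sorted(found, key=lambda l: (l.proto, l.port))


def unexpected_listeners(tcp_output: str, udp_output: str, allowed: set) -> list:
    """Listeners that are not on the allow-list, TCP first, then UDP."""
    listeners = parse_sockets(tcp_output, "tcp") + parse_sockets(udp_output, "udp")
    return [l for l in listeners if (l.proto, l.port) not in allowed]


def service_name(l: Listener) -> str:
    return f"BLOCK_{l.proto.upper()}_{l.port}"  # assumed naming convention


def render_block_config(listeners: list, index: int) -> str:
    """FortiOS CLI: one custom service per listener, one deny local-in policy."""
    if not listeners:
        return ""
    lines = ["config firewall service custom"]
    for l in listeners:
        lines += [f'    edit "{service_name(l)}"',
                  '        set category "General"',
                  f"        set {l.proto}-portrange {l.port}",  # udp-portrange / tcp-portrange
                  "    next"]
    lines.append("end")
    names = " ".join(f'"{service_name(l)}"' for l in listeners)
    lines += ["config firewall local-in-policy",
              f"    edit {index}",  # assumption: index free on the device
              '        set intf "any"',
              '        set srcaddr "all"',
              '        set dstaddr "all"',
              f"        set service {names}",
              '        set schedule "always"',
              "        set action deny",
              "    next",
              "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    todo = unexpected_listeners(TCPSOCK_SAMPLE, UDPSOCK_SAMPLE, ALLOWED)
    for l in todo:
        print(f"unexpected: {l.proto}/{l.port} ({l.process})")
    print(render_block_config(todo, index=1))
```

Review the generated CLI before pasting it: the allow-list must include every port the administrators themselves rely on, since a local-in deny on the management port locks out the session that applied it.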
Note: From v7.6.0, it is possible to create a local-in policy from the GUI under Policy & Objects -> Local-In Policy -> Create New.