Technical Tip: How to disable TCP ports 8008, 8010, 8015, and 8020 on VIP

Description

This article describes how to disable the FortiGuard used ports 8008, 8010, and 8020 from being exposed externally when using static NAT.

Explanation regarding these ports:

• Port 8008 is used by the FortiGate to authenticate with FortiGuard when an HTTP override request occurs (FortiGuard web filter HTTP override authentication).
• Port 8010 is used by FortiGate to authenticate with FortiGuard when an HTTPS override request occurs (FortiGuard web filter HTTPS override authentication).
• Port 8015 is used by the FortiGate to authenticate with FortiGuard when a HTTPS override request occurs in flow mode (FortiGuard web filter https override authentication).
• Port 8020 is used by the FortiGate for FortiGuard web filter warning authentication.

Also for other ports used by FortiGuard or others, we can use the solutions below.

When static NAT is configured to publish service port other than HTTPS with proxy inspection-mode UTM enable results in opening ports 8008, 8010, and 8020.  Port 8015 is opened if flow-based inspection mode is used. (FortiGuard) to external, below is the sample of configuration :

config firewall vip
    edit "Email_Web"
        set extip 10.56.243.92
        set extintf "any"
        set mappedip "10.1.0.67"
    next
end

config firewall policy

    edit 2
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Email_Web"
        set action accept
        set schedule "always"
        set service "ALL_ICMP" "SMTP"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set emailfilter-profile "default"         
        set ips-sensor "default"
        set logtraffic all
        set fsso disable
    next

Scope

FortiGate.

Solution

1. Create a new certificate ssl-ssh-profile called 'custom' or any preferred name with HTTPS disabled.

config firewall ssl-ssh-profile
    edit "custom"
        config https
            set status disable
        end
        config ftps
            set ports 990
            set status deep-inspection
        end
        config imaps
            set ports 993
            set status deep-inspection
        end
        config pop3s
            set ports 995
            set status deep-inspection
        end
        config smtps
            set ports 465
            set status deep-inspection
        end
        config ssh
            set ports 22
            set status disable
        end
end

2. Apply the newly created ssl-ssh-profile above to affect policy:

config firewall policy

    edit 2
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Email_Web"
        set action accept
        set schedule "always"
        set service "ALL_ICMP" "SMTP"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "custom"<-
        set emailfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
        set fsso disable
    next

If the same VIP is hosting HTTPS service, an additional firewall policy is required above the existing policy as in the below example.

config firewall policy
    edit 3
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Email_Web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
        set fsso disable
    next

Solution 2:

1. Create a Firewall policy with set match-vip enabled and specific custom service:

config firewall service custom

    edit "8010"
       set tcp-portrange 8010
    next

config firewall policy
    edit 6
        set name "blockvip"
        set uuid c95523f6-0cc2-51ec-9088-bd948d796fe5
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "8010" <-
        set logtraffic disable
        set match-vip enable <-
    next

 
Refer to Troubleshooting Tip: VIP traffic not matching the firewall policy with an 'all' destination for more information on the option 'set match-vip enable'.

It is possible to check on the debug flow matching the denied Firewall Policy:

id=20085 trace_id=1 func=iprope_fwd_auth_check line=803 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-6"
id=20085 trace_id=1 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 6)"<-

Note:

After closing the VIP ports 8008, 8010, 8015, and 8020 make sure the tests are done from a computer that is not behind another FortiGate as FortiGate will intercept the traffic causing a false positive result.

If it requires to be done behind another FortiGate, it is necessary to disable those ports by 'set close-ports enable temporarily' and disable it back once testing is completed.

If the firewall is running in NGFW mode and the port has been changed to 9015:

    config webfilter fortiguard
        set ovrd-auth-port-https-flow 9015<-
    end

The device located behind the firewall which is accessible at  https://1.1.1.1:8015, is blocked by Web Filter Block Override.

From the test, port 8015 should be open in the following cases:

1. NGFW mode.
2. Flow-mode web filter override/warning/authentication is enabled.
3. Embed image is disabled and:

• SSL inspection is enabled in flow mode with a web filter or Application Control
• SSL deep inspection is enabled in flow mode with at least one of the flowing UTM profiles:
  • DLP sensor with HTTPS scan.
  • File filter profile with HTTPS scan.
  • AV profile with antivirus scan enabled.

For more information regarding the use of the command set match-vip, see these articles:

Technical Tip: DENY Policy for Virtual IP Firewall Policy

Technical Tip: Firewall does not block incoming (WAN to LAN) connection even though deny policy