Skip to main content
abarushka
Staff
abarushka
Staff
August 27, 2019

Technical Tip: List of open ports due to UTM inspection in proxy

  • August 27, 2019
  • 0 replies
  • 24373 views

Description

 

This article describes why some ports are opened once traffic hits the firewall policy with UTM profiles in proxy inspection mode, even though they are closed on the server side.

 

Scope

 

Any supported version of FortiGate.

Solution

 

Topology.
Scenario A:

The user is protected by FortiGate and runs a port scan (for example, NMAP) against the server on the internet.

 

 
Scenario B:
The server is protected by FortiGate (the server has a public IP address, and VIP is not used), and the user is running a port scan (for example, NMAP) against the server.

 
During a security audit, the engineer may find some ports open even though they are closed on the server side or even if the server does not exist. This may occur because traffic hits the firewall policy with UTM security profiles in proxy mode.
 
If the UTM security profile is in proxy mode, there will be 2 sessions established between the user and FortiGate and between FortiGate and the server. FortiGate will send a (SYN ACK) packet to the client immediately without waiting for a (SYN ACK) packet from the server.
 
See the diagram below:
 
 
A list of inspected/open ports can be set under the following:
 
In the CLI:
 
config firewall profile-protocol-options
 
In the GUI:
Go to Policy & Objects -> Proxy Options or Policy & Objects -> Protocol Options in v7.4 and above.
 
All ports configured will be scanned, and FortiGate will send (SYN ACK) packets for all selected ports regardless of whether they are open on the server side.
 
 
Moreover, extra ports can be opened when deep inspection is in effect.
The list of open ports can be configured under the following:
 
In the CLI:
 
config firewall ssl-ssh-profile
 
In the GUI:
 
Go to Security Profiles -> SSL/SSH Inspection.
 
All ports set will be scanned, and FortiGate will send (SYN ACK) packets for all selected ports regardless of whether they are open on the server side.
 

 
 

The `diagnose sys tcpsock` command lists all TCP ports on which the FortiGate is listening (listening sockets), along with the responsible processes.

However, the presence of a socket in "listen" state does not necessarily imply that the device is accepting external connections on those ports.

 
See examples below. Output may differ depending on the environment.

No UTM in proxy inspection mode or UTM in flow inspection mode:
 
nmap <server IP addres> -Pn
Not shown: 993 filtered ports
PORT     STATE  SERVICE
53/tcp   open   domain
113/tcp  closed  ident
541/tcp  open    uucp-rlogin
1443/tcp open   ies-lm
2000/tcp open   cisco-sccp
5060/tcp open   sip
8008/tcp open   http
 
UTM in proxy inspection mode without deep inspection and default 'Proxy Options':
 
nmap <server IP addres> -Pn
Not shown: 987 filtered ports
PORT     STATE  SERVICE
21/tcp   open     ftp
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
110/tcp  open    pop3
113/tcp  closed  ident
115/tcp  open    msrpc
143/tcp  open    imap
541/tcp  open    uucp-rlogin
1443/tcp open   ies-lm
2000/tcp open   cisco-sccp
5060/tcp open   sip
8008/tcp open   http
 
UTM in proxy inspection mode with deep inspection:
 
nmap <server IP addres> -Pn
Not shown: 993 filtered ports
Not shown: 982 filtered ports
PORT     STATE  SERVICE
21/tcp   open     ftp
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
110/tcp  open    pop3
113/tcp  closed  ident
143/tcp  open    imap
443/tcp  open    https
465/tcp  open    smtps
541/tcp  open    uucp-rlogin
990/tcp  open    ftps
993/tcp  open    imaps
995/tcp  open    pop3s
1443/tcp open   ies-lm
2000/tcp open   cisco-sccp
5060/tcp open   sip
8008/tcp open   http
8010/tcp open   xmpp

 

From v6.4 and above, the 'Proxy Option' changes to 'Protocol Option'. If the firewall policy uses the default Protocol Option with proxy-based inspection, the following ports will be shown as open when doing a port scan:

 

image.png

 

It is possible to create a custom protocol option to disable these port inspections.

 

When flow inspection is in effect, FortiGate will not send a (SYN ACK) packet to the client before receiving a (SYN ACK) packet from the server.

Note:

FortiGate does not respond to traffic destined to these internal ports, although the socket state indicates listening, unless these ports are configured or enabled for other purposes, such as FortiGate GUI administration or FTP Virtual IP configuration (In case of port 21 detected by the scanner).

    Terms & ConditionsAccessibility statement