Skip to main content
wcruvinel
Staff
wcruvinel
Staff
May 28, 2025

Technical Tip: Regularly audit and restrict open ports on FortiGate public interfaces

  • May 28, 2025
  • 0 replies
  • 2152 views
Description

This article describes the risks of keeping unnecessary TCP or UDP ports open on FortiGate public IPs.

It also explains how to check which ports are open or exposed to the Internet and how to block those that are not needed.

Regularly monitoring and reviewing these ports and blocking any that are not truly necessary helps improve security and reduce the risk of unauthorized access, denial-of-service attacks, or system compromise.
Scope FortiGate.
Solution

Common Open Ports and Associated Risks:

Leaving the following ports open on FortiGate public IPs significantly increases the attack surface.
These ports are frequently targeted by automated internet-wide scans and attacks.

 

High-Risk Ports and Services:

 

Port
Protocol
Service
Risk Summary
21 TCP FTP Plaintext credentials, brute-force attacks, and directory traversal vulnerabilities.
22 TCP SSH Brute-force/dictionary attacks, remote root access risk, and high CPU usage under scanning.
23 TCP Telnet Unencrypted, exploited by botnets (e.g., Mirai), and an outdated protocol.
80 TCP HTTP Vulnerable web interfaces, XSS/SQLi attacks, and HTTP flood DoS.
443 TCP HTTPS/SSL VPN SSL VPN brute-force, CVEs (e.g., CVE-2018-13379), TLS renegotiation DoS.
179 TCP BGP Brute-force/crash FortiGate through session spoofing or denial-of-service attacks.
3389 TCP RDP Entry point for ransomware, brute-force, and remote code execution.
5060 UDP/TCP SIP (VoIP) SIP flood, SPIT, brute-force registration attempts.
2000 TCP Cisco SCCP VoIP DoS, unnecessary exposure, adds surface for attacks.

 

Technical Impact on FortiGate:

  • High CPU usage:
    Each unsolicited connection attempt (especially on HTTPS, SSH, SIP) consumes resources due to:

    • Session state tracking.

    • TLS/SSH handshakes.

    • Deep packet inspection.

    • This can lead to CPU spikes that impact protocols processed in software (for example, PPPoE), potentially causing resource exhaustion or triggering conserve mode.

  • Service degradation:

    • SSL VPN users disconnected.

    • GUI/Admin unreachable.

    • Delays and dropped sessions.

    • DoS on management or VoIP services.

 

Examples of how to check exposed ports, the consequences, and how to mitigate them:

  1. Checking exposed ports on FortiGate (Linux Kali was used).

 

nmap <IP FortiGate>


scan.jpg

 

  1. If a malicious actor has this information, see how a simple hping3 flood can affect the service in case the FortiGate is not properly hardened. (used Linux Kali).

To test denial-of-service attacks for ethical testing, simulating traffic patterns, and crafting custom TCP/IP packets for protocol analysis, a tool such as hping3 can be used to generate traffic.

 

https://linux.die.net/man/8/hping3

 

sudo hping3 -S -p 2000 --flood <IP FortiGate>

 

flood.gif

 

  1. See Hardening for key steps to harden and maintain the highest possible security for the FortiGate:

 

  1. The following are more recent articles that explain how to restore GUI accessibility and mitigate conserve mode when it is caused by flood or scan attacks.

 

Conclusion:

Each unnecessary TCP/UDP port that is open/exposed represents a potential entry point for exploitation.

Regular scanning, restriction, and closure of unnecessary ports are critical measures for maintaining a secure and resilient environment.


These actions not only help prevent data breaches but also contribute to consistent performance, even under scanning or attack attempts.


Implementing preventive security controls is more cost-effective than responding to incidents. FortiGate hardening should be prioritized.
      Terms & ConditionsAccessibility statement