Drax658
New Member
May 6, 2025
Question

Fortigate negotiating on port 853 despite DNS over TLS being disabled

Hello,

We have implemented a vulnerability scanner in our organization, which has detected, among other things, that our FortiGates are listening on port 853 and are presenting themselves with a certificate, which is called "Fortinet_Factory" in the Fortigate web UI. Could you tell me if it is normal that this port is open despite the fact that DNS over TLS is disabled on the device? What other service could be listening on this port? The policy of my organization is to remove all vulnerabilities, so a vulnerability related to the fact that a certificate is not recognized or that a negotiation has occurred using a set of ciphers considered by the scanner as insecure must be eliminated. Thank you in advance for your help.

2 replies

adambomb1219
SuperUser
May 6, 2025

Is the FortiGate running as a DNS server?

Drax658 (Author)
New Member
May 7, 2025

Yes, it is running as a primary DNS server for all devices in my organization.

adambomb1219
SuperUser
May 19, 2025

Ouch... Why?

sw2090
SuperUser
May 6, 2025

If you have apple devices behind your FGT and use the FGT as DNS you will need DNS over TLS :)

If not you could disable it in the DNS Settings.
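The thread leaves open how to confirm, independently of the scanner, that the listener on 853 really is the FortiGate's DNS-over-TLS (RFC 7858) service and which certificate it presents. The following is an added example, not code from this thread or from Fortinet: it frames one DNS query with the 2-byte length prefix DoT requires, sends it over TLS, decodes the reply header, and records the TLS version, cipher and certificate fingerprint. The query name `example.com.` and the fixed transaction ID are assumptions of the example.

```python
import hashlib
import socket
import ssl
import struct
QID = 0x1234  # fixed transaction ID so the reply can be matched (assumed value)

def build_dot_query(name: str) -> bytes:
    """DNS A query for `name`, with the 2-byte length prefix DoT/TCP requires."""
    header = struct.pack("!HHHHHH", QID, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    msg = header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def parse_dot_response(framed: bytes) -> dict:
    """Check the length prefix and decode ID, QR bit, RCODE and ANCOUNT."""
    if len(framed) < 14:
        raise ValueError("frame too short for a DNS header")
    (length,) = struct.unpack("!H", framed[:2])
    if length != len(framed) - 2:
        raise ValueError("length prefix does not match payload size")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", framed[2:14])
    return {"id_ok": qid == QID, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full DNS frame arrived")
        buf += chunk
    return buf

def probe_dot(host: str, port: int = 853, name: str = "example.com.") -> dict:
    """TLS-connect to host:port, record what is presented, send one DoT query."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inspection only: we want the cert even if untrusted
    with socket.create_connection((host, port), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            tls.sendall(build_dot_query(name))
            prefix = _recv_exact(tls, 2)
            (length,) = struct.unpack("!H", prefix)
            info = parse_dot_response(prefix + _recv_exact(tls, length))
            info.update({"tls_version": tls.version(), "cipher": tls.cipher(),
                         "cert_sha256": hashlib.sha256(der).hexdigest()})
            return info
```

Run `probe_dot("<fortigate address>")` against the interface the scanner flagged: a decoded reply with `is_response` True confirms the listener is the DNS-over-TLS service rather than something else on 853, and `cert_sha256` can be matched against the certificate the scanner recorded.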