Skip to main content
nonpe
nonpe
Explorer
December 23, 2025
Solved

Is It Possible to Implement Port Knocking on FortiGate Firewall?

  • December 23, 2025
  • 1 reply
  • 498 views

Hello,

In one of the company’s offices, we are planning to completely replace the hardware equipment, which includes the following:
FortiGate-120G Hardware
I am looking for advice and community experience regarding the possibility of implementing a port knocking mechanism on a FortiGate firewall.
My goal is to restrict access to specific services and dynamically allow connections only after a predefined sequence of connection attempts (port knocking).
I have reviewed the official documentation and forum discussions, but I would appreciate clarification from those with hands-on experience:
1. Is native port knocking supported on FortiGate?

Scenario:
• 4 ports in a specific sequence
• 2–3 seconds timeout between each attempt
• Final goal: open a real port (e.g. SSH, RDP, Web) only for that IP

Step-by-step process

1️. Initial state
• The firewall completely blocks the real port (e.g. SSH 22).
• It only listens for connection attempts on the knocking ports.

Example ports:
• Port 1 → 4000
• Port 2 → 5000
• Port 3 → 6000
• Port 4 → 7000

2️. First knock
• The client attempts to connect to port 4000.
• The firewall does not respond, but records the IP.
• A 2–3 second timer is started.

The IP moves to state: stage1

3️. Second knock (within 2–3 s)
• The same IP attempts to connect to port 5000.
• If it occurs within the allowed time, the firewall accepts the step.
• The timer is restarted.

The IP moves to stage2

If it takes longer than 3 seconds → the sequence is reset

4️. Third knock (2–3 s)
• Connection to port 6000.
• Same timing control.

The IP moves to stage3

5️. Fourth knock (2–3 s)
• Connection to port 7000.
• If the order and timing are correct:

The IP is authorized
The IP is added to a list such as:
• allowed_clients (with a limited time)

6️. Opening the real port
• The firewall opens the real port (for example SSH 22)
• Only for that IP
• For a limited time (e.g. 30–60 seconds or more)

After that time:
• The port is closed again
• Port knocking must be repeated


2. If not, are there recommended workarounds (e.g. automation, scripts, external systems, or security policies)?
3. Are there FortiGate-native alternatives that achieve a similar security outcome?
Any insights, best practices, or real-world examples would be greatly appreciated.


Thank you in advance for your time and support.

Best answer by xshkurti

@nonpe 
FortiOS does not natively support "Port Knocking".

The only way to achieve this "4-port sequence" is to offload this task to external scripting:

  1. Configure FortiGate: set up 4 "Knock" policies (Port 4000-7000) that Deny traffic but Log it.

  2. Syslog Server: Send all logs to a Linux server (or Raspberry Pi) running a script (Python/Bash).

  3. The Logic (External):

    • The script reads the syslog stream in real-time.

    • It detects src_ip hitting Port 4000 -> 5000 -> etc.

    • It manages the 2-3s timers internally.

  4. The Action (API):

    • Once the sequence is valid, the script sends a REST API request to the FortiGate.

    • API Command: Add src_ip to a Firewall Address Group (e.g., "Authorized_Knockers").

    • Cleanup: The script sends another API call 60 seconds later to remove the IP.

The native way to achieve better security is ZTNA.
Port knocking is often considered "security by obscurity." The enterprise-grade alternative in the Fortinet ecosystem is Zero Trust Network Access (ZTNA). It achieves your exact goal (opening services only to authorized users) but securely.

 

How ZTNA works for your scenario:

  1. Initial State: All ports (SSH/RDP) are closed on the firewall VIP.

  2. The "Knock": The user tries to access the resource (e.g., SSH) via the FortiClient ZTNA proxy.

  3. Verification: FortiGate checks the device certificate, user identity, and posture (e.g., "Is Antivirus on?").

  4. Access: If valid, FortiGate dynamically proxies the connection through. No sequence needed.

1 reply

xshkurti
Staff
xshkurtiAnswer
Staff
December 23, 2025

@nonpe 
FortiOS does not natively support "Port Knocking".

The only way to achieve this "4-port sequence" is to offload this task to external scripting:

  1. Configure FortiGate: set up 4 "Knock" policies (Port 4000-7000) that Deny traffic but Log it.

  2. Syslog Server: Send all logs to a Linux server (or Raspberry Pi) running a script (Python/Bash).

  3. The Logic (External):

    • The script reads the syslog stream in real-time.

    • It detects src_ip hitting Port 4000 -> 5000 -> etc.

    • It manages the 2-3s timers internally.

  4. The Action (API):

    • Once the sequence is valid, the script sends a REST API request to the FortiGate.

    • API Command: Add src_ip to a Firewall Address Group (e.g., "Authorized_Knockers").

    • Cleanup: The script sends another API call 60 seconds later to remove the IP.

The native way to achieve better security is ZTNA.
Port knocking is often considered "security by obscurity." The enterprise-grade alternative in the Fortinet ecosystem is Zero Trust Network Access (ZTNA). It achieves your exact goal (opening services only to authorized users) but securely.

 

How ZTNA works for your scenario:

  1. Initial State: All ports (SSH/RDP) are closed on the firewall VIP.

  2. The "Knock": The user tries to access the resource (e.g., SSH) via the FortiClient ZTNA proxy.

  3. Verification: FortiGate checks the device certificate, user identity, and posture (e.g., "Is Antivirus on?").

  4. Access: If valid, FortiGate dynamically proxies the connection through. No sequence needed.

    nonpe
    nonpeAuthor
    Explorer
    December 24, 2025

    Thank you for your prompt and comprehensive response, and for outlining the available optional solutions. Your support is greatly appreciated.

    Terms & ConditionsAccessibility statement