unknown1020
Explorer III
May 28, 2024
Question

Web services published on FortiGate

  • May 28, 2024
  • 4 replies
  • 1963 views

Good morning friends, a question.

I have several web services published on FortiGate. According to a report, I see that the attack events are related to the HTTP port.

What considerations should I have before removing the HTTP port from the publication?

Is it simply a matter of changing the port in the VIP? Or is it also necessary to make changes on the web servers?

4 replies

hbac
Staff
May 29, 2024

Hi @unknown1020,

If you don't want port 80 to be exposed, you can remove the VIP that forwards port 80.

Regards,

unknown1020
Explorer III
June 5, 2024

Hello, thank you for responding, but the port change must be made in the VIP and also on the server, right?

AEK
SuperUser
May 29, 2024

Hi Unknown

You can change to HTTPS, but this will not prevent attacks. The best solution to block the attacks is to use a separate WAF appliance between the FG and the back-end server.

If the server is just for test purposes, or you can't use a separate WAF, then you may use FortiGate's WAF profile with a virtual server object.

AEK
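As an added illustration of the two replies above (this is not configuration from the thread or from Fortinet; it is example CLI written for this page), the FortiOS objects involved in dropping the port-80 publication and keeping an HTTPS-only one with the FortiGate WAF profile on the publishing policy. The object names, interface names, addresses, policy ID and SSL profile name are assumptions; the `#` lines are annotations, not CLI. The point about the server side: with port forwarding, `extport` (what the Internet sees) and `mappedport` (what the server listens on) are independent, so the published port can change without touching the server, but the server must actually serve TLS on the mapped port, and the WAF/IPS can only read HTTPS requests if the FortiGate decrypts them with an SSL/SSH profile that holds the server's certificate ("Protecting SSL Server" mode).

```fortios
# 1. HTTPS-only VIP. No VIP forwards port 80 for this public address,
#    so nothing answers on 80 on the WAN side after the old VIP is gone.
config firewall vip
    edit "vip-web-https"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.10.20.15"
        set extport 443
        # Server keeps listening on its own port (assumed 8443 here);
        # only the published port is 443.
        set mappedport 8443
    next
end

# 2. Publishing policy with WAF + IPS. WAF needs proxy inspection, and
#    decryption via an SSL/SSH profile built with the server's certificate
#    (assumed name "web-server-tls"). The built-in "certificate-inspection"
#    profile would leave the WAF blind to the request content.
config firewall policy
    edit 0
        set name "publish-web-https"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-web-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "web-server-tls"
        set waf-profile "default"
        set ips-sensor "protect_http_server"
        set logtraffic all
    next
end

# 3. Remove the old port-80 publication. The policy referencing the VIP
#    (assumed ID 11) has to go first: FortiOS refuses to delete an object
#    that is still referenced.
config firewall policy
    delete 11
end
config firewall vip
    delete "vip-web-http"
end
```

After applying this, confirm from outside that the public address no longer answers on 80 (a plain TCP connect should time out or be refused) and that the WAF profile is actually visible on the policy; if the WAF profile does not appear in the GUI, it is only hidden by feature visibility and the CLI setting still applies.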
DPadula
Staff & Editor
June 6, 2024

As mentioned by AEK, changing the port number is not a solution.
Besides the WAF, have a look at DoS policies inside the FGT as well. They might help you prevent some of the attacks.
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/771644/dos-policy

unknown1020
Explorer III
June 6, 2024

Thanks for the response. A question: when configuring a DoS policy, could that configuration increase the firewall's CPU consumption? I have planned to first put it in monitor mode to view the events, then apply the respective blocks.

AEK
SuperUser
June 6, 2024

I think the DoS policy will consume the same CPU in either monitor mode or block mode. In my experience with it, it doesn't consume significant processing (nothing visible).

AEK
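As an added example of the "monitor first, then block" approach discussed in the last two posts (example CLI written for this page, not configuration from the thread or from Fortinet): a DoS policy on the WAN interface in log-only mode, followed by the change that turns the relevant anomaly into a block. In FortiOS terms "monitor mode" is `set action pass` with `set log enable`; the thresholds shown are the FortiOS defaults, and the interface, address object and policy ID are assumptions. The DoS policy is evaluated on ingress before the VIP's destination NAT, so it matches on the public address, not on the server's internal address; `#` lines are annotations, not CLI.

```fortios
# Address object for the published public IP (DoS policies match the
# pre-NAT destination, so use the public address, not the VIP mapping).
config firewall address
    edit "addr-web-public"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Stage 1: observe only. Anomalies over threshold are logged, not dropped.
config firewall DoS-policy
    edit 1
        set name "dos-wan-web"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "addr-web-public"
        set service "HTTPS"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action pass
                set threshold 2000
            next
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action pass
                set threshold 1000
            next
            edit "tcp_dst_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
        end
    next
end

# Stage 2: after reviewing the anomaly logs against normal traffic,
# switch the anomalies that fired on real attack traffic to block.
config firewall DoS-policy
    edit 1
        config anomaly
            edit "tcp_syn_flood"
                set action block
            next
        end
    next
end
```

Useful checks while the policy sits in pass mode: `diagnose ips anomaly list` shows the anomaly counters the policy is tracking, and `get system performance status` gives the CPU, memory and session figures to compare against the baseline taken before the policy was enabled. A threshold that fires during a normal busy day is too low and should be raised before stage 2, otherwise the block will hit legitimate clients.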
DPadula
Staff & Editor
June 6, 2024

Hi @unknown1020

A good strategy is to record a baseline for memory, CPU and sessions on busy and normal business days of firewall operation.
Having that will help you in the future to identify whether a feature (not only DoS policies) or any change on the network has affected the environment.

As mentioned by my colleague AEK, I don't think enabling a DoS policy will add significant CPU usage.

Of course, every feature that you enable will always consume some amount of CPU and memory, even if it is not in use. As a good practice, always disable features that you don't need.

Cheers