FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rphulekar
Staff
Staff

Article

Description

By default, FortiGate units do not accept remote administrative access except by HTTPS connections on TCP port 443 to the default internal network interface for that FortiGate model. Restricting administrative access by default helps to ensure that only you can change your firewall policy and other security configurations. It also improves security of the FortiGate unit itself by reducing the number of ports that potential attackers can discover by network probes and port scans, a common method of discovering open ports for denial of service (DoS) attacks.

TCP port 113 (Ident/Auth) is an exception to this rule. By default, FortiGate units receiving an ident request on this port respond with a TCP RST, which resets the connection. This prevents delay that would normally occur if the requesting host were to wait for the connection attempt to time out.

This port is less commonly used today. If you do not use this service, and you prefer to make your FortiGate unit invisible to probes, you can disable TCP RST responses to ident requests and subject those requests to firewall policies, and thereby close this port.

Components
  • All FortiGate units
  • FortiOS 2.8 MR11 or greater, 5.0, 5.2, 5.4
Steps or Commands

To disable TCP RST responses to ident/auth requests

  1. On the FortiGate unit, connect to the CLI.

  2. For each network interface that should not respond to ident requests on TCP port 113, enter the following CLI commands:

    config system interface
                    edit 
                    set ident-accept enable
                    next
                    end

    For example, to disable ident responses on a network interface names port1, you would enter the following commands:

    config system interface
                    edit port1
                    set ident-accept enable
                    next
                    end

    TCP 113 is closed.

 

 

Related Articles

Technical Note: Traffic Types and TCP/UDP Ports used by Fortinet Products

Contributors