FortiGate
frottier
Staff
Article Id 191523

Description

 
This article describes how to view which ports are open and actively in use by a FortiGate. FortiOS offers several services, such as SSH, web access, SSL VPN, and IPsec VPN, each of which listens on one or more ports.
 
Both a CLI command and a GUI view display every port on which the FortiGate is offering a service.
 
Scope
 
FortiGate.


Solution

 
In the CLI, run the following command to list the TCP ports the FortiGate is listening on:
 
# diagnose sys tcpsock | grep 0.0.0.0
0.0.0.0:709->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1000->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1001->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1002->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1003->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1004->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1005->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1006->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:80->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1011->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1012->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:53->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1013->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:22->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1014->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:23->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1015->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1016->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1017->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1018->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:2650->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:443->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1019->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:7900->0.0.0.0:0->state=listen err=0 sockflag=0x2 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1020->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:541->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
 
In the CLI, run the following command to list the UDP ports the FortiGate is listening on:
 
# diagnose sys udpsock | grep 0.0.0.0
0.0.0.0:2055->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=16442 process=1287/flcfgd
0.0.0.0:53->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=6907 process=1278/dnsproxy
0.0.0.0:123->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=16418 process=1272/ntpd
0.0.0.0:161->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=4382 process=1265/snmpd
0.0.0.0:20949->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=3629 process=1239/syslogd
0.0.0.0:514->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=14741 process=1328/miglogd
0.0.0.0:514->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=18624 process=1329/miglogd
0.0.0.0:514->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=5087 process=1326/miglogd
0.0.0.0:514->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=5066 process=1327/miglogd
0.0.0.0:514->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=4993 process=1260/miglogd
0.0.0.0:520->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=5393963 process=1214/ripd
0.0.0.0:25246->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=17735 process=1292/extenderd
0.0.0.0:2736->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=15694 process=1295/dnsproxy
0.0.0.0:8887->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=18839 process=1282/cw_acd
0.0.0.0:710->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=4363 process=1266/dhcpcd
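
The two listings above are easy to collect but tedious to review by hand. The following added example (not part of the original article) parses saved tcpsock and udpsock output into a port-to-process map and reports listeners that are missing from an administrator-defined expected-service list; the sample output lines and the BASELINE set are constructed for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample output in the format printed by "diagnose sys tcpsock" and
# "diagnose sys udpsock" (abridged from the listings above); the last TCP line is
# a constructed established connection, which must not be reported as a listener.
TCP_SAMPLE = """\
0.0.0.0:80->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:22->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:23->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:443->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
10.0.0.1:443->10.0.0.50:51234->state=established err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
"""
UDP_SAMPLE = """\
0.0.0.0:53->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=6907 process=1278/dnsproxy
0.0.0.0:161->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=4382 process=1265/snmpd
0.0.0.0:514->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=14741 process=1328/miglogd
0.0.0.0:514->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=18624 process=1329/miglogd
"""

# The local socket is the first "addr:port" token on every line of both outputs.
SOCK_RE = re.compile(r"^(?P<addr>[\d.]+):(?P<port>\d+)->")
# Only the udpsock output names the owning process, as "process=PID/name".
PROC_RE = re.compile(r"process=\d+/(?P<name>\S+)")

def parse_listeners(output: str, proto: str) -> Dict[Tuple[str, int], Set[str]]:
    """Map (proto, port) -> owning process names for sockets bound to 0.0.0.0.

    tcpsock lines are listeners only when they carry state=listen; udpsock lines
    have no state, so every wildcard-bound UDP socket counts as a listener.
    """
    listeners: Dict[Tuple[str, int], Set[str]] = {}
    for line in output.splitlines():
        m = SOCK_RE.match(line.strip())
        if not m or m.group("addr") != "0.0.0.0":
            continue
        if proto == "tcp" and "state=listen" not in line:
            continue
        pm = PROC_RE.search(line)
        name = pm.group("name") if pm else "?"   # tcpsock has no process column
        listeners.setdefault((proto, int(m.group("port"))), set()).add(name)
    return listeners

def unexpected_listeners(listeners: Dict[Tuple[str, int], Set[str]],
                         baseline: Set[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Listening ports that are absent from the administrator's expected-service list."""
    return sorted(k for k in listeners if k not in baseline)

# Constructed baseline: the services this unit is supposed to expose.
BASELINE = {("tcp", 22), ("tcp", 443), ("udp", 53), ("udp", 514)}
```

Run it against output saved from a real unit to get a list such as telnet (tcp/23), HTTP (tcp/80) or SNMP (udp/161) that should be reviewed against the unit's administrative-access and Local In settings.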

The listening ports can also be viewed in the GUI once the Local In Policy view is enabled:

Activate the Local In Policy view via System -> Feature Visibility, and toggle on Local In Policy in the Additional Features menu.

Go to Policy & Objects -> Local In; the page shows an overview of the active listening ports.


Related Article:

Technical Note: Traffic Types and TCP/UDP Ports used by Fortinet Products