Created on 07-18-2024 10:27 PM | Edited on 09-16-2025 10:20 PM | By Jean-Philippe_P
Description | This article describes one reason why a security port scan run over the internet reports open ports on a FortiGate even though the FortiGate itself does not respond. |
Scope | FortiGate. |
Solution |
Well-known port numbers such as tcp-2000, tcp-8013, tcp-8008, tcp-8010 and tcp-8015 are reported as open, as shown in the link below:
Some port scanning tools will show positive results. For example, with 10.47.3.36 as the public IP of the FortiGate, the Zenmap port scanning tool consistently reports these ports as open, as shown in the screenshot below:
The Windows Command Prompt also shows the connection passing through when telnetting to the FortiGate public IP:
Otherwise, only the first TCP handshake (SYN) packet is seen, retransmitted continuously by the port scanning tool, and the FortiGate never responds to it.
One reason port scanning tools report open ports is that an intermediate device, such as a proxy or an unknown device performing proxy inspection, completes the connection and opens the port on behalf of the FortiGate. It is therefore not recommended to scan ports across the internet when the target is a FortiGate public IP address; scan point-to-point instead.
This is very common when the scan is run from behind a different, local FortiGate. By default, every port covered by the built-in session helpers is picked up by the local FortiGate, which then shows the port as open. Deleting the corresponding session helper stops this behaviour. See this article for more information: Technical Tip: How to close port TCP/UDP 5060 and TCP 2000. |
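As an added illustration (not taken from this article or the linked one), the FortiOS CLI steps on the local FortiGate to confirm that a session helper is answering the scan for tcp-2000 and to remove that helper. The entry number `<N>` is a placeholder: helper IDs differ between firmware versions and must be read from the `show` output.

```fortios
# Run on the LOCAL FortiGate the scanner sits behind, not on the remote target.
# 1. List the built-in session helpers and note the entry whose port matches
#    the falsely reported open port (tcp-2000 is the SCCP helper, tcp/udp-5060 is SIP).
config system session-helper
    show
end

# 2. While the scanner probes tcp-2000, check whether this unit itself is
#    picking up the session; the session details name the helper.
diagnose sys session filter clear
diagnose sys session filter dport 2000
diagnose sys session list
# A local session for dport 2000 while the remote FortiGate sees only the SYN
# is the false-positive case the article describes.

# 3. Remove the matching helper. <N> is a placeholder for the entry number
#    read from the 'show' output in step 1. Caveat: this also disables the
#    SCCP ALG on this unit, so only do it where that protocol is not needed.
config system session-helper
    delete <N>
end

# 4. Re-run the scan; tcp-2000 should now be reported closed or filtered
#    unless the target really listens on it.
```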
Copyright 2025 Fortinet, Inc. All Rights Reserved.