FortiGate
FrankY1
Staff
Article Id 344492
Description: When UTM profiles such as web filter, antivirus, or application control are applied in a firewall policy, the FortiGate opens ports 8008, 8010, 8015, or 8020. This article describes which of those ports each profile type opens and how the firewall responds on them.
Scope: FortiGate.
Solution

The table below shows the status of each port when a given UTM profile type is used.

Profile               8008    8010    8015    8020
None                  close   close   close   close
AntiVirus             open    close   close   close
Web Filter            open    open    open    open
DNS Filter            close   close   close   close
Application Control   open    close   close   close
IPS                   close   close   close   close
File Filter           close   close   close   close

When a TCP SYN packet is sent through the firewall to port 8008, 8010, 8015, or 8020, even to a non-existent IP in the destination LAN, and the packet matches a firewall policy that has UTM profiles applied, the firewall behaves as follows:

  • When no profile is applied, FortiGate does not send any SYN-ACK back, and all 4 ports show as filtered.
  • When a Web Filter profile is applied, FortiGate sends a SYN-ACK back with the scanned IP as the source, and all 4 ports show as open.
  • When an AntiVirus or Application Control profile is applied, FortiGate sends a SYN-ACK back with the scanned IP as the source, but only on port 8008; the other 3 ports show as filtered.
  • Other profiles have no impact.


Even when a scan reports one of these ports as open, no traffic leaks through the policy on that port. If, for security compliance reasons, these ports must not appear open, they can be closed with the following command:


config webfilter fortiguard
    set close-ports enable
end
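As an added example (not part of this article or of any Fortinet tool), the following Python script lets a compliance reviewer probe the four ports on an address behind the policy, map the observed states to the profile patterns described above, and flag whether any port would still show as open after close-ports is enabled. The target host and timeout are assumptions supplied by the reviewer.

```python
import socket
import sys
from typing import Dict

# Ports the FortiGate proxy answers on when certain UTM profiles are applied.
UTM_PORTS = (8008, 8010, 8015, 8020)


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open' if the TCP handshake completes, 'closed' on RST,
    'filtered' when nothing comes back before the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"


def probe_all(host: str, timeout: float = 2.0) -> Dict[int, str]:
    """Probe all four UTM ports and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in UTM_PORTS}


def interpret(states: Dict[int, str]) -> str:
    """Map observed port states to the profile pattern the article describes."""
    open_ports = {p for p, s in states.items() if s == "open"}
    if not open_ports:
        return "no responding ports (no profile, or close-ports enabled)"
    if open_ports == set(UTM_PORTS):
        return "web filter pattern (all four ports answer)"
    if open_ports == {8008}:
        return "antivirus / application control pattern (only 8008 answers)"
    return f"unexpected pattern: {sorted(open_ports)}"


def compliance_violation(states: Dict[int, str]) -> bool:
    """True if any of the four ports would be reported as open by a scanner."""
    return any(s == "open" for s in states.values())


if __name__ == "__main__":
    # Usage: python check_utm_ports.py <host-behind-policy>   (host is an assumption)
    result = probe_all(sys.argv[1])
    print(result, "->", interpret(result), "| violation:", compliance_violation(result))
```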