The table below shows the port status when each UTM profile type is used.
|
Profile
|
8008
|
8010
|
8015
|
8020
|
|
None
|
close
|
close
|
close
|
close
|
|
AntiVirus
|
open
|
close
|
close
|
close
|
|
Web Filter
|
open
|
open
|
open
|
open
|
|
DNS Filter
|
close
|
close
|
close
|
close
|
|
Application Control
|
open
|
close
|
close
|
close
|
|
IPS
|
close
|
close
|
close
|
close
|
|
File Filter
|
close
|
close
|
close
|
close
|
Here is the table for proxy-based policy:
|
Profile
|
8008
|
8010
|
8015
|
8020
|
|
None
|
close
|
close
|
close
|
close
|
|
AntiVirus
|
open
|
open
|
open
|
open
|
|
Web Filter
|
open
|
open
|
open
|
open
|
|
DNS Filter
|
open
|
open
|
open
|
open
|
|
Application Control
|
open
|
open
|
open
|
open
|
|
IPS
|
open
|
open
|
open
|
open
|
|
File Filter
|
open
|
open
|
open
|
open
|
When a TCP SYN packet is sent through the firewall on port 8008, 8010, 8015, or 8020 even to a non-existing IP in the destination LAN, but matches the firewall policy that has the UTM profiles applied. The firewall behaves like the below:
- When no profile is applied, FortiGate does not send any SYN-ACK packets back, all 4 ports show as filtered.
- When the Web filter profile is applied, FortiGate sends SYN-ACK back with the scanned IP as the source. All 4 ports show as open.
- When an AntiVirus or Application profile is applied, FortiGate sends SYN-ACK back with the scanned IP as the source, but only on port 8008, the other 3 ports show as filtered.
- Other profiles have no impact.
Even when the test result shows the port is open, the traffic does not leak through the policy on that port. If for security compliance reasons those ports cannot show as an open state, they can be closed by the below command:
config webfilter fortiguard
set close-ports enable
end
In multi-VDOM mode, the setting is in Global VDOM:
config global
(global)# config webfilter fortiguard
set close-ports enable
end
