Description
This article describes how to block port scanning attempts, or a specific port-scanning application, on a FortiGate. Port scanners are popular tools for network administrators and attackers alike: as the name implies, they scan a network for open ports and IP addresses, producing a basic map of the infrastructure. Attackers can then use that map to select targets and design an exploit.
Scope
FortiGate.
Solution
There are two choices to protect a network from being scanned.
- Block the 'Portmap' signature in application control, and then apply application control on all internet-facing policies (see also: Blocking applications with custom signatures).
- Configure an IPv4 DoS Policy to block TCP and UDP port scans.
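The application-control option from the command line, as an added example that is not part of the original article. It assumes an application-control sensor named 'block-portscan' and a firewall policy ID of 1; the numeric application ID of the 'Portmap' signature is not given in the article and is left as a placeholder to be looked up under Security Profiles -> Application Signatures on the unit itself.

```text
# Added example (not from the article). Creates an application-control
# sensor that blocks the 'Portmap' signature, then attaches it to an
# internet-facing policy. Names and the policy ID are assumptions.
config application list
    edit "block-portscan"
        set comment "Block port-scanning applications on internet-facing policies"
        config entries
            edit 1
                # Replace <PORTMAP_APP_ID> with the signature ID shown in the GUI
                set application <PORTMAP_APP_ID>
                set action block
                set log enable
            next
        end
    next
end

# Apply the sensor to the internet-facing policy (policy ID 1 assumed).
config firewall policy
    edit 1
        set utm-status enable
        set application-list "block-portscan"
    next
end
```

Apply the sensor to every policy whose source interface is the WAN side; a sensor attached to only one of several internet-facing policies leaves the others unprotected.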
To configure an IPv4 DoS Policy to block TCP or UDP port scans on a WAN port, follow these steps:
- Navigate to Policy & Objects -> IPv4 DoS Policy in the FortiGate GUI.
- Create a new IPv4 DoS Policy.
- Set the 'tcp_port_scan' and 'udp_scan' anomalies to Block.
- Once the policy is created, blocked scan attempts can be viewed in Log & Report -> Security Events -> Anomaly within the FortiGate GUI. Whether an attempt appears there depends on the threshold configured to trigger blocking; scans slower than the threshold are not logged.
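The same IPv4 DoS policy expressed in the FortiOS CLI, as an added example that is not part of the original article. It assumes the WAN interface is named 'wan1' and uses policy ID 1; the threshold values shown are assumptions chosen for illustration and should be tuned to the traffic actually seen on the interface.

```text
# Added example (not from the article). Equivalent of the GUI steps above:
# an IPv4 DoS policy on the WAN interface that blocks and logs TCP and UDP
# port scans. Interface name, policy ID and thresholds are assumptions.
config firewall DoS-policy
    edit 1
        set name "block-port-scans"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            # Triggers when one source probes more than <threshold> TCP ports/second
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            # Same for UDP; scanners often use UDP to find services TCP misses
            edit "udp_scan"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
        end
    next
end
```

Leaving 'set log enable' on is what makes blocked attempts visible under Log & Report -> Security Events -> Anomaly; with logging disabled the scan is still blocked but nothing is recorded. Start with a high threshold and lower it gradually while watching that log, since a threshold below normal peak traffic will block legitimate clients.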
Related article:
Technical Tip: How to set up application control on v5.2.