rain (Staff)
Article Id 364706
Description This article describes how to block an external port scan of a public IP address, or of a private IP address that is NAT-translated, on the upstream (Internet-facing) port of the FortiGate.
Scope FortiOS.
Solution

One of the first steps in a brute-force attack, or in any attack on a service, is finding out which port each service uses. In this case the configuration (for example an SSL VPN configuration) uses TCP port 8443, and there is no way for an outsider to know that this port is open and in use until a port scan is performed.

The most common tool for performing a port scan is NMAP. A scan can be run against private and public IP addresses, and most services on a FortiGate are reached through a public IP address or through a private IP address that is NAT-translated.

As shown in this NMAP scan, the public IP address of this FortiGate is NAT-translated from a private IP address. This FortiGate does not have a static public IP address, but it is reachable from the public address. The scan gives the same result when the ISP upstream port uses a static public IP address.

NMAP01.png

In this scan, NMAP found one port in use: 8443 (used on this FortiGate for the SSL VPN service). This is the first step toward brute-forcing the port and the service behind it over HTTPS, since NMAP also identifies that the port is serving HTTPS.

NMAP02.png

Starting from this scan, an attacker could try to brute-force the port, and the FortiGate logs could be inflated by a large number of failed attempts to access this port and the SSL VPN portal.

NMAP03.png

NMAP04.png

To prevent and block this port scan, follow these steps:

  1. Enable the DoS feature in the GUI (go to System -> Feature Visibility -> enable DoS Policy).

NMAP05.png

  2. Go to the DoS Policy section and create a new policy (go to Policy & Objects -> DoS Policy -> select Create New).

NMAP06.png

  3. Name the new policy (e.g. Scan Block), set the Incoming Interface to the WAN port or whichever port is used as the upstream link to the Internet, and choose 'all' for Source Address, Destination Address and Services. In the L4 Anomalies section, set 'tcp_port_scan' to Block to block TCP port scans; to block UDP scans, set 'udp_scan' to Block as well.

NMAP07.png

  4. With this change, port scans against the public IP address are now blocked at the TCP/UDP protocol level. On another test with NMAP, the ports will no longer be shown as open; they will appear closed, even though the port is in use and open for services. To see the records of scan attempts and of the sessions being cleared, go to Log & Report -> Security Events:

NMAP08.png
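The same DoS policy can be created from the FortiOS CLI instead of the GUI. The following is an added example, not part of the original article, showing the CLI equivalent of steps 2 to 4 above. It assumes the Internet-facing interface is named wan1 and that DoS policy ID 1 is unused; both are placeholders to adjust. No `set threshold` is given, so each anomaly keeps its FortiOS default threshold. Lines beginning with `#` are annotations, not commands.

```text
# Added example: FortiOS CLI equivalent of the "Scan Block" DoS policy.
# Assumptions: upstream interface is "wan1", DoS policy ID 1 is free.
config firewall DoS-policy
    edit 1
        set name "Scan Block"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            # Block and log TCP port scans (default threshold kept)
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
            next
            # Block and log UDP scans (default threshold kept)
            edit "udp_scan"
                set status enable
                set log enable
                set action block
            next
        end
    next
end

# Verify the resulting policy
show firewall DoS-policy
```

DoS policies are evaluated on traffic arriving at the interface before the regular firewall policies are consulted, so the blocked scan sessions never reach the SSL VPN listener on port 8443. With `set log enable`, each blocked anomaly produces an entry under Log & Report -> Security Events, which is the place to confirm the policy is matching after a re-test with NMAP.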