FortiGate
rain
Staff
Article Id 364706
Description This article describes how to block an external port scan against the public IP address of a FortiGate, or against a private IP address that is NAT-translated on the upstream (Internet-facing) port of the FortiGate.
Scope FortiGate.
Solution

One of the first steps in a brute-force attack, or in attacking a service in general, is finding out which port each service listens on. In this case the configuration (an SSL VPN portal, for example) uses TCP port 8443; an attacker has no way of knowing that this port is in use and open until a port scan is performed.

The most common tool for a port scan is Nmap. The scan can be run against private as well as public IP addresses, and most services on a FortiGate are exposed either on a public IP address or on a private IP address that is NAT-translated.

As the following Nmap scan shows, the public IP address of this FortiGate is NAT-translated from a private IP address: the FortiGate itself does not hold a static public IP address, yet it is reachable on the public address. The scan gives the same result when the ISP upstream port is configured with a static public IP address.

NMAP01.png

 

In this scan, Nmap found one port in use: 8443, which this FortiGate uses for the SSL VPN service. Nmap's service detection also identifies the service on that port as HTTPS, which gives an attacker the first step towards brute-forcing the port and the service behind it.

NMAP02.png

 

From this result, an attacker can attempt to brute-force the port, and the FortiGate logs can be inflated by numerous failed attempts to access this port and the SSL VPN portal.

NMAP03.png

 

NMAP04.png

 

To block this port scan, follow these steps:

  1. Enable the DoS feature in the GUI (go to System -> Feature Visibility -> Enable DoS Policy).

NMAP05.png

To enable this through the CLI:

config system settings
    set gui-dos-policy enable
end

  2. Go to the DoS Policy section and create a new policy (go to Policy & Objects -> DoS Policy -> Create New).

NMAP06.png

  3. Name the new policy (e.g. Scan Block), set the incoming interface to the WAN port, or whichever port is the upstream link to the Internet, and choose 'all' for Source Address, Destination Address and Services. In the L4 Anomalies section, set 'tcp_port_scan' to Block to stop TCP port scans; to also stop UDP scans, set 'udp_scan' to Block.

NMAP07.png

  4. With this change, port scans against the public IP address are blocked at the TCP/UDP protocol level. On a second Nmap test, port 8443 is no longer reported as open, even though the SSL VPN service is still listening on it. Note that the anomaly only triggers once a source exceeds the configured threshold: probes below that rate are still answered, so a deliberately slow scan can stay under it unless the threshold is lowered. To see the logged scan attempts and the sessions being cleared, go to Log & Report -> Security Events:

NMAP08.png
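The four steps above, expressed as the equivalent FortiOS CLI configuration. This is an added example written for this article, not configuration taken from the original page: the interface name wan1, the policy ID 1, the policy name and the threshold values are assumptions and must be adapted to the unit (check the upstream interface name with show system interface). The thresholds of 100 are example values; the FortiOS defaults are higher, so compare them with what the GUI shows before lowering them.

```fortios
config system settings
    set gui-dos-policy enable
end

config firewall DoS-policy
    edit 1
        set name "Scan Block"
        set status enable
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 100
            next
            edit "udp_scan"
                set status enable
                set log enable
                set action block
                set threshold 100
            next
        end
    next
end
```

Because the DoS policy is bound to the upstream interface with destination 'all', it covers both the interface's own public address and any NAT-translated (VIP) addresses behind it. The threshold is a rate of probes from a single source: only once that rate is exceeded are further probes dropped and the anomaly logged, so after applying the configuration repeat the same Nmap scan from outside and confirm that 8443 is no longer reported as open and that the attempt appears under Log & Report -> Security Events. Leave 'log enable' on; without it the blocked scans are not visible in the logs the article refers to.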

 

As another option, port scanning can be blocked with the 'Portmap' signature in an Application Control security profile, applied to all Internet-facing firewall policies. See Blocking applications with custom signatures - FortiGate 7.4.0 administration guide.