shahv
Staff
Article Id 189671

Description

This article describes how to block open ports on the FortiGate.

Scope

FortiGate.

Solution

Below are some example ports and IP protocols that are open on the FortiGate by design.

Ports:

500 & 4500 - VPN
1144 - AeroScout
3799 - RADIUS Dynamic Authorization
520 - RIP
3784 - BFD Control Protocol

Protocols:

2 - IGMP (Internet Group Management Protocol)
89 - OSPFIGP
112 - VRRP
103 - PIM (Protocol Independent Multicast)

To identify open TCP and UDP ports on the FortiGate, use the commands below to list the listening ports and the associated FortiOS process.

diagnose sys tcpsock <----- TCP listening ports.
0.0.0.0:10400->0.0.0.0:0->state=listen err=0 socktype=4 rma=0 wma=0 fma=0 tma=0 inode=54539 process=197/authd
0.0.0.0:10500->0.0.0.0:0->state=listen err=0 socktype=4 rma=0 wma=0 fma=0 tma=0 inode=54545 process=197/authd
0.0.0.0:5060->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=3895 process=211/voipd
0.0.0.0:5060->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=3888 process=211/voipd
...

diagnose sys udpsock <----- UDP listening ports.
127.0.0.1:1024->127.0.0.1:701 state=established txq=0 rxq=0 uid=0 inode=3395335 process=216/hatalk
127.0.0.1:1025->127.0.0.1:701 state=established txq=0 rxq=0 uid=0 inode=3418783 process=376/updated
0.0.0.0:2055->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=2878 process=246/flcfgd
0.0.0.0:53->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=52246 process=235/dnsproxy
...

More on this topic can be found in the following KB article: View-which-ports-are-actively-open-and-in-use.

If the port is not visible in the output of the commands above, search the configuration for the port number using the following CLI command:

show full | grep -f <port_number>

This also shows where in the configuration the port is being used.

Example as per the attached screenshot for SAML port 1001:

[Screenshot: OPEN PORT 1001.png]

 

For example, if the RIP protocol is not used, create a service for the specific port and create a local-in policy with the corresponding service.

Blocking ports manually.

To block any port, follow the steps below to add a local-in policy to deny traffic.

  1. Create a service with the port:

config firewall service custom
    edit "RIP"
        set category "General"
        set udp-portrange 520
    next
end

  2. Add a local-in policy referencing the service:

config firewall local-in-policy
    edit <index>
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "RIP"
        set schedule "always"
    next
end
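As an added example (not from the article or from Fortinet), the Python below parses the `diagnose sys tcpsock` / `diagnose sys udpsock` output format shown above, keeps only sockets that listen on a non-loopback address, and renders the custom-service and local-in-policy CLI from the two steps above for every port not on an operator-supplied allow list. The sample output is constructed; the `sshd` and `routed` entries, the `BLOCK_*` service names and the allow list are assumptions, and `set action deny` is written out explicitly although deny is the default for a local-in policy.

```python
import re
from typing import NamedTuple

# Constructed sample output in the article's `diagnose sys tcpsock` / `udpsock` format; sshd and routed entries are invented.
TCPSOCK_SAMPLE = """\
0.0.0.0:10400->0.0.0.0:0->state=listen err=0 socktype=4 rma=0 wma=0 fma=0 tma=0 inode=54539 process=197/authd
0.0.0.0:5060->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=3895 process=211/voipd
0.0.0.0:22->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=1000 process=150/sshd
"""
UDPSOCK_SAMPLE = """\
127.0.0.1:1024->127.0.0.1:701 state=established txq=0 rxq=0 uid=0 inode=3395335 process=216/hatalk
0.0.0.0:2055->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=2878 process=246/flcfgd
0.0.0.0:520->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=2900 process=300/routed
0.0.0.0:53->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=52246 process=235/dnsproxy
"""
# TCP lines use "->state=", UDP lines use " state="; an unconnected UDP socket has an empty state.
SOCK_RE = re.compile(
    r"^(?P<ip>[\d.]+):(?P<port>\d+)->[\d.]+:\d+(?:->|\s)state=(?P<state>\w*)\s.*process=\d+/(?P<proc>\S+)$"
)

class Listener(NamedTuple):
    proto: str  # "tcp" or "udp"
    port: int
    process: str

def parse_listeners(output: str, proto: str) -> list[Listener]:
    """Return externally reachable listening sockets, one entry per (proto, port)."""
    found: dict[tuple[str, int], Listener] = {}
    for line in output.splitlines():
        m = SOCK_RE.match(line.strip())
        if m is None or m["state"] != ("listen" if proto == "tcp" else "") or m["ip"].startswith("127."):
            continue  # unparsable lines, connected sockets and loopback-only binds are not exposed on an interface
        found.setdefault((proto, int(m["port"])), Listener(proto, int(m["port"]), m["proc"]))
    return list(found.values())

def local_in_block_cli(listeners: list[Listener], allowed: set[tuple[str, int]], first_index: int = 1) -> str:
    """Render the article's custom-service and local-in-policy CLI for each listener not on the allow list."""
    to_block = [l for l in listeners if (l.proto, l.port) not in allowed]
    if not to_block:
        return ""
    out = ["config firewall service custom"]
    for l in to_block:
        out += [f'    edit "BLOCK_{l.proto.upper()}_{l.port}"', '        set category "General"',
                f"        set {l.proto}-portrange {l.port}", "    next"]
    out += ["end", "config firewall local-in-policy"]
    for i, l in enumerate(to_block, first_index):  # deny is the default action; set it explicitly anyway
        out += [f"    edit {i}", '        set intf "any"', '        set srcaddr "all"', '        set dstaddr "all"',
                f'        set service "BLOCK_{l.proto.upper()}_{l.port}"', '        set schedule "always"',
                "        set action deny", "    next"]
    return "\n".join(out + ["end"])
```

Review the generated allow list against the management ports in use (SSH, HTTPS, the DNS proxy) before pasting the output into the CLI, since a missing allow-list entry produces a deny rule for that service.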

 

Local-in policies are used to close open ports or otherwise restrict access to the FortiGate itself. If misconfigured, a local-in policy can block administrator SSH or HTTPS access, so confirm that the referenced service does not match a management port before applying it.

Note: In the above local-in policy, it is possible to block multiple services with the same rule, using the following format:

config firewall local-in-policy
    edit <index>
        set service "RIP" "BGP" "OSPF"
    next
end

Note: From v7.6.0, it is possible to create a local-in policy from the GUI under Policy & Objects -> Local-In Policy -> Create New.


Related documents:

FortiOS Ports

Ports and Protocols