Created on 05-26-2020 02:14 AM
Edited on 02-14-2025 06:22 AM
By Jean-Philippe_P
Description
This article describes how to block open ports on the FortiGate.
Scope
FortiGate.
Solution
Below are the ports and IP protocols that are open by design on the FortiGate.
Ports:
500 & 4500 - VPN (IKE / IPsec NAT-T)
1144 - Fusion Script
3799 - RADIUS Dynamic Authorization
520 - RIP
3784 - BFD Control Protocol
IP protocol numbers:
2 - IGMP (Internet Group Management Protocol)
89 - OSPFIGP
112 - VRRP
103 - PIM (Protocol Independent Multicast)
For example, if RIP is not used, create a service object for that port and then create a local-in policy that denies the corresponding service.
From the CLI:
To block any port, follow the steps below to add a local-in policy that denies the traffic.
Create a service for the port:
config firewall service custom
    edit "RIP"
        set category "General"
        set udp-portrange 520
    next
end
Add the local-in policy (deny is the default action for a local-in policy; it is set explicitly here for clarity):
config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "RIP"
        set schedule "always"
        set action deny
    next
end
Local-in policies are used to close open ports or otherwise restrict access to FortiGate.
To identify all of the ports that are currently open on the FortiGate, use the commands below:
diagnose sys tcpsock    <----- For TCP sockets.
diagnose sys udpsock    <----- For UDP sockets.
More on this topic can be found in the following KB article: View-which-ports-are-actively-open-and-in-use.
If the port does not appear in that output, search the configuration for it with the following CLI command:
show full | grep -f <port_number>
The -f option prints the full configuration block containing the match, so this also shows which feature is using the port.
Example as per attached screenshot for SAML port 1001.
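The following script ties the two halves of this article together: it parses the socket listings from `diagnose sys tcpsock` / `diagnose sys udpsock`, flags listening ports that are not on a site allowlist, and drafts the service-plus-local-in-policy pair shown above for each one. This is an added example, not part of the Fortinet article or FortiOS itself. The line layout it parses is assumed (reconstructed from the general "local->remote->state=... process=pid/name" shape of the diagnostic output), the sample lines are constructed, and the allowlist is a hypothetical site policy; adjust the regular expression if your firmware prints the fields differently.

```python
"""Audit FortiGate listening sockets against an allowlist and draft
local-in policies for the rest.

Added example, not from the Fortinet article. Assumptions: the socket
line layout below is reconstructed (check it against real output), the
SAMPLE_* data is constructed, and ALLOWLIST is a hypothetical site policy.
"""
import re
from dataclasses import dataclass

# Constructed sample output in the assumed "local->remote->state=... process=pid/name" layout.
SAMPLE_TCPSOCK = """\
0.0.0.0:22->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=1001 process=140/sshd
0.0.0.0:443->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=1002 process=155/httpsd
0.0.0.0:1001->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=1003 process=170/samld
10.0.0.1:443->10.0.0.55:51344->state=established err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=1004 process=155/httpsd
"""
SAMPLE_UDPSOCK = """\
0.0.0.0:500->0.0.0.0:0->state=unconnected err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=2001 process=180/iked
0.0.0.0:520->0.0.0.0:0->state=unconnected err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=2002 process=190/ripd
0.0.0.0:3784->0.0.0.0:0->state=unconnected err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=2003 process=200/bfdd
"""

# Hypothetical site policy: (protocol, port) pairs that are expected to be open.
ALLOWLIST = {("tcp", 22), ("tcp", 443), ("udp", 500), ("udp", 4500)}

# Non-greedy address groups so IPv6 literals (which contain colons) still parse.
SOCK_RE = re.compile(
    r"^(?P<laddr>\S+?):(?P<lport>\d+)->(?P<raddr>\S+?):(?P<rport>\d+)"
    r"->state=(?P<state>\w+).*?process=(?P<pid>\d+)/(?P<name>\S+)"
)


@dataclass(frozen=True)
class Socket:
    proto: str      # "tcp" or "udp"
    laddr: str
    lport: int
    raddr: str
    rport: int
    state: str
    process: str    # "pid/name" as printed by the FortiGate


def parse_socks(text: str, proto: str) -> list[Socket]:
    """Parse one diagnostic listing; lines that do not match are skipped."""
    socks = []
    for line in text.splitlines():
        m = SOCK_RE.match(line.strip())
        if not m:
            continue
        socks.append(Socket(proto, m["laddr"], int(m["lport"]), m["raddr"],
                            int(m["rport"]), m["state"], f"{m['pid']}/{m['name']}"))
    return socks


def listening(socks: list[Socket]) -> list[Socket]:
    """A socket is a listener when it has no remote peer (remote port 0).
    TCP also reports state=listen; UDP has no listen state, so the
    unbound remote endpoint is the reliable signal for both."""
    return [s for s in socks if s.rport == 0]


def unexpected_listeners(socks: list[Socket], allow=ALLOWLIST) -> list[Socket]:
    """Listeners whose (proto, port) is not on the allowlist, sorted for stable output."""
    bad = [s for s in listening(socks) if (s.proto, s.lport) not in allow]
    return sorted(bad, key=lambda s: (s.proto, s.lport))


def block_port_cli(sock: Socket, policy_id: int) -> str:
    """Draft the service + local-in-policy pair from the article for one listener.
    The service name is a hypothetical naming convention."""
    svc = f"block-{sock.proto}-{sock.lport}"
    return "\n".join([
        "config firewall service custom",
        f'    edit "{svc}"',
        '        set category "General"',
        f"        set {sock.proto}-portrange {sock.lport}",
        "    next",
        "end",
        "config firewall local-in-policy",
        f"    edit {policy_id}",
        '        set intf "any"',
        '        set srcaddr "all"',
        '        set dstaddr "all"',
        f'        set service "{svc}"',
        '        set schedule "always"',
        "        set action deny",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    all_socks = parse_socks(SAMPLE_TCPSOCK, "tcp") + parse_socks(SAMPLE_UDPSOCK, "udp")
    for n, s in enumerate(unexpected_listeners(all_socks), start=1):
        print(f"# unexpected listener {s.proto}/{s.lport} owned by {s.process}")
        print(block_port_cli(s, n))
```

Run it with the output of both diagnose commands pasted into the two sample strings; review each drafted policy before applying it, since a port that looks unexpected may belong to a feature (SAML, BFD, dynamic routing) that the device genuinely needs.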
Note:
From v7.6.0, a local-in policy can also be created from the GUI under Policy & Objects -> Local-In Policy -> Create New.
Copyright 2025 Fortinet, Inc. All Rights Reserved.