FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
shahv
Staff
Description
This article describes how to block open ports on the FortiGate.

Solution
Below are the ports and protocols that a FortiGate opens by design. Any of them that is not in use can be closed with a local-in policy, as shown below.

Ports:
500 & 4500 - VPN (IKE / IPsec NAT-T)
1144 - Fusion Script
3799 - RADIUS dynamic authorization
520 - RIP
3784 - BFD control protocol

Protocols (IP protocol numbers):
2 - IGMP (Internet Group Management Protocol)
89 - OSPFIGP
112 - VRRP
103 - PIM (Protocol Independent Multicast)

For example, if RIP is not used, create a custom service for UDP port 520 and a local-in policy that denies traffic matching that service.

From CLI.

To block any port, follow the steps below to add a local-in policy that denies the traffic.

Create a custom service for the port.
# config firewall service custom
    edit "RIP"
        set category "General"
        set udp-portrange 520
    next
end

Add the local-in policy. The action of a local-in policy defaults to deny when it is not set explicitly, so this policy drops inbound RIP destined to the FortiGate on every interface.
# config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "RIP"
        set schedule "always"
    next
end
Local-in policies apply to traffic destined to the FortiGate itself (not traffic passing through it) and are used to close open ports or otherwise restrict access to the device.
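A practitioner hardening several units usually wants to verify, from a config backup, which of the default-open UDP ports listed above are still not covered by a deny local-in policy. The following Python audit is an added example and is not Fortinet's code or part of this article; it assumes a minimal parser for the `config` / `edit` / `set` / `next` / `end` structure shown in the CLI excerpt, resolves only custom services (built-in services such as ALL are not expanded), and runs against a constructed configuration sample embedded below. The port list is the one from this article.

```python
"""Audit a FortiOS configuration excerpt for local-in policies that deny the
default-open UDP ports listed in the article (example code, not Fortinet's)."""
import shlex

# Default-open UDP ports named in the article (port -> description).
DEFAULT_OPEN_UDP_PORTS = {
    500: "IKE (VPN)",
    4500: "IPsec NAT-T (VPN)",
    1144: "Fusion Script",
    3799: "RADIUS dynamic authorization",
    520: "RIP",
    3784: "BFD control",
}


def parse_fortios(text):
    """Parse `config ... / edit ... / set ... / next / end` into nested dicts,
    e.g. {"firewall service custom": {"RIP": {"udp-portrange": ["520"]}}}.
    Hypothetical minimal parser: it handles only the constructs used here and
    strips a leading "# " CLI prompt from config lines."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip().lstrip("# ").strip()
        if not line:
            continue
        tokens = shlex.split(line)
        verb = tokens[0]
        if verb == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif verb == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif verb == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif verb in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def ports_in_range(spec):
    """Expand a FortiOS portrange token such as "520", "500-501" or the
    "dst:src" form "520:1024-65535" into the set of destination ports."""
    dest = spec.split(":")[0]
    if "-" in dest:
        lo, hi = dest.split("-")
        return set(range(int(lo), int(hi) + 1))
    return {int(dest)}


def service_udp_ports(cfg):
    """Map each custom service name to the UDP destination ports it covers."""
    result = {}
    for name, attrs in cfg.get("firewall service custom", {}).items():
        ports = set()
        for spec in attrs.get("udp-portrange", []):
            ports |= ports_in_range(spec)
        result[name] = ports
    return result


def denied_udp_ports(cfg):
    """Return UDP ports blocked by an enabled local-in policy whose action is
    deny (deny is the FortiOS default when `set action` is absent)."""
    svc = service_udp_ports(cfg)
    blocked = set()
    for _pid, attrs in cfg.get("firewall local-in-policy", {}).items():
        action = attrs.get("action", ["deny"])[0]
        status = attrs.get("status", ["enable"])[0]
        if action != "deny" or status != "enable":
            continue
        for name in attrs.get("service", []):
            blocked |= svc.get(name, set())
    return blocked


def unblocked_default_ports(cfg):
    """Default-open UDP ports still not covered by a deny local-in policy."""
    blocked = denied_udp_ports(cfg)
    return {p: d for p, d in DEFAULT_OPEN_UDP_PORTS.items() if p not in blocked}


# Constructed sample: RIP is denied; BFD has a service but an *accept* policy,
# so it remains open. Everything else has no policy at all.
SAMPLE_CONFIG = """
# config firewall service custom
    edit "RIP"
        set category "General"
        set udp-portrange 520
    next
    edit "BFD"
        set category "General"
        set udp-portrange 3784
    next
end
# config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "RIP"
        set schedule "always"
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "BFD"
        set schedule "always"
    next
end
"""

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for port, desc in sorted(unblocked_default_ports(cfg).items()):
        print(f"UDP {port} ({desc}) has no deny local-in policy")
```

Running the script on the sample reports every port except 520 as still open; swapping in a real backup (`show firewall service custom` and `show firewall local-in-policy` output) gives the same report for that unit. Note that a policy with `set action accept` does not close a port, which is why BFD appears in the output even though a service for it exists.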
