shahv (Staff)
Article Id 189671

Description

This article describes how to block open ports on the FortiGate.

Scope

FortiGate.

Solution

Below are the ports and protocols that are open by design on the FortiGate.

Ports:

500 & 4500 - VPN
1144 - Fusion Script
3799 - RADIUS Dynamic Authorization
520 - RIP
3784 - BFD Control Protocol

 

Protocols.

 

2 - IGMP (Internet Group Management Protocol)
89 - OSPF (OSPFIGP)
112 - VRRP
103 - PIM (Protocol Independent Multicast)


For example, if RIP is not used, create a service for its port and a local-in policy that denies traffic matching that service.

From the CLI:

To block any port, follow the steps below to add a local-in policy that denies the traffic.

Create a service with the port:

config firewall service custom
    edit "RIP"
        set category "General"
        set udp-portrange 520
    next
end

Add the local-in policy:

config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "RIP"
        set schedule "always"
        set action deny
    next
end

The default action of a local-in policy is deny, so this policy drops the matching traffic; the action is set explicitly here so the intent is visible in the configuration.

Local-in policies are used to close open ports or otherwise restrict access to the FortiGate itself.
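The steps above cover the port-based form; the protocol entries in the list (IGMP, OSPF, VRRP, PIM) have no port and need a service built with set protocol IP and set protocol-number instead. The Python script below is an added example, not part of the article or of FortiOS: it emits the CLI for both forms with an explicit deny action, and the service names, the starting policy id and the 0-254 protocol-number range are assumptions.

```python
"""Added example (not from the article): emit FortiOS CLI that blocks unused
FortiGate listeners with deny local-in policies, covering both the port-based
form the article shows for RIP and the IP-protocol form needed for OSPF/PIM."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Service:
    name: str                              # firewall service custom object name
    udp_port: Optional[int] = None         # port-based listener, e.g. RIP = UDP/520
    protocol_number: Optional[int] = None  # IP-protocol listener, e.g. OSPF = 89

    def __post_init__(self) -> None:
        if (self.udp_port is None) == (self.protocol_number is None):
            raise ValueError(f"{self.name}: give exactly one of udp_port/protocol_number")
        if self.udp_port is not None and not 1 <= self.udp_port <= 65535:
            raise ValueError(f"{self.name}: UDP port out of range")
        # Assumption: FortiOS accepts 0-254 for protocol-number.
        if self.protocol_number is not None and not 0 <= self.protocol_number <= 254:
            raise ValueError(f"{self.name}: IP protocol number out of range")

    def service_cli(self) -> str:
        """One 'edit ... next' entry for config firewall service custom."""
        if self.udp_port is not None:
            body = f"        set udp-portrange {self.udp_port}"
        else:  # protocol-based services carry no port range
            body = f"        set protocol IP\n        set protocol-number {self.protocol_number}"
        return f'    edit "{self.name}"\n        set category "General"\n{body}\n    next'


def render_block(services: List[Service], first_policy_id: int = 1, intf: str = "any") -> str:
    """Service objects, then one explicit-deny local-in policy each; policy ids run
    sequentially from first_policy_id, so pick a start that does not collide."""
    out = ["config firewall service custom", *(s.service_cli() for s in services), "end",
           "config firewall local-in-policy"]
    for pid, s in enumerate(services, start=first_policy_id):
        out += [f"    edit {pid}", f'        set intf "{intf}"', '        set srcaddr "all"',
                '        set dstaddr "all"', f'        set service "{s.name}"',
                '        set schedule "always"', "        set action deny", "    next"]
    out.append("end")
    return "\n".join(out) + "\n"


# Constructed sample drawn from the article's list; block only what the unit does not use.
UNUSED = [Service("RIP", udp_port=520), Service("BFD", udp_port=3784),
          Service("OSPF", protocol_number=89), Service("PIM", protocol_number=103)]

if __name__ == "__main__":
    print(render_block(UNUSED, first_policy_id=10))
```

Include only services the FortiGate does not actually use, as the article notes for RIP, and check the existing local-in policy ids before choosing the starting id.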

To identify all of the ports that are open on the FortiGate, the commands below can be used:

diagnose sys tcpsock  <----- for TCP traffic
diagnose sys udpsock  <----- for UDP traffic

More on this topic can be found in the following KB article: View-which-ports-are-actively-open-and-in-use

Note:
From v7.6.0, it is possible to create a local-in policy from the GUI under Policy & Objects -> Local-In Policy -> Create New.