|
In this scenario, the configuration has been setup to block the TCP port 4433 for outgoing traffic. A new service object is created followed by the outbound firewall policy that references the specific service to block.
Access the FortiGate web interface:
- Go to Policy & Objects -> IPv4 Policy.
- Select Create New to set up a new firewall policy.
Adjust the following settings:
- Source Interface: Choose the interface where the traffic originates.
- Destination Interface: Pick the interface where the traffic is intended to go.
- Source Address: Enter the source IP address or range.
- Destination Address: Specify the destination IP address or range.
- Service: Select the particular service or port you want to restrict.
It is possible to customize the port by creating a new service as below:
Go to Policy & Object -> Services -> Create New.
Action: Set the action to Deny to block the traffic.
Save the new firewall policy.
In the CLI:
config firewall service custom
edit "custome-port"
set tcp-portrange 4433
next
end
config firewall policy
edit 4
set name "block_4433"
set srcintf "port3" <- LAN interface.
set dstintf "port1" <- WAN interface.
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "custome-port"
set action deny
set logtraffic all
next
end
In this example, policy is configured from LAN (port3) to WAN (port1).
Once the traffic reaches the FortiGate, it will be dropped by the policy. The debug and sniffer outputs for port 4433 are shown below.
Debug:
FGT-GRG # id=65308 trace_id=1 func=print_pkt_detail line=5942 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:55925->142.250.203.238:4433) tun_id=0.0.0.0 from port3. flag [S], seq 568628668, ack 0, win 64240"
id=65308 trace_id=1 func=init_ip_session_common line=6127 msg="allocate a new session-00006729"
id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-10.5.31.254 via port1"
id=65308 trace_id=1 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=3"
id=65308 trace_id=1 func=fw_forward_handler line=839 msg="Denied by forward policy check (policy 4)"
id=65308 trace_id=2 func=print_pkt_detail line=5942 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:55925->142.250.203.238:4433) tun_id=0.0.0.0 from port3. flag [S], seq 568628668, ack 0, win 64240"
id=65308 trace_id=2 func=init_ip_session_common line=6127 msg="allocate a new session-00006739"
id=65308 trace_id=2 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-10.5.31.254 via port1"
id=65308 trace_id=2 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=3"
id=65308 trace_id=2 func=fw_forward_handler line=839 msg="Denied by forward policy check (policy 4)"
Sniffer:
FGT-GRG # diagnose sniffer packet any "port 4433" 4 0 l
Using Original Sniffing Mode:
interfaces=[any]
filters=[port 4433]
2024-08-31 16:33:13.155302 port3 in 10.10.10.2.55925 -> 142.250.203.238.4433: syn 568628668
2024-08-31 16:33:14.170127 port3 in 10.10.10.2.55925 -> 142.250.203.238.4433: syn 568628668
2024-08-31 16:33:16.185680 port3 in 10.10.10.2.55925 -> 142.250.203.238.4433: syn 568628668
2024-08-31 16:33:20.185948 port3 in 10.10.10.2.55925 -> 142.250.203.238.4433: syn 568628668
2024-08-31 16:33:28.217697 port3 in 10.10.10.2.55925 -> 142.250.203.238.4433: syn 568628668
^C
5 packets received by filter
0 packets dropped by kernel
The syn packet is not being sent out.
To block local traffic, the following document can be used:local-in-policy
Open ports can be checked with the commands:
diagnose sys tcpsock <----- For TCP traffic and:
diagnose sys udpsock <----- For UDP traffic .
If there is some specific port that needs to be checked, the grep function comes in handy. For this specific case about TCP port 4433, the following command should be used:
diagnose sys tcpsock | grep 4433
The lack of any output points out that the port is not open.
|
