FortiGate
akawade
Staff
Article Id 198642

Description
This article describes how to block BGP (TCP port 179) on the WAN interface to help prevent scans from external networks.

This also applies where port 179 shows as 'open' on IP addresses defined in an IP pool, even if the pool is not in use.

Solution


In some scenarios it may be necessary to block all BGP traffic arriving from outside the network. In such cases, a local-in policy can be used to deny unwanted BGP traffic on the WAN interfaces.

The following example demonstrates how to block traffic to port 179 on the wan1 interface.


config firewall service custom

    edit "BGP"
        set tcp-portrange 179
    next
end


config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "BGP"
        set schedule "always"
    next
end


Note: If multiple WAN interfaces are present, configure a local-in policy on each additional WAN interface as well. A local-in policy that blocks port 179 only on a WAN interface does not block BGP communication on internal/local LAN interfaces; only BGP communication arriving on that WAN interface is blocked.
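To check the note above across several WAN interfaces, here is an added Python example (not from the article or from Fortinet) that parses a saved FortiOS configuration export and lists the WAN interfaces that have no enabled deny local-in policy whose service covers TCP/179. The configuration text embedded in it is constructed for the demonstration, and the interface list is assumed to be supplied by the operator.

```python
# Constructed sample FortiOS config (not a real device dump): the BGP service
# is defined and denied on wan1 only, while wan2 has no such policy.
SAMPLE_CONFIG = """\
config firewall service custom
    edit "BGP"
        set tcp-portrange 179
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set action deny
        set service "BGP"
    next
end
"""

def parse_fortios(text):
    # Returns {table: {entry: {key: [values]}}}; top-level tables only,
    # nested "config" sub-tables inside an edit block are not handled.
    sections, cur_sec, cur_edit = {}, None, None
    for line in text.splitlines():
        toks = [t.strip('"') for t in line.split()]
        if not toks:
            continue
        if toks[0] == "config":
            cur_sec = sections.setdefault(" ".join(toks[1:]), {})
        elif toks[0] == "edit":
            cur_edit = cur_sec.setdefault(toks[1], {})
        elif toks[0] == "set":
            cur_edit[toks[1]] = toks[2:]
    return sections

def services_covering(sections, port=179):
    # Custom service names whose tcp-portrange includes `port`.
    found = set()
    for name, attrs in sections.get("firewall service custom", {}).items():
        for spec in attrs.get("tcp-portrange", []):
            lo, _, hi = spec.split(":")[0].partition("-")  # "179", "170-180", "179:1024-65535"
            if int(lo) <= port <= int(hi or lo):
                found.add(name)
    return found

def unprotected_wan(sections, wan_ifaces, port=179):
    # WAN interfaces with no enabled deny local-in policy for a service covering `port`.
    svcs = services_covering(sections, port)
    covered = set()
    for pol in sections.get("firewall local-in-policy", {}).values():
        if pol.get("status", ["enable"])[0] != "enable" or pol.get("action", ["deny"])[0] != "deny":
            continue  # FortiOS defaults: status enable, action deny
        if svcs & set(pol.get("service", [])):
            covered.update(pol.get("intf", []))
    return [i for i in wan_ifaces if i not in covered]
```

Run it against a full `show full-configuration` export and the list of WAN interfaces on the unit; any interface returned still needs its own local-in policy.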


From FortiOS 7.6.0 onward, the local-in policy can also be configured via the GUI. See the documentation.