FortiGate
simonz_FTNT
Staff
Article Id 193666

Description


This article describes how to prevent the ports used by FortiGuard (8008, 8010, and 8020) from being exposed externally when a static NAT VIP is used.


Explanation regarding these ports:

  • Port 8008 is used by the FortiGate to authenticate with FortiGuard when an HTTP override request occurs (FortiGuard web filter HTTP override authentication).
  • Port 8010 is used by the FortiGate to authenticate with FortiGuard when an HTTPS override request occurs (FortiGuard web filter HTTPS override authentication).
  • Port 8015 is used by the FortiGate to authenticate with FortiGuard when an HTTPS override request occurs in flow mode (FortiGuard web filter HTTPS override authentication).
  • Port 8020 is used by the FortiGate for FortiGuard web filter warning authentication.

 

The solutions below can also be applied to other ports opened by FortiGuard or by other services.


When static NAT is configured to publish a service port other than HTTPS, and the firewall policy has UTM enabled in proxy inspection mode, the FortiGuard ports 8008, 8010, and 8020 are opened externally. Port 8015 is opened if flow-based inspection mode is used. Below is a sample configuration:


Client ---(Internet)---- (10.56.243.92)-port1-[FGT]-port3-(10.1.0.92)-----Email/Web Server-(10.1.0.67).

config firewall vip
    edit "Email_Web"
        set extip 10.56.243.92
        set extintf "any"
        set mappedip "10.1.0.67"
    next
end

 



config firewall policy
    edit 2
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Email_Web"
        set action accept
        set schedule "always"
        set service "ALL_ICMP" "SMTP"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set emailfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
        set fsso disable
    next
end


 

 

Scope

FortiGate.


Solution

 

  1. Create a new ssl-ssh-profile called 'custom' (or any preferred name) with HTTPS inspection disabled:

 

config firewall ssl-ssh-profile
    edit "custom"
        config https
            set status disable
        end
        config ftps
            set ports 990
            set status deep-inspection
        end
        config imaps
            set ports 993
            set status deep-inspection
        end
        config pop3s
            set ports 995
            set status deep-inspection
        end
        config smtps
            set ports 465
            set status deep-inspection
        end
        config ssh
            set ports 22
            set status disable
        end
end

 


 

  2. Apply the newly created ssl-ssh-profile to the affected firewall policy:

 

config firewall policy
    edit 2
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Email_Web"
        set action accept
        set schedule "always"
        set service "ALL_ICMP" "SMTP"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "custom"   <-
        set emailfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
        set fsso disable
    next
end

 


 

If the same VIP also hosts an HTTPS service, an additional firewall policy is required above the existing policy, as in the example below.

 

config firewall policy
    edit 3
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Email_Web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
        set fsso disable
    next
end

 


 

Solution 2:

 

  1. Create a firewall policy with 'set match-vip enable' and a custom service for the specific port:

 

config firewall service custom
    edit "8010"
        set tcp-portrange 8010
    next
end

 

config firewall policy
    edit 6
        set name "blockvip"
        set uuid c95523f6-0cc2-51ec-9088-bd948d796fe5
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Email_Web"
        set schedule "always"
        set service "8010"   <-
        set logtraffic disable
        set match-vip enable   <-
    next
end

 

The debug flow can be used to confirm that the traffic matches the deny firewall policy:

 

id=20085 trace_id=1 func=iprope_fwd_auth_check line=803 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-6"
id=20085 trace_id=1 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 6)"<-
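As an added example (not from the article), the following Python script parses 'diagnose debug flow' output and reports, per trace_id, which policy matched and whether the packet was dropped or accepted. The sample input embeds the two trace_id=1 lines shown above; the trace_id=2 lines are constructed in the same format to represent a flow allowed by policy 2, and the regexes assume the message formats shown on this page.

```python
import re

# Constructed sample input. The two "trace_id=1" lines are the ones the
# article shows; the "trace_id=2" lines are constructed in the same format
# to represent a flow that was allowed by policy 2.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=iprope_fwd_auth_check line=803 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-6"
id=20085 trace_id=1 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 6)"
id=20085 trace_id=2 func=iprope_fwd_auth_check line=803 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-2"
id=20085 trace_id=2 func=fw_forward_handler line=630 msg="Allowed by Policy-2:"
"""

# Patterns assume the message formats shown on this page.
TRACE_RE = re.compile(r"trace_id=(?P<trace>\d+)")
MATCH_RE = re.compile(r"ret-matched, act-(?P<act>\w+), idx-(?P<idx>\d+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (?P<pol>\d+)\)")
ALLOW_RE = re.compile(r"Allowed by Policy-(?P<pol>\d+)")


def summarize_traces(debug_flow: str) -> dict:
    """Return {trace_id: {"policy": <id>, "action": "drop"|"accept"}}.

    The policy-match line (act-.../idx-...) gives the first answer; the
    later "Denied by"/"Allowed by" line confirms it and takes precedence.
    """
    traces = {}
    for line in debug_flow.splitlines():
        t = TRACE_RE.search(line)
        if not t:
            continue
        entry = traces.setdefault(int(t.group("trace")), {})
        m = MATCH_RE.search(line)
        if m:
            entry["policy"] = int(m.group("idx"))
            entry["action"] = m.group("act")
        d = DENY_RE.search(line)
        if d:
            entry["policy"] = int(d.group("pol"))
            entry["action"] = "drop"
        a = ALLOW_RE.search(line)
        if a:
            entry["policy"] = int(a.group("pol"))
            entry["action"] = "accept"
    return traces


def deny_policy_matched(debug_flow: str, policy_id: int) -> bool:
    """True if at least one trace was dropped by the given policy id."""
    return any(e.get("policy") == policy_id and e.get("action") == "drop"
               for e in summarize_traces(debug_flow).values())


if __name__ == "__main__":
    for trace, result in sorted(summarize_traces(SAMPLE_DEBUG_FLOW).items()):
        print(f"trace_id={trace}: policy {result['policy']} -> {result['action']}")
    print("deny policy 6 matched:", deny_policy_matched(SAMPLE_DEBUG_FLOW, 6))
```

To use it on a real capture, paste the output of the debug flow session into SAMPLE_DEBUG_FLOW or read it from a file; a result of drop for the VIP's policy id (6 in the article) confirms the blockvip policy is the one taking effect.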

 

Note:

After closing the VIP ports 8008, 8010, 8015, and 8020, make sure the tests are done from a computer that is not behind another FortiGate, as that FortiGate will intercept the traffic and cause a false positive result.

 

If testing must be done from behind another FortiGate, temporarily close those ports with 'set close-ports enable' and set it back to disable once testing is completed.
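An added Python check (not part of the article) for the external test described above: run it from a host that is not behind another FortiGate against the VIP's external IP, and it reports which of the FortiGuard authentication ports still accept a TCP connection. Once the VIP is fixed the result should be empty. The default target is the VIP extip from this article's sample configuration and is only an assumption for the illustration; the local_listener helper exists so the probe can be sanity-checked against a loopback socket.

```python
import socket
import sys

# FortiGuard override/warning authentication ports named in this article.
FORTIGUARD_AUTH_PORTS = (8008, 8010, 8015, 8020)


def port_is_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect() probe: True only if the handshake completes.

    Refused, timed out and unreachable all count as 'not open', which is
    the expected result for every port once the VIP no longer exposes them.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_ports(host: str, ports=FORTIGUARD_AUTH_PORTS, timeout: float = 3.0) -> list:
    """Return the subset of `ports` on `host` that still accept a TCP connection."""
    return [p for p in ports if port_is_open(host, p, timeout)]


def local_listener(host: str = "127.0.0.1"):
    """Open a listening loopback socket on an ephemeral port (for self-test).

    Returns (socket, port); close the socket to make the port refuse again.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Assumed target: the VIP extip from the article's sample configuration.
    target = sys.argv[1] if len(sys.argv) > 1 else "10.56.243.92"
    still_open = exposed_ports(target)
    if still_open:
        print(f"{target}: FortiGuard auth ports still reachable: {still_open}")
    else:
        print(f"{target}: none of {FORTIGUARD_AUTH_PORTS} accept a connection")
```

Run it as `python3 check_vip_ports.py <VIP extip>` from the outside host; a port that is listed as reachable means the corresponding FortiGuard authentication service is still being published through the VIP.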

 

If the firewall is running in NGFW mode and the flow-mode HTTPS override port has been changed to 9015:

config webfilter fortiguard
    set ovrd-auth-port-https-flow 9015   <-
end

 

The device behind the firewall, which is reachable at https://1.1.1.1:8015, is blocked by Web Filter Block Override.

 


 

From the test, port 8015 should be open in the following cases:

  1. NGFW mode.
  2. Flow-mode web filter override/warning/authentication is enabled.
  3. Embed image is disabled and:
     • SSL inspection is enabled in flow mode with a web filter or Application Control profile.
     • SSL deep inspection is enabled in flow mode with at least one of the following UTM profiles:
       • DLP sensor with HTTPS scan.
       • File filter profile with HTTPS scan.
       • AV profile with antivirus scan enabled.

 

For more information regarding the use of the 'set match-vip' command, see these articles:

Technical Tip: DENY Policy for Virtual IP Firewall Policy

Technical Tip: Firewall does not block incoming (WAN to LAN) connection even though deny policy