FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
simonz_FTNT
Staff
Staff
Article Id 193666

Description


This article describes how to disable the FortiGuard used ports 8008, 8010, and 8020 from being exposed to external when using static NAT.


Explanation regarding these ports
    Port 8008 is used by the FortiGate to authenticate with FortiGuard when an HTTP override request occurs (FortiGuard web filter HTTP override authentication)
    Port 8010 is used by FortiGate to authenticate with FortiGuard when an HTTPS override request occurs (FortiGuard web filter HTTPS override authentication)
    Port 8020 is used by the FortiGate for FortiGuard web filter warning authentication.

Also for other ports used by FortiGuard or others, we can use the solutions below.


When static NAT is configured to publish service port other than HTTPS with proxy inspection-mode UTM enable results in opening ports 8008, 8010, and 8020 (FortiGuard) to external, below is the sample of configuration :


Client ---(Internet)---- (10.56.243.92)-port1-[FGT]-port3-(10.1.0.92)-----Email/Web Server-(10.1.0.67)
 

# config firewall vip
    edit "Email_Web"
        set extip 10.56.243.92
        set extintf "any"
        set mappedip "10.1.0.67"
    next
end

# config firewall policy

    edit 2
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Email_Web"
        set action accept
        set schedule "always"
        set service "ALL_ICMP" "SMTP"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set emailfilter-profile "default"         
        set ips-sensor "default"
        set logtraffic all
        set fsso disable
    next

 


Solution 1.


1) Create a new certificate ssl-ssh-profile call “custom” or any preferable name with HTTPS disable.

 

# config firewall ssl-ssh-profile
    edit "custom"
        config https
            set status disable
        end
        # config ftps
            set ports 990
            set status deep-inspection
        end
        # config imaps
            set ports 993
            set status deep-inspection
        end
        # config pop3s
            set ports 995
            set status deep-inspection
        end
        # config smtps
            set ports 465
            set status deep-inspection
        end
        # config ssh
            set ports 22
            set status disable
        end
end

2) Apply the newly created ssl-ssh-profile above to affect policy.

 

  #config firewall policy
    edit 2
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Email_Web"
        set action accept
        set schedule "always"
        set service "ALL_ICMP" "SMTP"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "custom"  <---------
        set emailfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
        set fsso disable
    next

If the same VIP is hosting HTTPS service, an additional firewall policy is required above the existing policy as below example.

 

 #config firewall policy
    edit 3

        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Email_Web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
        set fsso disable
    next


 

Solution 2.

 

1) Create a Firewall policy with set match-vip enable and specific custom service

 

#config firewall service custom
    edit "8010"
       set tcp-portrange 8010
    next
#config firewall policy
    edit 6
        set name "blockvip"
        set uuid c95523f6-0cc2-51ec-9088-bd948d796fe5
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Email_Web"
        set schedule "always"
        set service "8010" <-----------
        set logtraffic disable
        set match-vip enable <------------
    next
       

It is possible to check on the debug flow matching the denied Firewall Policy:

 

id=20085 trace_id=1 func=iprope_fwd_auth_check line=803 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-6"
id=20085 trace_id=1 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 6)" <--------------

 

Notes:

After closing the VIP ports 8008, 8010, 8015, and 8020 make sure the tests are done from a computer that is not behind another FortiGate as FortiGate will intercept the traffic causing a false positive result.

 

If it requires to be done behind another FortiFate, it is necessary to temporarily disable those port by 'set close-ports enable' and disable it back once testing is completed.

 

For more information regarding the use of the command set match-vip, check below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-DENY-Policy-for-Virtual-IP-Firewall-Policy...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LA...