Description
This article describes how to prevent the FortiGuard ports 8008, 8010, and 8020 from being exposed externally when a service is published with static NAT.
Explanation regarding these ports
Port 8008 is used by the FortiGate to authenticate with FortiGuard when an HTTP override request occurs (FortiGuard web filter HTTP override authentication).
Port 8010 is used by the FortiGate to authenticate with FortiGuard when an HTTPS override request occurs (FortiGuard web filter HTTPS override authentication).
Port 8020 is used by the FortiGate for FortiGuard web filter warning authentication.
The solutions below can also be applied to other ports used by FortiGuard or by other services.
When static NAT is configured to publish a service port other than HTTPS, and the firewall policy has UTM enabled in proxy inspection mode, ports 8008, 8010, and 8020 (FortiGuard) are opened to external hosts on the VIP address. Below is a sample of such a configuration:
# config firewall vip
edit "Email_Web"
set extip 10.56.243.92
set extintf "any"
set mappedip "10.1.0.67"
next
end
# config firewall policy
edit 2
set srcintf "port1"
set dstintf "port3"
set srcaddr "all"
set dstaddr "Email_Web"
set action accept
set schedule "always"
set service "ALL_ICMP" "SMTP"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "certificate-inspection"
set emailfilter-profile "default"
set ips-sensor "default"
set logtraffic all
set fsso disable
next
Solution 1
1) Create a new ssl-ssh-profile called "custom" (or any preferred name) with HTTPS inspection disabled.
# config firewall ssl-ssh-profile
edit "custom"
config https
set status disable
end
# config ftps
set ports 990
set status deep-inspection
end
# config imaps
set ports 993
set status deep-inspection
end
# config pop3s
set ports 995
set status deep-inspection
end
# config smtps
set ports 465
set status deep-inspection
end
# config ssh
set ports 22
set status disable
end
end
2) Apply the newly created ssl-ssh-profile to the affected policy.
# config firewall policy
edit 2
set srcintf "port1"
set dstintf "port3"
set srcaddr "all"
set dstaddr "Email_Web"
set action accept
set schedule "always"
set service "ALL_ICMP" "SMTP"
set utm-status enable
set inspection-mode proxy
set ssl-ssh-profile "custom" <---------
set emailfilter-profile "default"
set ips-sensor "default"
set logtraffic all
set fsso disable
next
If the same VIP also hosts an HTTPS service, an additional firewall policy for HTTPS is required above the existing policy, as in the example below.
# config firewall policy
edit 3
set srcintf "port1"
set dstintf "port3"
set srcaddr "all"
set dstaddr "Email_Web"
set action accept
set schedule "always"
set service "HTTPS"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set ips-sensor "default"
set logtraffic all
set fsso disable
next
Solution 2
1) Create a firewall policy with 'set match-vip enable' and a specific custom service for the port to block (port 8010 in this example).
# config firewall service custom
edit "8010"
set tcp-portrange 8010
next
# config firewall policy
edit 6
set name "blockvip"
set uuid c95523f6-0cc2-51ec-9088-bd948d796fe5
set srcintf "port1"
set dstintf "port3"
set srcaddr "all"
set dstaddr "Email_Web"
set schedule "always"
set service "8010" <-----------
set logtraffic disable
set match-vip enable <------------
next
The debug flow output shows the traffic matching the deny firewall policy:
id=20085 trace_id=1 func=iprope_fwd_auth_check line=803 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-6"
id=20085 trace_id=1 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 6)" <--------------
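As an added example (not code from the original article or from Fortinet), the following Python audit script parses a FortiOS configuration export in the format shown above and reports VIP policies that still expose the FortiGuard ports: proxy-mode UTM policies whose ssl-ssh-profile keeps HTTPS enabled (Solution 1 not applied) and which no earlier match-vip deny policy covering 8008/8010/8020 shields (Solution 2 not applied). The parser, the sample configuration and the handling of custom service names are assumptions about the export format, and profiles absent from the export (such as the built-in ones) are assumed to have HTTPS enabled.

```python
import shlex

FORTIGUARD_PORTS = {"8008", "8010", "8020"}  # HTTP/HTTPS override and warning auth

def parse_fortios(text):
    """Nested dicts from the config/edit/set/next/end subset shown on this page
    (constructed parser; dict insertion order preserves policy sequence)."""
    stack = [{}]
    for raw in text.splitlines():
        words = shlex.split(raw.strip().lstrip("#"))  # drop CLI prompt marker
        if words and words[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(words[1:]), {}))
        elif words and words[0] == "set":
            stack[-1][words[1]] = words[2:]
        elif words and words[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def exposed_policies(cfg):
    """IDs of proxy-mode UTM policies to a VIP whose ssl-ssh-profile keeps https
    enabled (Solution 1 missing) and that no earlier match-vip deny policy
    covering 8008/8010/8020 shields (Solution 2 missing)."""
    vips = set(cfg.get("firewall vip", {}))
    profiles = cfg.get("firewall ssl-ssh-profile", {})
    custom = cfg.get("firewall service custom", {})
    shielded, findings = set(), []
    for pid, pol in cfg.get("firewall policy", {}).items():
        dst = set(pol.get("dstaddr", [])) & vips
        if pol.get("match-vip") == ["enable"] and pol.get("action", ["deny"]) == ["deny"]:
            # single-port custom services only; ranges like 8008-8020 are not expanded
            ports = {p for s in pol.get("service", []) for p in custom.get(s, {}).get("tcp-portrange", [])}
            if FORTIGUARD_PORTS <= ports:
                shielded |= dst
        elif pol.get("utm-status") == ["enable"] and pol.get("inspection-mode") == ["proxy"]:
            https = profiles.get(pol.get("ssl-ssh-profile", [""])[0], {}).get("https", {})
            if https.get("status") != ["disable"] and dst - shielded:
                findings.append(pid)
    return findings

# Constructed sample: the page's exposed policy 2 plus a copy (policy 4) that
# already uses the https-disabled "custom" profile from Solution 1.
SAMPLE = "\n".join([
    'config firewall vip', 'edit "Email_Web"', 'set mappedip "10.1.0.67"', 'next', 'end',
    'config firewall ssl-ssh-profile', 'edit "custom"', 'config https',
    'set status disable', 'end', 'next', 'end',
    'config firewall policy', 'edit 2', 'set dstaddr "Email_Web"', 'set action accept',
    'set utm-status enable', 'set inspection-mode proxy',
    'set ssl-ssh-profile "certificate-inspection"', 'next', 'edit 4',
    'set dstaddr "Email_Web"', 'set action accept', 'set utm-status enable',
    'set inspection-mode proxy', 'set ssl-ssh-profile "custom"', 'next', 'end'])
```

Running exposed_policies(parse_fortios(SAMPLE)) reports only policy 2; prepending a match-vip deny policy that covers all three ports clears the finding, while placing the same deny policy after policy 2 does not, which mirrors the "above the existing policy" requirement.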
For more information regarding the use of the command set match-vip, check below: