Description
This article describes why some ports are opened once traffic hits the firewall policy with UTM profiles in proxy inspection mode even though they are closed on the server side.
Scope
Any supported version of FortiGate.
Solution
Topology
Scenario A:
The user is protected by FortiGate and runs a port scan (for example, NMAP) against the server on the internet.
Scenario B:
The server is protected by FortiGate (the server has a public IP address and VIP is not used) and the user is running a port scan (for example, NMAP) against the server.
During a security audit, the engineer may find some ports open even though they are closed on the server side. This may occur because traffic hits the firewall policy with UTM security profiles in proxy mode.
If the UTM security profile is in proxy mode, two sessions are established: one between the user and FortiGate and one between FortiGate and the server. FortiGate sends a (SYN ACK) packet to the client immediately, without waiting for a (SYN ACK) packet from the server. See the diagram below:
A list of inspected/open ports can be set under the following:
In the CLI:
config firewall profile-protocol-options
In the GUI:
Go to Policy & Objects -> Proxy Options.
All configured ports will be inspected, and FortiGate will send (SYN ACK) packets for all selected ports regardless of whether they are open on the server side.
Moreover, extra ports can be opened when deep inspection is in effect.
The list of open ports can be configured under the following:
In the CLI:
config firewall ssl-ssh-profile
In the GUI:
Go to Security Profiles -> SSL/SSH Inspection.
All configured ports will be inspected, and FortiGate will send (SYN ACK) packets for all selected ports regardless of whether they are open on the server side.
See examples below. Output may differ depending on the environment.
No UTM in proxy inspection mode or UTM in flow inspection mode:
nmap <server IP address> -Pn
Not shown: 993 filtered ports
PORT STATE SERVICE
53/tcp open domain
113/tcp closed ident
541/tcp open uucp-rlogin
1443/tcp open ies-lm
2000/tcp open cisco-sccp
5060/tcp open sip
8008/tcp open http
UTM in proxy inspection mode without deep inspection and default 'Proxy Options':
nmap <server IP address> -Pn
Not shown: 987 filtered ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
113/tcp closed ident
115/tcp open msrpc
143/tcp open imap
541/tcp open uucp-rlogin
1443/tcp open ies-lm
2000/tcp open cisco-sccp
5060/tcp open sip
8008/tcp open http
UTM in proxy inspection mode with deep inspection:
nmap <server IP address> -Pn
Not shown: 982 filtered ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
113/tcp closed ident
143/tcp open imap
443/tcp open https
465/tcp open smtps
541/tcp open uucp-rlogin
990/tcp open ftps
993/tcp open imaps
995/tcp open pop3s
1443/tcp open ies-lm
2000/tcp open cisco-sccp
5060/tcp open sip
8008/tcp open http
8010/tcp open xmpp
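The practical question during an audit is which of the "open" ports belong to the server and which were answered by the FortiGate proxy. The following added example (not part of the Fortinet article) diffs two nmap outputs of the same host: a baseline scan through a policy with no UTM or flow-mode UTM, and a scan through a proxy-mode policy. Ports open only in the proxied scan are the ones FortiGate answered for. The sample outputs are the article's own scan results with the target IP omitted; NMAP_DEFAULT_PORTS assumes nmap's default of scanning its top 1000 TCP ports when no -p option is given.

```python
"""Separate ports the server really answers on from ports that FortiGate's
proxy-mode inspection answers for, by diffing two nmap scans of one host.
Added example, not part of the Fortinet article."""
import re
from typing import Dict, Set

# nmap result rows look like "21/tcp open ftp"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) filtered ports", re.MULTILINE)
# Assumption: "nmap <host> -Pn" with no -p scans nmap's top 1000 TCP ports.
NMAP_DEFAULT_PORTS = 1000

# Sample input: the article's scan outputs (constructed here as strings).
BASELINE = """Not shown: 993 filtered ports
PORT STATE SERVICE
53/tcp open domain
113/tcp closed ident
541/tcp open uucp-rlogin
1443/tcp open ies-lm
2000/tcp open cisco-sccp
5060/tcp open sip
8008/tcp open http
"""

PROXY_DEFAULT = """Not shown: 987 filtered ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
113/tcp closed ident
115/tcp open msrpc
143/tcp open imap
541/tcp open uucp-rlogin
1443/tcp open ies-lm
2000/tcp open cisco-sccp
5060/tcp open sip
8008/tcp open http
"""

PROXY_DEEP = """Not shown: 982 filtered ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
113/tcp closed ident
143/tcp open imap
443/tcp open https
465/tcp open smtps
541/tcp open uucp-rlogin
990/tcp open ftps
993/tcp open imaps
995/tcp open pop3s
1443/tcp open ies-lm
2000/tcp open cisco-sccp
5060/tcp open sip
8008/tcp open http
8010/tcp open xmpp
"""


def parse_nmap(text: str) -> Dict[int, str]:
    """Return {port: state} for every TCP row in plain nmap output."""
    states: Dict[int, str] = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(2) == "tcp":
            states[int(m.group(1))] = m.group(3)
    return states


def open_ports(text: str) -> Set[int]:
    """Ports nmap reported as 'open' (a SYN/ACK was received)."""
    return {port for port, state in parse_nmap(text).items() if state == "open"}


def proxy_answered_ports(baseline: str, proxied: str) -> Set[int]:
    """Ports open only behind the proxy-mode policy: FortiGate, not the
    server, sent the SYN/ACK. These are the audit findings to explain."""
    return open_ports(proxied) - open_ports(baseline)


def scan_is_consistent(text: str) -> bool:
    """Sanity check on a pasted scan: shown rows plus the 'Not shown'
    count must equal the number of ports nmap scanned."""
    m = NOT_SHOWN.search(text)
    if not m:
        return False
    return int(m.group(1)) + len(parse_nmap(text)) == NMAP_DEFAULT_PORTS


if __name__ == "__main__":
    for label, scan in (("default proxy options", PROXY_DEFAULT),
                        ("deep inspection", PROXY_DEEP)):
        extra = sorted(proxy_answered_ports(BASELINE, scan))
        print(f"{label}: consistent={scan_is_consistent(scan)} "
              f"proxy-answered ports={extra}")
```

Ports in the proxy-answered set should be checked against the ports configured in the policy's protocol options and SSL/SSH inspection profile; if they match, the finding is explained by proxy inspection rather than by a service listening on the server.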
From FortiOS 6.4 onward, 'Proxy Options' is renamed 'Protocol Options'. If the firewall policy uses the default Protocol Options with proxy-based inspection, the following ports will be shown as open in a port scan:
It is possible to create a custom protocol options profile that disables inspection of these ports.
When flow inspection is in effect, FortiGate does not send a (SYN ACK) packet to the client before receiving a (SYN ACK) packet from the server, so the scan reflects only the ports actually open on the server.