FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
amahdi
Staff
Article Id 307391
Description This article describes a situation where, after the firewall is upgraded to v7.0.14, a user's regular external network scan reports port 8015 as open, although the port was not reported open before the upgrade.
Scope FortiGate.
Solution Port 8015 is the port FortiGate uses in flow mode to serve the FortiGuard web filter override authentication page over HTTPS (the 'ovrd-auth-port-https-flow' setting).
Starting from v7.0.14, the IPS engine listens on port 8015 whenever the block page is enabled in at least one active UTM profile with the embedded image disabled, or a web filter override is configured. Because that listener completes TLS handshakes and presents a certificate, an external scanner reports the port as open.

To resolve this issue, the user can do any of the following:

  1. Change 'ovrd-auth-port-https-flow' to a different port so that FortiGate no longer responds on port 8015:

 

config webfilter fortiguard
    set ovrd-auth-port-http 8008
    set ovrd-auth-port-https 8010
    set ovrd-auth-port-https-flow 8015  <----- Change this to a different, unused port.
    set ovrd-auth-port-warning 8020
end


  2. Disable the SSL/SSH Certificate Inspection profile on the corresponding policy, so the scanner can no longer retrieve the certificate and port 8015 no longer shows as open.

  3. If disabling the SSL/SSH Certificate Inspection profile is not an option, enable the optional filters under the Virtual IP: create custom services for the ports that must stay reachable and apply them to the Virtual IP. Only the required ports are then allowed, and port 8015 is blocked.

 (Screenshot: PORT-8015.png)

 

  4. The same restriction can be configured from the CLI: define a custom service for TCP 8015 and reference it, together with the VIP, in a deny policy. A firewall policy without 'set action accept' denies by default, and the deny policy must sit above the policy that allows traffic to the VIP so that it matches first.

     

config firewall service custom
    edit "TCP_8015"
        set color 22
        set tcp-portrange 8015
    next
end

 

config firewall policy
    edit 2
        set name "Block_8015_VIPs"       <----- Deny rule: no 'set action accept', so the default action (deny) applies.
        set srcintf "port1"              <----- WAN
        set dstintf "port3"              <----- LAN
        set srcaddr "all"
        set dstaddr "Restricting-8015"   <----- The VIP object
        set schedule "always"
        set service "TCP_8015"
        set logtraffic all
        set comments "Block_8015_VIPs"
    next
end
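To confirm that whichever option was applied actually changed what the outside world sees, it helps to reproduce the scanner's view: a TCP connect to the WAN address on 8015, followed by a TLS handshake to see whether a certificate is still presented. The script below is an added example written for this article; it is not Fortinet code and does not talk to a FortiGate by itself. The host, port and timeout are parameters, and the self_check() function uses constructed listeners on loopback so it can be run offline.

```python
"""Probe host:port the way an external scanner does: does a TCP handshake
complete, and if so, does a TLS server answer and present a certificate?
Added example for the FortiGate port 8015 article; not Fortinet code."""
import hashlib
import socket
import ssl
import threading
from typing import Optional


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a full TCP handshake completes; this is what an external
    scan reports as 'open', regardless of what speaks on the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_probe(host: str, port: int, timeout: float = 3.0) -> Optional[dict]:
    """Attempt a TLS handshake without certificate validation (a scanner does
    not trust the FortiGate's override certificate either).  Returns the
    negotiated protocol, cipher and SHA-256 fingerprint of the certificate
    the port presents, or None when no TLS server answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return {
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "cert_sha256": hashlib.sha256(der).hexdigest(),
                }
    except (OSError, ssl.SSLError, ValueError):
        return None


def scan_report(host: str, port: int = 8015, timeout: float = 3.0) -> dict:
    """One-port view of the 'regular external scanning' from the article:
    after a successful fix the port is either closed or open without TLS."""
    is_open = tcp_open(host, port, timeout)
    return {
        "port": port,
        "open": is_open,
        "tls": tls_probe(host, port, timeout) if is_open else None,
    }


def self_check() -> tuple:
    """Offline demonstration with constructed loopback listeners (no FortiGate
    involved): a plain-TCP port that accepts and hangs up shows as open with
    no certificate; a port nothing listens on shows as closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]

    def serve():
        # tcp_open() and tls_probe() each connect once; close both at once.
        for _ in range(2):
            try:
                conn, _addr = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    listening = scan_report("127.0.0.1", open_port, timeout=2.0)
    srv.close()

    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                        # nothing listens here any more
    silent = scan_report("127.0.0.1", closed_port, timeout=2.0)
    return listening["open"], listening["tls"], silent["open"]


if __name__ == "__main__":
    import sys
    # Run against the FortiGate WAN address before and after the change,
    # e.g. python3 probe8015.py 203.0.113.10 (address is a placeholder).
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(scan_report(target))
```

Run it from outside the WAN interface, once before the change and once after: a successful fix turns the "open" field to False (options 1, 3 and 4, which stop the port answering at all from that path) or leaves it open with "tls" None (the IPS listener no longer presents a certificate). A result that still carries a cert_sha256 means the scanner will keep flagging 8015.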