Description
Port enforcement checks in application control make it possible to block applications that run on non-standard TCP/IP ports.
This article describes this feature.
Scope
FortiGate.
Solution
Most networking applications run on specific ports. For example, SSH runs on port 22, and Facebook runs on ports 80 and 443.
If the default network service check is enabled in the Application Control profile, a port enforcement check is performed at the profile level, and any detected application signature running on a non-standard TCP/IP port is blocked. In other words, each application allowed by the application control sensor is only permitted on its default port.
To set a port enforcement check from the CLI:
config application list
    edit "default_port"
        # enable blocks allowed applications detected on non-default ports; disable turns the check off
        set enforce-default-app-port enable
        config entries
            edit 1
                # 15896 is the application signature ID used in this example (FTP, see below)
                set application 15896
                set action pass
            next
        end
    next
end
For example, when the above application control profile is applied, FTP traffic on its standard port (21) is allowed, while FTP traffic on a non-standard port (2121) is blocked.
To set the port enforcement check from the GUI:
It is also essential to understand the distinction between this feature and Network Protocol Enforcement (NPE). NPE does not block an application running on a non-default port, such as SSH running on port 222. NPE only enforces, or binds, a service such as SSH to its known port, such as 22.
To illustrate this, configure the port '22' with FTP instead of SSH as shown below.
With this configuration in place, an SSH attempt on port 22 is blocked, as shown below.
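To make the difference between the two checks concrete, the following is an added, simplified model (not FortiOS code, and not from this article) that applies both rules to constructed sample flows; the Flow class, the port table and the helper names are assumptions for illustration.

```python
# Added illustrative model of the two checks this article contrasts.
# Not FortiOS code: the port table and sample flows are constructed.
from dataclasses import dataclass

# Default ports named in the article; a real profile takes these from the signatures.
DEFAULT_APP_PORTS = {"FTP": {21}, "SSH": {22}}

@dataclass(frozen=True)
class Flow:
    app: str       # application identified by signature, e.g. "FTP"
    dst_port: int  # TCP port the session actually uses

def app_control_verdict(flow, allowed_apps, enforce_default_app_port):
    """Application Control entry with 'action pass' plus enforce-default-app-port.

    With enforcement on, an allowed application passes only on its default port.
    With enforcement off, the port is ignored. Applications not in the profile
    are returned as 'pass' here purely as a modelling assumption.
    """
    if flow.app not in allowed_apps:
        return "pass"
    if enforce_default_app_port and flow.dst_port not in DEFAULT_APP_PORTS[flow.app]:
        return "block"
    return "pass"

def npe_verdict(flow, port_bindings):
    """Network Protocol Enforcement: binds a port to one expected protocol.

    A flow is blocked only when its port is bound to a different protocol.
    A known protocol on an unbound port (SSH on 222) is not touched.
    """
    expected = port_bindings.get(flow.dst_port)
    if expected is not None and expected != flow.app:
        return "block"
    return "pass"

def compare(flows, allowed_apps, port_bindings):
    """Return (flow, app-control verdict, NPE verdict) for each constructed flow."""
    return [(f, app_control_verdict(f, allowed_apps, True), npe_verdict(f, port_bindings))
            for f in flows]

if __name__ == "__main__":
    sample = [Flow("FTP", 21), Flow("FTP", 2121), Flow("SSH", 22), Flow("SSH", 222)]
    # Article scenario: FTP allowed with enforcement on; NPE binds port 22 to FTP.
    for flow, ac, npe in compare(sample, {"FTP"}, {22: "FTP"}):
        print(f"{flow.app}:{flow.dst_port:<5} app-control={ac:<5} npe={npe}")
```

Running the script shows FTP on 2121 blocked only by application control, and SSH on 22 blocked only by NPE once port 22 is bound to FTP.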
For more information about Network protocol enforcement, refer to Network protocol enforcement - FortiGate 7.6.3 administration guide.
For policy based mode, refer to Add option to set application default port as a service port - FortiGate 7.2.0 new features.
Copyright 2025 Fortinet, Inc. All Rights Reserved.