FortiGate
wcruvinel
Staff
Article Id 393915
Description

This article describes the risks of keeping unnecessary TCP or UDP ports open on FortiGate public IPs.

It also explains how to check which ports are open or exposed to the Internet and how to block those that are not needed.

Regularly monitoring and reviewing these ports and blocking any that are not truly necessary helps improve security and reduce the risk of unauthorized access, denial-of-service attacks, or system compromise.

Scope

FortiGate.
Solution

Common Open Ports and Associated Risks:

Leaving the following ports open on FortiGate public IPs significantly increases the attack surface.
These ports are frequently targeted by automated internet-wide scans and attacks.

High-Risk Ports and Services:

Port | Protocol | Service       | Risk Summary
-----|----------|---------------|--------------------------------------------------------------------------------
21   | TCP      | FTP           | Plaintext credentials, brute-force attacks, and directory traversal vulnerabilities.
22   | TCP      | SSH           | Brute-force/dictionary attacks, remote root access risk, and high CPU usage under scanning.
23   | TCP      | Telnet        | Unencrypted, exploited by botnets (e.g., Mirai), and an outdated protocol.
80   | TCP      | HTTP          | Vulnerable web interfaces, XSS/SQLi attacks, and HTTP flood DoS.
443  | TCP      | HTTPS/SSL VPN | SSL VPN brute-force, CVEs (e.g., CVE-2018-13379), TLS renegotiation DoS.
179  | TCP      | BGP           | Brute-force/crash FortiGate through session spoofing or denial-of-service attacks.
3389 | TCP      | RDP           | Entry point for ransomware, brute-force, and remote code execution.
5060 | UDP/TCP  | SIP (VoIP)    | SIP flood, SPIT, brute-force registration attempts.
2000 | TCP      | Cisco SCCP    | VoIP DoS, unnecessary exposure, adds surface for attacks.

Technical Impact on FortiGate:

  • High CPU usage: each unsolicited connection attempt (especially on HTTPS, SSH, and SIP) consumes resources due to:
    • Session state tracking.
    • TLS/SSH handshakes.
    • Deep packet inspection.
    This can lead to CPU spikes, resource exhaustion, or conserve mode.

  • Service degradation:
    • SSL VPN users disconnected.
    • GUI/Admin unreachable.
    • Delays and dropped sessions.
    • DoS on management or VoIP services.


Examples of how to check exposed ports, the consequences, and how to mitigate them:

  1. Check which ports are exposed on the FortiGate public IP (Kali Linux was used):

nmap <IP FortiGate>

[Screenshot: scan.jpg, nmap scan output]

  2. If a malicious actor has this information, a simple hping3 flood can affect the service when the FortiGate is not properly hardened (Kali Linux was used).

For ethical testing of denial-of-service resilience, simulating traffic patterns, and crafting custom TCP/IP packets for protocol analysis, a tool such as hping3 can be used to generate the traffic.

https://linux.die.net/man/8/hping3

sudo hping3 -S -p 2000 --flood <IP FortiGate>

[Screenshot: flood.gif, FortiGate behaviour during the flood]

  3. See the Hardening document for the key steps to harden the FortiGate and maintain the highest possible security, along with the following Technical Tips:

Technical Tip: Restrict IPSec VPN access to certain countries

Technical Tip: How to block unauthorized connections to IPsec VPN

Technical Tip: Hardening FortiGate SSL VPN - Best Practices for Enhanced Security

Technical Tip: Use local-in policy to restrict unauthorized login attempts to administrative access ...

Technical Tip: How to close port TCP/UDP 5060 and TCP 2000

Technical Tip: How to configure IPv4 DOS policy

Technical Tip: How to block IoT scans from Shodan
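To turn the nmap scan from step 1 into a repeatable review against the high-risk port table above, here is an added example (not part of the original article): it parses nmap grepable (-oG) output and reports which open ports fall in that table. The scan text is a constructed sample for a placeholder IP, not real output from a FortiGate.

```python
# Added example (not part of the original article): audit an nmap grepable
# (-oG) scan of a FortiGate public IP against the article's high-risk port
# table. The scan text below is a constructed sample, not real output.
import re

# (port, protocol) pairs from the "High-Risk Ports and Services" table.
HIGH_RISK = {
    (21, "tcp"): "FTP", (22, "tcp"): "SSH", (23, "tcp"): "Telnet",
    (80, "tcp"): "HTTP", (443, "tcp"): "HTTPS/SSL VPN", (179, "tcp"): "BGP",
    (3389, "tcp"): "RDP", (5060, "tcp"): "SIP", (5060, "udp"): "SIP",
    (2000, "tcp"): "Cisco SCCP",
}

# Constructed sample of `nmap -sS -sU -oG - <IP FortiGate>` output.
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "500/open|filtered/udp//isakmp///, 2000/open/tcp//cisco-sccp///, "
    "5060/open/udp//sip///\tIgnored State: filtered (995)\n"
)

# Each entry in the -oG "Ports:" field is port/state/proto/owner/service/...
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)//([^/,]*)")

def parse_gnmap(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, svc in PORT_RE.findall(ports_field):
            hosts.setdefault(host, []).append((int(port), state, proto, svc))
    return hosts

def exposed_high_risk(text):
    """Open (or open|filtered) ports that appear in the risk table."""
    findings = []
    for host, ports in parse_gnmap(text).items():
        for port, state, proto, _svc in ports:
            if state.startswith("open") and (port, proto) in HIGH_RISK:
                findings.append((host, port, proto, HIGH_RISK[(port, proto)]))
    return findings

if __name__ == "__main__":
    for host, port, proto, svc in exposed_high_risk(SAMPLE_GNMAP):
        print(f"{host} {port}/{proto} ({svc}) is exposed; review or block it")
```

Run it against the output of `nmap -oG - <IP FortiGate>` and compare each finding with the services that genuinely need to be reachable from the Internet; anything else is a candidate for the local-in policy and DoS policy tips listed above.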

Conclusion:

Each unnecessary TCP/UDP port that is open/exposed represents a potential entry point for exploitation.

Regular scanning, restriction, and closure of unnecessary ports are critical measures for maintaining a secure and resilient environment.

These actions not only help prevent data breaches but also contribute to consistent performance, even under scanning or attack attempts.

Implementing preventive security controls is more cost-effective than responding to incidents. FortiGate hardening should be prioritized.