wcruvinel (Staff)
Article Id 393915
Description

This article describes the risks of keeping unnecessary TCP or UDP ports open on FortiGate public IPs.

It also explains how to check which ports are open or exposed to the Internet and how to block those that are not needed.

Regularly monitoring and reviewing these ports and blocking any that are not truly necessary helps improve security and reduces the risk of unauthorized access, denial-of-service attacks, or system compromise.

Scope

FortiGate

Solution

Common Open Ports and Associated Risks:

Leaving the following ports open on FortiGate public IPs significantly increases the attack surface.
These ports are frequently targeted by automated internet-wide scans and attacks.

 

High-Risk Ports and Services:

 

Port   Protocol   Service          Risk Summary
21     TCP        FTP              Plaintext credentials, brute-force attacks, directory traversal vulnerabilities
22     TCP        SSH              Brute-force/dictionary attacks, remote root access risk, high CPU under scanning
23     TCP        Telnet           Unencrypted, exploited by botnets (e.g., Mirai), outdated protocol
80     TCP        HTTP             Vulnerable web interfaces, XSS/SQLi attacks, HTTP flood DoS
443    TCP        HTTPS/SSL VPN    SSL VPN brute-force, CVEs (e.g., CVE-2018-13379), TLS renegotiation DoS
179    TCP        BGP              Brute-force/crash FortiGate through session spoofing or denial-of-service attacks
3389   TCP        RDP              Entry point for ransomware, brute-force, remote code execution
5060   UDP/TCP    SIP (VoIP)       SIP flood, SPIT, brute-force registration attempts
2000   TCP        Cisco SCCP       VoIP DoS, unnecessary exposure, adds surface for attacks

 

Technical Impact on FortiGate:

  • High CPU usage: each unsolicited connection attempt (especially on HTTPS, SSH, SIP) consumes resources due to:
    • Session state tracking
    • TLS/SSH handshakes
    • Deep packet inspection
    This can lead to CPU spikes, resource exhaustion, or conserve mode.

  • Service degradation:
    • SSL VPN users disconnected
    • GUI/Admin unreachable
    • Delays and dropped sessions
    • DoS on management or VoIP services

 

Examples of how to check exposed ports, the consequences, and how to mitigate them:

  1. Check which ports are exposed on the FortiGate (Kali Linux was used):

nmap <IP FortiGate>

[Image: scan.jpg, nmap scan output showing the open ports on the FortiGate public IP]

 

  2. If a malicious actor has this information, see how a simple hping3 flood can affect the service if the FortiGate is not properly hardened (Kali Linux was used):

sudo hping3 -S -p 2000 --flood <IP FortiGate>

 

[Image: flood.gif, FortiGate resource usage during the hping3 flood]

 

  3. See the FortiGate hardening guide for key steps to harden the FortiGate and maintain the highest possible level of security:

Technical Tip: Restrict IPSec VPN access to certain countries

Technical Tip: How to block unauthorized connections to IPsec VPN

Technical Tip: Hardening FortiGate SSL VPN - Best Practices for Enhanced Security

Technical Tip: Use local-in policy to restrict unauthorized login attempts to administrative access ...

Technical Tip: How to close port TCP/UDP 5060 and TCP 2000

Technical Tip: How to configure IPv4 DOS policy

Technical Tip: How to block IoT scans from Shodan
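The following script is an added example for this article, not Fortinet code. It turns step 1 into a repeatable check: it parses nmap grepable output (the real `nmap -oG` format, where each port entry reads port/state/protocol/owner/service/rpc/version), compares every open port against a hypothetical allowlist of services the organisation exposes on purpose (here only SSL VPN on TCP/443), and annotates the rest with the risk notes from the table above. The scan text is a constructed sample using a documentation address, not real output. The resulting list is what would then be denied with a local-in policy as described in step 3.

```python
"""Audit an nmap grepable (-oG) scan of a FortiGate public IP.

Added example for this article, not Fortinet code. The scan text below is a
constructed sample (203.0.113.10 is a documentation address), not real output.
"""
from dataclasses import dataclass

# Risk notes per (protocol, port), taken from the table in this article.
HIGH_RISK = {
    ("tcp", 21): "FTP: plaintext credentials, brute-force attacks, directory traversal",
    ("tcp", 22): "SSH: brute-force/dictionary attacks, remote root access risk",
    ("tcp", 23): "Telnet: unencrypted, exploited by botnets, outdated protocol",
    ("tcp", 80): "HTTP: vulnerable web interfaces, XSS/SQLi, HTTP flood DoS",
    ("tcp", 443): "HTTPS/SSL VPN: brute-force, known CVEs, TLS renegotiation DoS",
    ("tcp", 179): "BGP: session spoofing or denial-of-service against the FortiGate",
    ("tcp", 3389): "RDP: ransomware entry point, brute-force, remote code execution",
    ("tcp", 5060): "SIP: SIP flood, SPIT, brute-force registration attempts",
    ("udp", 5060): "SIP: SIP flood, SPIT, brute-force registration attempts",
    ("tcp", 2000): "Cisco SCCP: VoIP DoS, unnecessary exposure",
}

# Hypothetical allowlist: services deliberately exposed on this public IP.
DEFAULT_ALLOWLIST = frozenset({("tcp", 443)})

# Constructed sample of nmap -oG output; a closed entry is included so the
# state filter is exercised.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "2000/open/tcp//cisco-sccp///, 5060/open/udp//sip///, 21/closed/tcp//ftp///"
    "\tIgnored State: closed (995)\n"
)


@dataclass(frozen=True)
class Finding:
    host: str
    proto: str
    port: int
    service: str
    risk: str


def parse_open_ports(scan_text):
    """Yield (host, proto, port, service) for each port reported as open.

    Grepable entries are port/state/protocol/owner/service/rpc/version.
    """
    for line in scan_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                yield host, proto, int(port), service


def audit(scan_text, allowlist=DEFAULT_ALLOWLIST):
    """Return a Finding for every open port that is not on the allowlist."""
    findings = []
    for host, proto, port, service in parse_open_ports(scan_text):
        if (proto, port) in allowlist:
            continue
        risk = HIGH_RISK.get((proto, port), "Not on the allowlist; confirm it is needed")
        findings.append(Finding(host, proto, port, service, risk))
    return findings


def ports_to_close(findings):
    """Distinct (proto, port) pairs to deny, sorted by port number."""
    return sorted({(f.proto, f.port) for f in findings}, key=lambda p: (p[1], p[0]))


if __name__ == "__main__":
    results = audit(SAMPLE_SCAN)
    for f in results:
        print(f"{f.host} {f.proto}/{f.port} ({f.service}): {f.risk}")
    print("Ports to close:", ports_to_close(results))
```

Running it against the sample flags TCP/22, TCP/2000 and UDP/5060 while leaving TCP/443 alone; with a real scan, replace SAMPLE_SCAN with the contents of the file written by `nmap -oG` and adjust the allowlist to the services that are genuinely required.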

 

Conclusion:

Each unnecessary TCP/UDP port that is open or exposed represents a potential entry point for exploitation.

Regular scanning, restriction, and closure of unnecessary ports are critical measures for maintaining a secure and resilient environment.

These actions not only help prevent data breaches but also contribute to consistent performance, even under scanning or attack attempts.

Implementing preventive security controls is more cost-effective than responding to incidents, so FortiGate hardening should be prioritized.