Description | This article explains what happens when an NMAP (Network Mapper) scan is run against a FortiGate interface on which a captive portal is configured and deployed. |
Scope | FortiOS |
Solution |
NMAP (Network Mapper) is a network scanner used to discover hosts and services on a network; it does this by sending packets to the hosts and analyzing their responses. A network administrator's main aim when scanning a network with NMAP is to find ports that are open on the network and could be used or exploited by bad actors.
In a network where a captive portal is deployed on a FortiGate, the NMAP scan result will likely look like the following (a default NMAP scan is used in this scenario, meaning NMAP scans its default set of 1000 ports):
Here, the NMAP scan result reported 21/tcp, 23/tcp, 80/tcp, 443/tcp and 1000/tcp as OPEN.
If the captive portal configuration is removed or disabled on the FortiGate interface facing the NMAP scanner, the earlier reported OPEN ports are no longer seen as OPEN.
These ports appear as OPEN in the NMAP scan result (when in fact they were not open and posed no security threat) because ports 21/tcp, 23/tcp, 80/tcp and 443/tcp (FTP, Telnet, HTTP and HTTPS respectively) are used by authd (the authentication daemon) for captive-portal redirection: authd accepts the connection only to redirect the client to the portal login page.
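The following is an added triage example, not code from the Fortinet article: it parses NMAP "grepable" (-oG) output, labels open ports that the article attributes to authd captive-portal redirection as expected, flags the rest for verification, and checks whether a captured HTTP response is the 3xx redirect a captive portal produces. The scan output, the host address 192.0.2.1, the redirect response and the port in its Location header are all constructed sample data.

```python
import re

# Ports the article says authd opens on a captive-portal interface purely to
# redirect clients to the portal (FTP, Telnet, HTTP, HTTPS).
AUTHD_REDIRECT_PORTS = {21, 23, 80, 443}

# Constructed sample of nmap grepable (-oG) output; not real scan data.
SAMPLE_NMAP_GREPABLE = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 1000/open/tcp//cadlock///\n"
)

# Constructed HTTP response of the kind a captive-portal redirect produces.
# The redirect target (host and port) is an assumption for illustration.
SAMPLE_REDIRECT_RESPONSE = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Location: http://192.0.2.1:1000/\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Each port entry in -oG output looks like: port/state/proto/owner/service/rpc/version/
_PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/")


def parse_open_ports(grepable_text):
    """Return {host: sorted list of open TCP ports} from nmap -oG output."""
    result = {}
    for line in grepable_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and 'Status:' lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        open_ports = [
            int(port)
            for port, state, proto in _PORT_RE.findall(ports_field)
            if state == "open" and proto == "tcp"
        ]
        result.setdefault(host, []).extend(open_ports)
    return {host: sorted(set(ports)) for host, ports in result.items()}


def triage_ports(open_ports, captive_portal_enabled):
    """Label each open port as an expected authd redirect listener or as needing verification."""
    labels = {}
    for port in open_ports:
        if captive_portal_enabled and port in AUTHD_REDIRECT_PORTS:
            labels[port] = "authd captive-portal redirect (expected)"
        else:
            labels[port] = "not explained by captive portal; verify"
    return labels


def parse_http_redirect(response):
    """Return (status_code, location) if the response is an HTTP 3xx redirect, else None."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    status = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not status or not status.group(1).startswith("3"):
        return None
    for header in lines[1:]:
        name, _, value = header.partition(":")
        if name.strip().lower() == "location":
            return int(status.group(1)), value.strip()
    return None


if __name__ == "__main__":
    for host, ports in parse_open_ports(SAMPLE_NMAP_GREPABLE).items():
        print(host)
        for port, label in triage_ports(ports, captive_portal_enabled=True).items():
            print(f"  {port}/tcp  {label}")
    print("redirect:", parse_http_redirect(SAMPLE_REDIRECT_RESPONSE))
```

Run against a real scan by reading the -oG file into `parse_open_ports`; any port the triage leaves as "verify" (1000/tcp in the sample, or any of the four redirect ports once the captive portal is disabled) should be confirmed against the FortiGate's own listening sockets rather than assumed to be harmless.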
If port 113/tcp (ident) is seen as OPEN in the NMAP scan result, it can be closed by disabling ident-accept on the interface facing the scanner (setting it back to enable re-opens the port):
config system interface
    edit [port]
        set ident-accept disable
    next
end
Note: when 'diag sys tcpsock' is run on the FortiGate, these ports may be visible in the CLI output, meaning that a process is listening on that port; this does not imply that an external user can connect to that port. |
Copyright 2025 Fortinet, Inc. All Rights Reserved.