Description
This article describes how to view which ports are actively open and in use by FortiGate. FortiOS provides several services such as SSH, web access, SSL VPN, and IPsec VPN.
Both a CLI command and a GUI view list the ports on which these services are listening.
Scope
FortiGate.
Solution
In the CLI, type the following command to verify open/listening TCP ports:
diagnose sys tcpsock | grep 0.0.0.0
0.0.0.0:709->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1000->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1001->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1002->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1003->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1004->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1005->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1006->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:80->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1011->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1012->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:53->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1013->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:22->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1014->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:23->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1015->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1016->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1017->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1018->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:2650->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:443->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1019->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:7900->0.0.0.0:0->state=listen err=0 sockflag=0x2 rma=0 wma=0 fma=0 tma=0
0.0.0.0:1020->0.0.0.0:0->state=listen err=0 sockflag=0x8 rma=0 wma=0 fma=0 tma=0
0.0.0.0:541->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
To list all open TCP connections originating from the FortiGate to other devices, run the same command without the grep filter:
diagnose sys tcpsock
On current FortiOS versions, this command also shows the process behind each listening port or connection, whether the connection was initiated by the FortiGate or by the remote host.
In the example below, the sshd process is responsible for the open connection.
10.191.20.201:22->10.191.31.254:43434->state=established err=0 socktype=0 rma=0 wma=0 fma=4096 tma=0 inode=24068028 process=23993/sshd
A similar command can be used to list IPv6 TCP connections:
diagnose sys tcpsock6
In the CLI, type the following command to list open/listening UDP ports:
diagnose sys udpsock | grep 0.0.0.0
0.0.0.0:2055->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=16442 process=1287/flcfgd
0.0.0.0:53->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=6907 process=1278/dnsproxy
0.0.0.0:123->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=16418 process=1272/ntpd
0.0.0.0:161->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=4382 process=1265/snmpd
0.0.0.0:20949->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=3629 process=1239/syslogd
0.0.0.0:514->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=14741 process=1328/miglogd
0.0.0.0:514->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=18624 process=1329/miglogd
0.0.0.0:514->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=5087 process=1326/miglogd
0.0.0.0:514->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=5066 process=1327/miglogd
0.0.0.0:514->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=4993 process=1260/miglogd
0.0.0.0:520->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=5393963 process=1214/ripd
0.0.0.0:25246->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=17735 process=1292/extenderd
0.0.0.0:2736->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=15694 process=1295/dnsproxy
0.0.0.0:8887->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=18839 process=1282/cw_acd
0.0.0.0:710->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=4363 process=1266/dhcpcd
The same command without the grep filter lists all currently open UDP connections originating from the FortiGate to remote hosts or vice versa:
diagnose sys udpsock
To list IPv6 UDP connections, run:
diagnose sys udpsock6
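As an added example (not from the article or from FortiOS), a small Python parser for the diagnose sys tcpsock and udpsock output shown above: it extracts the local and remote endpoints, state and owning process from each line, collects the listening sockets from both commands, and flags any listener whose port is not in an approved baseline. The sample lines are copied from the article's output; the allowed-port set is an assumption.

```python
import re

# Matches both forms shown in the article: TCP lines use "->state=",
# UDP lines use " state=" with an empty state for bound, unconnected sockets.
SOCK_RE = re.compile(
    r"^(?P<lip>[\d.]+):(?P<lport>\d+)->(?P<rip>[\d.]+):(?P<rport>\d+)"
    r"(?:->| )state=(?P<state>\S*)(?P<rest>.*)$"
)

def parse_sock_line(line):
    """Parse one tcpsock/udpsock line; return None for anything else."""
    m = SOCK_RE.match(line.strip())
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
    pid, _, name = fields.get("process", "/").partition("/")
    return {
        "local": (m.group("lip"), int(m.group("lport"))),
        "remote": (m.group("rip"), int(m.group("rport"))),
        "state": m.group("state"),
        "pid": int(pid) if pid.isdigit() else None,
        "process": name or None,
    }

def listening_sockets(output):
    """Sockets bound with no peer: TCP state=listen, or UDP (empty state)."""
    socks = [parse_sock_line(l) for l in output.splitlines()]
    return [s for s in socks if s and s["remote"] == ("0.0.0.0", 0)
            and s["state"] in ("listen", "")]

def unexpected_listeners(output, allowed_ports):
    """Baseline check: listeners whose local port is not in the approved set."""
    return [s for s in listening_sockets(output) if s["local"][1] not in allowed_ports]

# Sample lines copied from the article's example output above.
SAMPLE_TCP = """\
0.0.0.0:22->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:443->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
10.191.20.201:22->10.191.31.254:43434->state=established err=0 socktype=0 rma=0 wma=0 fma=4096 tma=0 inode=24068028 process=23993/sshd
"""
SAMPLE_UDP = """\
0.0.0.0:161->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=4382 process=1265/snmpd
0.0.0.0:514->0.0.0.0:0 state= txq=0 rxq=0 uid=0 inode=14741 process=1328/miglogd
"""
# Assumed baseline of approved management/logging ports (illustrative only).
ALLOWED_PORTS = {22, 443, 514}

if __name__ == "__main__":
    for s in unexpected_listeners(SAMPLE_TCP + SAMPLE_UDP, ALLOWED_PORTS):
        print("unexpected listener: port %d process %s" % (s["local"][1], s["process"]))
```

Feed the parser the captured output of both commands (for example from an SSH session) and diff the result against the baseline after every firmware upgrade or configuration change.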
In rare cases, it might be useful to show more details gathered from the Linux kernel /proc filesystem.
Refer to the Linux documentation for more details.
The following commands dump the raw socket tables for TCP, UDP, ICMP and other protocols. This can be useful for support or development to debug an issue in more detail.
fnsysctl ls -al /proc/net/
fnsysctl cat /proc/net/tcp
fnsysctl cat /proc/net/tcp6
fnsysctl cat /proc/net/udp
fnsysctl cat /proc/net/udp6
fnsysctl cat /proc/net/icmp
fnsysctl cat /proc/net/icmp6
fnsysctl cat /proc/net/udplite
fnsysctl cat /proc/net/udplite6
fnsysctl cat /proc/net/raw
fnsysctl cat /proc/net/raw6
fnsysctl cat /proc/net/unix
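As an added example, again not from the article or from FortiOS, a Python decoder for the raw /proc/net/tcp and /proc/net/tcp6 rows that the fnsysctl cat commands above print: it converts the hex address:port pairs (assuming a little-endian CPU, the usual case) and the two-digit state code into readable endpoints and states, and lists the ports in LISTEN state. The sample rows are constructed to match the article's sshd session; the inode values in them are made up.

```python
import ipaddress

# TCP state codes printed in the st column (kernel tcp_states.h).
# /proc/net/udp reuses them: a bound, unconnected UDP socket shows 07 (CLOSE).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (ip, port). Each 32-bit word of the address is
    printed in host byte order, so on a little-endian CPU its bytes are reversed."""
    addr_hex, port_hex = field.split(":")
    raw = b"".join(bytes.fromhex(addr_hex[i:i + 8])[::-1]
                   for i in range(0, len(addr_hex), 8))
    return str(ipaddress.ip_address(raw)), int(port_hex, 16)

def parse_proc_net(text):
    """Parse /proc/net/{tcp,tcp6,udp,udp6} rows; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 10 or not cols[0].endswith(":"):
            continue
        entries.append({
            "local": decode_endpoint(cols[1]),
            "remote": decode_endpoint(cols[2]),
            "state": TCP_STATES.get(cols[3], cols[3]),
            "uid": int(cols[7]),
            "inode": int(cols[9]),
        })
    return entries

def listening_ports(text, proto="tcp"):
    """Local ports with a listener: LISTEN for TCP, CLOSE (unconnected) for UDP."""
    want = "LISTEN" if proto == "tcp" else "CLOSE"
    return sorted({e["local"][1] for e in parse_proc_net(text) if e["state"] == want})

# Constructed sample rows in /proc/net/tcp layout (not captured from a device): a listener
# on 0.0.0.0:22 plus the 10.191.20.201:22 <-> 10.191.31.254:43434 session from the article.
PROC_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4001 1 0000000000000000 100 0 0 10 0
   1: C914BF0A:0016 FE1FBF0A:A9AA 01 00000000:00000000 00:00000000 00000000     0        0 24068028 1 0000000000000000 100 0 0 10 0
"""
# Constructed /proc/net/tcp6 row: a listener on [::1]:443.
PROC_TCP6 = """\
   0: 00000000000000000000000001000000:01BB 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4002 1 0000000000000000 100 0 0 10 0
"""
```

The inode column is the same value that diagnose sys tcpsock prints as inode=, so the two views can be joined to attach the process name to a raw /proc/net row.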
The listening ports can also be viewed in the GUI once the Local In Policy view is enabled:
Activate the Local In Policy view via System -> Feature Visibility, and toggle on Local In Policy in the Additional Features menu.
Go to Policy & Objects -> Local In to see an overview of the active listening ports.
Related articles:
Technical Note: Traffic Types and TCP/UDP Ports used by Fortinet Products
Interpreting TCP Ports FortiGate Listens ... - Fortinet Community