FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Andreas77_FTNT
Description
This document describes what TCP port 1000 is used for and how to disable it.

Some network scanners gives the information that TCP port 1000 is open.
The FortiGate will listen on TCP 1000 for all configured interfaces, if authentication keepalive is enabled.

It will also be used if captive portal or authentication on a policy is enabled.


Solution
There are two ways to approach this:

1) Disable keepalive and any form of authentication via the web portal of the FortiGate.

- Completely disable authentication keepalive feature, by simply running below command:

# config system global
    set auth-keepalive disable
end
- Disable captive portal on the interface (replace with correct port name):
edit “PortName "
    set security-mode captive-portal
end
- Disable any form of web authentication on the FortiGate.

It can be policies that are either using groups or users:
# config firewall policy
    edit <ID> >>>>> Need to replace with correct ID
        unset users
        unset groups
    end
Of course, the authentication keepalive page will not work anymore, but TCP 1000 will be closed.

2) Creating a local-in-policy.

Creating a local-in-policy will allow more granular control as closing the port for specific interfaces is possible.
First, create a custom service for tcp/1000:
# config firewall service custom
    edit "TCP/1000"
        set tcp-portrange 1000
end
Then, create the policy (replace 'PortName' with desired port)
# config firewall local-in-policy
    edit 1
        set intf “PortName”
        set srcaddr "all"
        set dstaddr "all"
        set service "TCP/1000"
        set schedule "always"
    next
end

Related Articles

Technical Tip: Authentication keepalive page

Contributors