FortiGate
MichaelTorres
Article Id 336109
Description: This article describes how FortiGate incorrectly answers requests on TCP port 8015 after an IPS profile is enabled in a firewall policy that uses VIPs.
Scope: FortiGate deployments that use VIPs, or port-scanning tests against them.
Solution

FortiGate answers requests on TCP port 8015 when an IPS profile is enabled in the firewall policy, even though no packet from outside to TCP port 8015 should reach the internal VIP address. This behavior causes false positives in port-scanning and pen-testing tools, which may report TCP port 8015 as 'open'.

Example configuration:

config firewall policy
    edit 216
        set uuid 4fcce3e2-e1a4-51ea-a0ce-d8a1865a680c
        set srcintf "LAN"
        set dstintf "INTERNAL1"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP_2.2.2.2"
        set schedule "always"
        set service "HTTP" "HTTPS" "8443" "PING" --> Port 8015 is not included in the services.
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "IPS_EXAMPLE"
        set logtraffic all
    next

In the debug flow output, the following behavior is seen for a request sent to port 8015:

id=1088 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 policy-216, ret-matched, act-accept"
id=20085 trace_id=1088 func=__iprope_user_identity_check line=1814 msg="ret-matched"
id=20085 trace_id=1088 func=__iprope_check line=2272 msg="gnum-4e20, check-ffffffffa002d760"
id=20085 trace_id=1088 func=__iprope_check_one_policy line=2025 msg="checked gnum-4e20 policy-4294967295, ret-matched, act-accept"
id=20085 trace_id=1088 func=__iprope_check_one_policy line=2242 msg="policy-4294967295 is matched, act-accept"
id=20085 trace_id=1088 func=__iprope_check line=2289 msg="gnum-4e20 check result: ret-matched, act-accept, flag-00800008, flag2-00000000"
id=20085 trace_id=1088 func=__iprope_check_one_policy line=2242 msg="policy-216 is matched, act-accept"
id=20085 trace_id=1088 func=iprope_fwd_check line=819 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-216"
id=20085 trace_id=1088 func=iprope_fwd_auth_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-216"
id=20085 trace_id=1088 func=fw_forward_handler line=881 msg="Allowed by Policy-216: AV"
id=20085 trace_id=1088 func=av_receive line=434 msg="send to application layer"

As soon as the IPS profile is enabled in the firewall policy, a new entry is automatically created in the IPROPE policy list.

To view the IPROPE policies, run the command:

diagnose firewall iprope list

FortiGate then shows the following entry for the policy:

policy index=216 uuid_idx=4782 action=accept
flag (8010408): redir d_r master pol_stats
flag2 (4000): resolve_sso
flag3 (b0): !sp link-local best-route
schedule(always)
cos_fwd=255  cos_rev=255
group=00100004 av=00004e20 au=00000000 split=00000000
host=2 chk_client_info=0x0 app_list=0 ips_view=1
misc=0
zone(1): 232 -> zone(1): 99
source(1): 0.0.0.0-255.255.255.255, uuid_idx=3650,
dest(1): 2.2.2.2.-2.2.2.2, uuid_idx=4593,
vip(1): 9
service(1):
        [6:0x0:1007/(0,65535)->(8015,8015)] flags:0 helper:auto

Solution.

This issue is tracked under MANTIS ID 1000223. The fix will be included in versions 7.0.16, 7.2.9, 7.4.4 and 7.6.0.

Workaround.

Create a deny policy at the top of the policy list to block traffic to the VIP external IPs on ports 8008, 8010, and 8015.
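The workaround written out in FortiOS CLI for the example policy above, as an added illustration that is not part of the original article: the interface names, the VIP object and policy 216 come from the example configuration, while policy ID 300, the service object names and the comment texts are assumptions chosen here.

```fortios
config firewall service custom
    edit "TCP_8008"
        set comment "Assumed object name; port listed in the article workaround"
        set tcp-portrange 8008
    next
    edit "TCP_8010"
        set comment "Assumed object name; port listed in the article workaround"
        set tcp-portrange 8010
    next
    edit "TCP_8015"
        set comment "Assumed object name; matches iprope entry (0,65535)->(8015,8015)"
        set tcp-portrange 8015
    next
end

config firewall policy
    edit 300
        set name "Deny_VIP_IPS_hidden_ports"
        set comments "Workaround for MANTIS ID 1000223; policy ID 300 is an assumed free ID"
        set srcintf "LAN"
        set dstintf "INTERNAL1"
        set action deny
        set srcaddr "all"
        set dstaddr "VIP_2.2.2.2"
        set schedule "always"
        set service "TCP_8008" "TCP_8010" "TCP_8015"
        set logtraffic all
    next
    move 300 before 216
end
```

After applying it, re-run diagnose firewall iprope list to confirm the deny policy is evaluated before policy 216, and check the traffic log for denied hits on these ports to verify the workaround is taking effect.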