FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
MauricioOliva
Article Id 419572
Description: This article describes the process for installing the Nmap tool on a Linux operating system and provides examples of its use for troubleshooting connectivity and service availability on a FortiSIEM appliance.
Scope: Linux operating systems, Nmap, and network connectivity troubleshooting with a FortiSIEM appliance.
Solution
  1. Nmap installation on Linux.

Nmap (Network Mapper) is an open-source utility for network exploration and security auditing. Its installation varies slightly depending on the Linux distribution used.

Debian-based distributions (Ubuntu, Mint, etc.).

Open a terminal and run the following commands to update the package list and install Nmap:

# sudo apt update
# sudo apt install nmap

Red Hat-based distributions (CentOS, Fedora, RHEL, etc.).

Open a terminal and run the following command to install Nmap using the dnf or yum package manager:

# sudo dnf install nmap

Or, if using yum:

# sudo yum install nmap

  2. Using Nmap for FortiSIEM diagnostics.

The primary use of Nmap in diagnosing a FortiSIEM appliance is to verify accessibility and the availability of the services (ports) required for its correct operation, such as log reception, web interface access, or communication between its components.

Replace X.X.X.X with the IP address of the FortiSIEM to be diagnosed.

  2.1. Basic status check (ping).

A basic ping can be performed to confirm that the FortiSIEM appliance responds at the network level (layer 3).

# nmap -sn X.X.X.X

The -sn (no port scan) option performs host discovery only, a ping scan, to verify whether the host is up without scanning any ports. If ICMP is blocked between the diagnostic machine and the appliance, the host may be reported as down even though its services answer; in that case the port scans below can be run with -Pn, which skips host discovery.

  2.2. Scanning common ports.

Specific ports that are critical for FortiSIEM operation can be scanned. Below are common ports used by FortiSIEM for the web interface, inter-component communication, or event/log reception.

Example of scanning key ports:

# nmap -p 443,8443,514,22,5432 X.X.X.X

  • 443: Web interface (HTTPS) if a proxy or load balancer is used.
  • 514: Syslog log reception (TCP/UDP).
  • 22: SSH access for administration.
  • 5432: PostgreSQL database port (internal/inter-component communication).

Note that Nmap scans TCP ports by default, so this command only checks the TCP side of port 514; the UDP side is checked with a separate UDP scan (nmap -sU -p 514 X.X.X.X), which requires root privileges.

Interpreting results:

Port state | Meaning                                                      | Diagnosis
open       | The port is open and a service is listening on it.           | The service is active and accessible from the scanning machine.
closed     | The port is accessible, but no application is listening.     | The service is inactive or has not started.
filtered   | A firewall or network filter is blocking access to the port. | Connectivity is blocked in the network (ACL, FortiGate, etc.).

  2.3. Exhaustive scan of the most used ports.

For a more comprehensive diagnosis, a range of ports or the 1000 most common ports can be scanned:

# nmap X.X.X.X

Running nmap [IP] without port options scans the 1000 most common TCP ports by default.

  2.4. Service and version scanning.

The -sV option attempts to determine the service and version listening on the open ports. This is useful to verify that the reported service is indeed the expected one (e.g., a web server).

# nmap -p 8443 -sV X.X.X.X

The output should indicate the service (e.g., https) and its version if detectable.
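The checks described above (host discovery, the scan of the key ports, the service/version check, and the open/closed/filtered table) combined into one script, added here as an example that is not part of the Fortinet article or of the FortiSIEM product. It assumes nmap is installed as in section 1, takes the appliance IP as its first argument, and uses Nmap's grepable output format (-oG -). The port list is taken from the article; the sample output parsed when the script is run without arguments is constructed from the article's values, not captured from a real appliance.

```shell
#!/bin/sh
# Added example, not part of the Fortinet KB article or FortiSIEM itself.
# Runs the article's checks against one FortiSIEM address and maps Nmap's
# grepable output (-oG) onto the open/closed/filtered diagnosis table.
# Assumptions: nmap is installed (section 1); the target IP is argument $1.
# Only TCP is scanned: UDP syslog on 514 needs a separate "nmap -sU" as root.

# Ports the article names for FortiSIEM (assumed set, taken from the article).
FSM_PORTS="22,443,514,5432,8443"

# Diagnosis text for each port state, following the article's table.
diagnose_state() {
    case "$1" in
        open)     echo "service active and reachable from this host" ;;
        closed)   echo "reachable but nothing listening: check the service on the appliance" ;;
        filtered) echo "blocked on the path (ACL, FortiGate, ...)" ;;
        *)        echo "state '$1' needs a closer look (try -v or -sV)" ;;
    esac
}

# True when grepable output on stdin contains a "Status: Up" line (nmap -sn).
host_is_up() {
    grep -q 'Status: Up'
}

# Read grepable output on stdin and print one line per scanned port:
#   <port>/<proto> <state> [<service> <version>]: <diagnosis>
# A grepable port entry is port/state/proto/owner/service/rpc/version and
# entries are joined with ", " (Nmap escapes "/" inside fields, not ",").
parse_grepable() {
    awk 'BEGIN { FS = "\t" }
         { for (i = 1; i <= NF; i++)
               if ($i ~ /^Ports: /) { sub(/^Ports: /, "", $i); print $i } }' |
    tr ',' '\n' |
    while read -r entry; do
        [ -z "$entry" ] && continue
        port=$(printf '%s' "$entry" | cut -d/ -f1)
        state=$(printf '%s' "$entry" | cut -d/ -f2)
        proto=$(printf '%s' "$entry" | cut -d/ -f3)
        svc=$(printf '%s' "$entry" | cut -d/ -f5)
        ver=$(printf '%s' "$entry" | cut -d/ -f7)
        printf '%s/%s %s [%s%s]: %s\n' "$port" "$proto" "$state" \
            "${svc:-?}" "${ver:+ $ver}" "$(diagnose_state "$state")"
    done
}

# Constructed sample (not captured from a real appliance) of what "nmap -sn"
# and "nmap -sV -p ... -oG -" return: one closed and one filtered port.
SAMPLE_GREPABLE=$(printf '%s\t%s\n%s\t%s\t%s' \
    'Host: 192.0.2.10 ()' 'Status: Up' \
    'Host: 192.0.2.10 ()' \
    'Ports: 22/open/tcp//ssh///, 443/open/tcp//https//sample-httpd 1.0/, 514/closed/tcp//syslog///, 5432/filtered/tcp//postgresql///, 8443/open/tcp//https-alt///' \
    'Ignored State: closed (0)')

# Live run: host discovery first (the article's ping check), then the port list
# with service detection (-sV) so the expected service can be confirmed.
scan_fortisiem() {
    ip="$1"
    if ! nmap -sn -oG - "$ip" | host_is_up; then
        echo "$ip did not answer host discovery; check layer-3 reachability or retry with -Pn" >&2
        return 1
    fi
    nmap -sV -p "$FSM_PORTS" -oG - "$ip" | parse_grepable
}

if [ -n "${1:-}" ]; then
    scan_fortisiem "$1"
else
    echo "No target given; running the parser on the constructed sample:"
    printf '%s\n' "$SAMPLE_GREPABLE" | parse_grepable
fi
```

Run it from the diagnostic machine as sh fsm_nmap_check.sh X.X.X.X. The service name printed for a port comes from Nmap's port table unless the scan was run with -sV, in which case the version field is filled in and printed next to it; the TCP-only caveat from section 2.2 still applies, so UDP 514 must be checked with a separate nmap -sU run.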

 

Considerations:

  • Nmap scans must always be performed from the Linux diagnostic machine within the same network segment or the same security zone as the FortiSIEM if the goal is to rule out intermediate firewall blocks.
  • If Nmap reports a port as filtered, the cause is a network block. If it reports closed, the cause is on the FortiSIEM appliance itself (inactive service, not listening on that interface, or local firewall blocking it).
  • Do not use Nmap to perform intensive scans against production equipment without prior authorization.