Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aznabeel
New Contributor

Fortigate 100D v 5.2

Hi All,

 

I would like to inform you that I am a newbie and I have the following questions:

1- What is the CLI command to identify open and closed ports in a FortiGate 100D v5.2?

2- I have checked with the network admin in my company and he told me that he has not changed the default services settings. So if someone can guide me regarding what services should be enabled or disabled as best practice.

Awaiting response.

Thanks in advance

Regards

Nabeel

sw2090
Honored Contributor

Nabeel,

What do you mean by 1)? Open/closed ports?

Ports for services on a FGT are set with the corresponding interface.

This goes for e.g. http(s) for the web interface, ssh for the CLI, or also FMGACCESS, which you need if you use a FortiManager, and some more.

Ports for services not on the FGT are basically set via either VIP (port forwarding) or policy.

This can be checked from outside the FGT with any port scanner like Unix's nmap or yaps.

To 2)

The default service settings on a FGT for the FGT's internal services are quite open.

I am not sure if you want to be able to get to the web interface from the WAN side of your FGT.

I usually only allow SSH coming from the WAN (Internet). HTTPS is only available on internal interfaces (the internal subnet for the shop or our admin VPN) and so is SNMP. HTTP is deactivated. From the rest I have only enabled FMGACCESS, since we use a FortiManager here, but it also is only available via our admin VPN. The rest is off on the interfaces.

Per factory default, btw, all internal physical ports (port1-x or internal1-x depending on FGT model) are one (virtual) switch that has 192.168.1.99 as IP, and there is one policy that allows everything to everything and one that denies the rest. So you might have to change this to what you need.

Also there is a DHCP server active on that switch, btw.

hth

Sebastian

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
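An added example, not code from this thread or from Fortinet: a small Python check that reads a (constructed) FortiOS `show system interface` dump and reports, per interface, which admin services go beyond the practice described above (SSH only on the WAN side; HTTPS, SNMP and FortiManager access only on internal interfaces; HTTP nowhere). The interface-to-role mapping and the permitted-service table are assumptions for this example; `fgfm` is the CLI keyword behind the FMGACCESS checkbox.

```python
import re

# Constructed sample of "show system interface" output, not a real device dump.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh http fgfm
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm capwap
    next
    edit "admin-vpn"
        set allowaccess https ssh fgfm
    next
end
"""

# Services acceptable per interface role (assumption for this example).
ALLOWED = {
    "wan": {"ssh"},
    "internal": {"ping", "https", "ssh", "snmp", "fgfm", "capwap"},
}

def parse_allowaccess(config: str) -> dict[str, set[str]]:
    """Map each interface name to the services listed on its 'set allowaccess' line."""
    result = {}
    current = None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            result[current] = set()  # no allowaccess line means nothing is exposed
        elif current and line.startswith("set allowaccess "):
            result[current] = set(line[len("set allowaccess "):].split())
    return result

def find_violations(config: str, roles: dict[str, str]) -> dict[str, set[str]]:
    """Return, per interface, the services enabled beyond what its role permits.
    'http' is flagged everywhere because no role permits clear-text admin login."""
    violations = {}
    for iface, services in parse_allowaccess(config).items():
        role = roles.get(iface, "wan")  # unknown interfaces are treated as untrusted
        extra = services - ALLOWED[role]
        if extra:
            violations[iface] = extra
    return violations
```

Run it against a real `show system interface` dump by replacing `SAMPLE_CONFIG` and listing which interfaces are internal in the `roles` dict.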
Ashik_Sheik

Hi,

Just check the KB article below; it will help you to get the open ports in the FortiGate.

http://kb.fortinet.com/kb/viewContent.do?externalId=FD39969

Regds,

Ashik

Ashu
