
(ASK) block NMAP


I want to ask: recently I configured a FortiGate 90D with IPS enabled in my policy from internal to Internet.

I tried scanning with NMAP from an outside network, but NMAP can still scan my network.

So I want to ask, how do I prevent NMAP from scanning my network? Can anyone help me?

Sorry for my bad English.


The scanning is out-to-in direction. Nothing to do with in-to-out policies. If the scanning can come through the FG, you must have policies with VIP or just routing into your internal network for out-to-in direction. Check those and filter them at the FG if it's routing in. If VIPs, narrow down the forwarding ports to only those the servers behind are serving. Those ports show as open, obviously.


So should I create a policy from outside to inside with IPS enabled to prevent NMAP scanning of my public IP?

Sorry for my bad English.


Why would you create a new policy? If you don't have an out-to-in policy at all, your network is mostly secure. The only ports somebody would see as open are those for remote access to the outside IP on the FGT, such as SSH (22), HTTPS (443), and always BGP (179). You can close remote access ports by just disabling that access on the interface, or list the source IPs you want to allow with local-in-policy or ACL. To close the BGP port, the only options are local-in-policy or ACL. Then you're clear for any security audit and penetration (PEN) tests.

But if you happen to have (you don't seem to have any now) internal servers for outside users, like email servers, web servers, FTP servers, etc. and want to protect them from scanning and subsequent attacks at FW level, you can try some methods described in the online manual below.
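As an added illustration of the two options named in the reply above (this is not configuration from the thread or from Fortinet documentation, and the interface name `wan1`, the address object `mgmt-hosts` and the management subnet `203.0.113.0/24` are assumed placeholders), a FortiOS CLI fragment that first trims the admin protocols exposed on the WAN interface, then uses local-in-policy to allow SSH/HTTPS only from the management subnet and drop SSH, HTTPS and BGP from everyone else. Local-in policies have no implicit deny, so the explicit deny entry is what makes the scanner see those ports as filtered.

```text
# Assumed placeholder: only expose ping and HTTPS on the WAN side;
# SSH is removed from allowaccess so it is not listening there at all.
config system interface
    edit "wan1"
        set allowaccess ping https
    next
end

# Assumed placeholder address object for the hosts allowed to manage the FGT.
config firewall address
    edit "mgmt-hosts"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# Local-in policies are evaluated top-down for traffic addressed to the FGT itself.
# Entry 1 permits management from mgmt-hosts; entry 2 drops SSH/HTTPS/BGP from anyone else.
# Without entry 2 the default behaviour would still be to accept, so keep both.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH" "BGP"
        set schedule "always"
    next
end
```

After applying this, a port scan from outside the management subnet should report 22, 443 and 179 on the WAN address as filtered rather than open; if 22 or 443 still shows open, check whether another interface, a VIP, or a later local-in entry is accepting it.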

