Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
eager2learn
New Contributor

For a VIP is port 8008 internal closed and external opened

On a Fortigate 200D a VIP (Virtual IP) is created.

  Type NAT

  Source Address Filter: off   Port Forwarding: off   One external IP-address

  One Mapped IP-address

The Mapped (internal) IP-address is used by a Linux system with only port 22 (SSH) open. So port 8008 is closed.

From external (on the external IP-address) it is possible to login, with SSH, on the internal Linux system. From external (on the external IP-address) port 8008 is open. From external (on the external IP-address) it is possible to connect to port 8008.

But the end-point of the connection to port 8008 is not the internal Linux system. The program "nmap" shows (from out-site to the external IP-address) the lines below:

    Port     Protocol  State  Service  Version

    22        tcp           open   ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu

    8008    tcp           open   http        Fortinet FortiGuard block page

 

So is seems that the end-point of a connection from external to port 8008 is the FortiGate and not the internal Linux system.

How is that possible?

How can port 8008 be closed from the external internet?

 

7 REPLIES 7
Markus
Valued Contributor

This is for Blocking Page and Policy Override Authentication. You shouldn't close this Port.

https://docs.fortinet.com/uploaded/files/3020/fortinet-communication-ports-and-protocols-54.pdf

 


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
eager2learn

I will read that documentation.

On the Fortigate 200D, 23 VIP's are created. All on the same way. Only one VIP has port 8008 open, on the other VIP's port 8008 is closed.

Markus
Valued Contributor

Ok, thats strange. Did you have any UTM Profile applied to this VIP/Policy?


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
eager2learn

Yes, now I see.

The policy for this VIP (with port 8008 open) has the next Security Profiles:

  AntiVirus:          AV default

  IPS:                    protect_sftp_server

  Proxy Options:  PRX default

 

The policy's for the other VIP's have only the Security Profile:

 IPS:                    protect_sftp_server 

 

The reason is that the SFTP-server behind the VIP with port 8008 open cannot have a white-list (/etc/hosts.allow).

The SFTP-servers behind the other VIP's all have a white-list.

 

The VIP with more Security Profiles has an extra port open.

That is not what I expect.

 

 

Markus
Valued Contributor

This is a "normal" behavior as this port is used by Fortigate for UTM response There was a similar Post https://forum.fortinet.com/tm.aspx?m=124655

the solution was to create a local in policy (post 3) blocking this Port, but be aware that this blocks any response or override pages globaly


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
eager2learn

The last days I read something about UTM response. Sorry, but I still don't understand where port 8008 is used for. Send Fortigate new threat prevention information by this port to our Fortigate?

 

Markus
Valued Contributor

Maybe this can clarify your question TCP ports 8008 and 8010 are used for the FortiGuard block pages as well as the FortiGuard override pages. TCP Port 8008 is open when Web Filter profile with FortiGuard override feature enabled is applied to firewall policy. Port 8008 is also open when a proxy-based AV profile is applied to firewall policy

Source http://kb.fortinet.com/kb/documentLink.do?externalID=FD33190

 


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors