On a Fortigate 200D a VIP (Virtual IP) is created.
Type NAT
Source Address Filter: off Port Forwarding: off One external IP-address
One Mapped IP-address
The Mapped (internal) IP-address is used by a Linux system with only port 22 (SSH) open. So port 8008 is closed.
From external (on the external IP-address) it is possible to login, with SSH, on the internal Linux system. From external (on the external IP-address) port 8008 is open. From external (on the external IP-address) it is possible to connect to port 8008.
But the end-point of the connection to port 8008 is not the internal Linux system. The program "nmap" shows (from outside, against the external IP-address) the lines below:
Port Protocol State Service Version
22 tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu
8008 tcp open http Fortinet FortiGuard block page
So it seems that the end-point of a connection from external to port 8008 is the FortiGate and not the internal Linux system.
How is that possible?
How can port 8008 be closed from the external internet?
This is for the Blocking Page and Policy Override Authentication. You shouldn't close this port.
https://docs.fortinet.com/uploaded/files/3020/fortinet-communication-ports-and-protocols-54.pdf
________________________________________________________
--- NSE 4 ---
________________________________________________________
I will read that documentation.
On the Fortigate 200D, 23 VIPs are created, all in the same way. Only one VIP has port 8008 open; on the other VIPs port 8008 is closed.
Ok, that's strange. Do you have any UTM Profile applied to this VIP/Policy?
________________________________________________________
--- NSE 4 ---
________________________________________________________
Yes, now I see.
The policy for this VIP (with port 8008 open) has the following Security Profiles:
AntiVirus: AV default
IPS: protect_sftp_server
Proxy Options: PRX default
The policies for the other VIPs have only this Security Profile:
IPS: protect_sftp_server
The reason is that the SFTP-server behind the VIP with port 8008 open cannot have a white-list (/etc/hosts.allow).
The SFTP-servers behind the other VIPs all have a white-list.
The VIP with more Security Profiles has an extra port open.
That is not what I expect.
This is a "normal" behavior, as this port is used by the Fortigate for the UTM response. There was a similar post: https://forum.fortinet.com/tm.aspx?m=124655
The solution was to create a local-in policy (post 3) blocking this port, but be aware that this blocks any response or override pages globally.
________________________________________________________
--- NSE 4 ---
________________________________________________________
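The local-in policy mentioned in the reply above, written out as an added example in FortiOS CLI syntax (this is not configuration from the thread, from post 3 of the linked thread, or from Fortinet's documentation). Assumptions: the internet-facing interface is named "wan1", local-in policy ID 1 is unused, and the service object name is made up for this example; the lines starting with "#" are explanatory comments, not CLI commands.

```fortios
# Added example: drop inbound TCP/8008 that is addressed to the FortiGate itself
# on the WAN interface, so the FortiGuard block page no longer answers from a VIP.
# Assumed: interface "wan1", free policy ID 1. "all" and "always" are the
# built-in address object and schedule.

# 1. A custom service object for TCP/8008 (the name is made up for this example).
config firewall service custom
    edit "TCP-8008-FortiGuard-page"
        set tcp-portrange 8008
    next
end

# 2. Local-in policy: local-in policies match traffic destined to the FortiGate
#    itself (which is where the block page is served from), not traffic that is
#    forwarded to the mapped host, so the SSH forwarding of the VIP is unaffected.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "TCP-8008-FortiGuard-page"
        set schedule "always"
        set action deny
    next
end
```

After applying it, repeat the nmap scan from the question against the external IP-address: port 22 should still be reported open with the OpenSSH banner, and 8008 should no longer show the "Fortinet FortiGuard block page" service. Because the policy is bound to one interface, the block and override pages stop only for connections arriving on that interface; users whose traffic enters through other interfaces still receive them. Anyone who relies on FortiGuard override pages for connections arriving on the WAN side needs to weigh that before deploying it, which is the caveat the reply above makes.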
In the last few days I read something about the UTM response. Sorry, but I still don't understand what port 8008 is used for. Does Fortinet send new threat prevention information to our Fortigate through this port?
Maybe this can clarify your question: TCP ports 8008 and 8010 are used for the FortiGuard block pages as well as the FortiGuard override pages. TCP port 8008 is open when a Web Filter profile with the FortiGuard override feature enabled is applied to a firewall policy. Port 8008 is also open when a proxy-based AV profile is applied to a firewall policy.
Source: http://kb.fortinet.com/kb/documentLink.do?externalID=FD33190
________________________________________________________
--- NSE 4 ---
________________________________________________________
Copyright 2024 Fortinet, Inc. All Rights Reserved.