Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
zack
New Contributor

Fortigate listening on port 8009

Hello My fortigate appears to be listening on port 8009 on our internet connected interfaces. Not cool. How do I turn that garbage off? I can;t find it anywhere in the GUI or CLI guide and I must be missing something.
(2) FortiGate 300A (clustered) 4.2.9 (1) Fortigate 310B 4.2.9 (1) Fortianalyzer 100C 4.2.4
16 REPLIES 16
jorge9090
New Contributor

Port 8009 is used to download the Forticlient software from the portal. Try searching the policy that enables it on your wan interfaces and disable it if you don' t need it. config firewall local-in-policy edit <policy_number> set status disable end Regards.
zack
New Contributor

There is no policy that enables this on the WAN interface - or any interface for that matter. I should not need to create a deny rule as the default deny all rule should cover it since there is no higher priority/ordered policy specifically allowing it. I think this is a service that needs to be disabled - as opposed to traffic that needs to be blocked...
(2) FortiGate 300A (clustered) 4.2.9 (1) Fortigate 310B 4.2.9 (1) Fortianalyzer 100C 4.2.4
emnoc
Esteemed Contributor III

8009
Just create a local firewire policy and custom service with a deny action config firewall service custom edit " port_8009_tcp" set protocol TCP/UDP/SCTP set tcp-portrange 8009 next end config firewall local edit 0 set intf " wan1" set srcaddr " all" set dstaddr " all" set service " port_8009_tcp" set schedule " always" next

PCNSE 

NSE 

StrongSwan  

jorge9090
New Contributor

Actually there is, but is applied by default in the local-in policies. You should see something like this on you firewall as well. As emnoc said, you can block the traffic with a policy specific to that port on your wan interfaces
zack
New Contributor

Son of a B*tch.... Well isn' t that just quaint... Thanks for the direction Jorge... props.. I wish they let me modify the local in policies - but no such love it appears... I love how it allows in traffic for routing protocols or vpn protocols I' m not even using too. That' s sweet! </sarcasm>
(2) FortiGate 300A (clustered) 4.2.9 (1) Fortigate 310B 4.2.9 (1) Fortianalyzer 100C 4.2.4
emnoc
Esteemed Contributor III

I wish they let me modify the local in policies
What do you mean " wish the let you modify" you can.See the 2nd post ( by me ), you have the ability to filter anyting that ' s local no different than a juniper SRX . if you think about it. the allowaccess and local-in-policy is the exact same things on juniper SRX ( system services ) but 100x more effective and easier imho ( Okay not 100X better but 10 times better ) if you would execute the sample policy provided, you will see that 8009 would be close on a followup scan.
I should not need to create a deny rule as the default deny all rule should cover it since there is no higher priority/ordered policy specifically allowing it.
fwiw, regular fwpolicies ipv4 or ipv6 has nothing todo with this.

PCNSE 

NSE 

StrongSwan  

zack
New Contributor

@emnoc Negative.... I can not modify or delete local in policies. The GUI will not let me. I' m clicking away and nothing is happening. Unfortunately your reference to Juniper is not applicable because this isn' t a Juniper system - nor do I have them in my infrastructure. I' ve also created a firewall policy (as suggested) that is an explicit deny from any address/interface to any address/interface for the 8009 port/service and it STILL responds to port scans from the internet. So that doesn' t work either.
(2) FortiGate 300A (clustered) 4.2.9 (1) Fortigate 310B 4.2.9 (1) Fortianalyzer 100C 4.2.4
emnoc
Esteemed Contributor III

Repeat after me cli cli cli cli It ( fortigate ) is the same or similar to a juniper SRX to some degree. So if it can be done in a SRX, it probably be done on a FGT but simpler. And uses the same concept ( per-se ) and the fortinet engineers took what juniper did and made it smarter. And the WebGUI is slicker and quicker :) So yes you can do EVERYTHING in the CLI actually more than what you can do in the WebGUI. I spend approx 90% of my days work in CLI mode. fwiw; I don' t know of one fortigate model that will NOT allow you to modify local-in-policies if it has support for in policies.

PCNSE 

NSE 

StrongSwan  

zack
New Contributor

CLI I was afraid you were going to say that... My comfort level is not so high there. I rely on the GUI as my primary form of administration of the firewalls I have. I get very disappointed when vendors make functionality only available in a cli interface. I' m a visual person and place much value on a fully functional well made gui... I' ll venture into what you suggest though since you were comprehensive in your post. I' m bummed out about the lack of gui support though.
(2) FortiGate 300A (clustered) 4.2.9 (1) Fortigate 310B 4.2.9 (1) Fortianalyzer 100C 4.2.4