Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
chinyu
New Contributor

How do I block a specific port on the Fortigate?

I thought this would be easy, but I am not finding a specific option for doing so. We recently had a system update from a vendor, and they are suggesting we block http port 5985 and https port 5986 at the firewall. I am logged into the Fortigate right now and thought I would just find where ports are already blocked and add these two to the list, but I don't see anything like that.

My thought is that everything is implicitly denied unless allowed, so this might already be blocked by default, but I want to confirm that to the vendor to complete the security on this setup.

Is there something I am missing while going through the menus? We're on version 7.0.7 - I am comfortable with the menus and interface and making changes, I'm just not sure where to go, and searching online for this option isn't yielding any good results.

Cajuntank
Contributor II

If you are talking about blocking ingress into your network, then yes, there is an implicit deny unless you have a specific policy allowing traffic in from these ports. If you are talking about blocking egress from your network, then you will need to create a service definition for that port range of 5985-5986 (you will also need to specify if it's TCP and/or UDP). Then you will create a policy with that new service defined and your action will be set to DENY instead of ACCEPT. Then move the policy up in the list to where it is being processed first before other policies accordingly.
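The CLI equivalent of the steps in the reply above, as an added example (not from the original thread or from Fortinet). It assumes the interface names `internal` and `wan1` and the object names `WinRM-5985-5986` and `Deny-WinRM-Egress`; those are placeholders to be replaced with your own. The policy ID assigned by `edit 0` is also assumed to be 20 for the `move` step; use the ID FortiOS actually prints.

```fortios
# 1. Service object covering the two ports from the question (TCP only;
#    add "set udp-portrange 5985-5986" if the vendor also means UDP).
config firewall service custom
    edit "WinRM-5985-5986"
        set tcp-portrange 5985-5986
    next
end

# 2. Deny policy for egress (LAN -> WAN) using that service.
#    "edit 0" lets FortiOS pick the next free policy ID.
#    logtraffic all records the hits so you can show the vendor the block works.
config firewall policy
    edit 0
        set name "Deny-WinRM-Egress"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "WinRM-5985-5986"
        set logtraffic all
    next
end

# 3. Move the new policy above the first ACCEPT policy for the same
#    interface pair so it is evaluated first (policies are top-down, first match).
#    Assumed IDs: 20 is the policy created above, 1 is the existing allow rule.
config firewall policy
    move 20 before 1
end

# 4. Verify: list the policy order, then watch for matching packets while a
#    test client tries to connect out on 5985/5986.
show firewall policy
diagnose sniffer packet any 'tcp port 5985 or tcp port 5986' 4
```

For inbound traffic from the WAN the implicit deny already covers these ports unless a policy or VIP forwards them, so the explicit deny is only needed in the direction you actually want to restrict.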

abarushka
Staff

Hello,

In case VIPs are used, you may consider following the KB below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LA...
