Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Stealth Ports
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stealth Ports
On my old router, the firewall had a checkbox to stealth all ports. Instead of reporting that a port was closed, if set, it would not issue a response at all. As such, the router, and the network behind it, was invisible to the Internet. Port Scans would not get a response on Port 113, or otherwise.
How do I accomplish the same thing on FortiOS? I understand there is an option to ignore Pings from the WAN, and I can forward Port 113 to an unused address, but how about other ports? Am I missing a setting somewhere? Is there an easy way to make the Fortigate invisible?
I read somewhere that the IPS signatures will detect and prevent Port Scans, but if I don' t opt for the UTM services, am I exposed?
Any advice or guidance would be appreciated.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you looked at the interface set ident-accept disable| enable command?
Enable or disable passing ident packets (TCP port 113) to the firewall policy. If set to disable, the FortiGate unit sends a TCP reset packet in response to an ident packet.
look here, but I think this what your talking about
http://docs.fortinet.com/cb/html/FOS_Cookbook/Install_advanced/cb_enhance_security.html
Oh the other question; am I exposed ?
The real question is exposed to what? What risked do you deem your network and security appliance has?
You can always schedule a port sweep and vulnerability test to your network and firewall appliance.
I find that disable remote admin on the untrust/external or if ssh is required, move it to a non well known port
Ensure that all fwpolices are check and primary the ordering
Disable weak ciphers
Bascially everything in that link should look at deploying and with regulary checks and audits.
just my 2 cts
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the info!
Wouldn' t sending a TCP Reset in response to an Ident packet tell the sender that there is a network present at the IP address targeted? Is this any different than having the router return a Port Closed response?
By exposed, I was referring to having my network completely hidden from port scans or probes from the WAN side. I am not hosting any servers and do not want any ports exposed to the Internet.
On other lesser SPI routers, as I mentioned in my original post, I can accomplish this with a single check-box. I am concerned that with all the configuration options available, I will not be able to properly lock-down my environment.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would suggest to take a look at local-in policies for ports which respond to requests due to implicit defaults.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I hope this answer your questions
Wouldn' t sending a TCP Reset in response to an Ident packet tell the sender that there is a network present at the IP address targeted? Is this any different than having the router return a Port Closed response? You have this backwards, with ident enable it won' t send a tcp-reset. You enable it per interface and the default is disable . With it disable, it sends a tcp-reset response such as this from probes; sudo tcpdump -nnnn -vvv -i ppp0 src net 192.16.153 tcpdump: listening on ppp0, link-type PPP (PPP), capture size 65535 bytes 06:03:40.001204 IP (tos 0x0, ttl 32, id 40446, offset 0, flags [none], proto TCP (6), length 40) 192.16.153.5.113 > 10.1.49.98.50534: Flags [R.], cksum 0x3a1e (correct), seq 0, ack 3493808439, win 0, length 0 By exposed, I was referring to having my network completely hidden from port scans or probes from the WAN side. I am not hosting any servers and do not want any ports exposed to the Internet. Will in that case , you want to drop port 541 also, than the fortigate will sit quietly With 514/tcp open 06:13:22.551278 IP (tos 0x80, ttl 56, id 49378, offset 0, flags [DF], proto TCP (6), length 52) 192.16.153.5.541 > 10.1.49.98.50621: Flags [.], cksum 0xd812 (correct), seq 85, ack 6, win 5792, options [nop,nop,TS val 97668268 ecr 294822558], length 0 06:13:22.552171 IP (tos 0x80, ttl 56, id 49379, offset 0, flags [DF], proto TCP (6), length 59) 192.16.153.5.541 > 10.1.49.98.50621: Flags [P.], cksum 0x7b0c (correct), seq 85:92, ack 6, win 5792, options [nop,nop,TS val 97668268 ecr 294822558], length 7 06:13:22.552202 IP (tos 0x80, ttl 56, id 49380, offset 0, flags [DF], proto TCP (6), length 52) 192.16.153.5.541 > 10.1.49.98.50621: Flags [F.], cksum 0xd80a (correct), seq 92, ack 6, win 5792, options [nop,nop,TS val 97668268 ecr 294822558], length 0 06:13:22.857135 IP (tos 0x80, ttl 56, id 34511, offset 0, flags [none], proto TCP (6), length 40) 192.16.153.5.541 > 10.1.49.98.50621: FlagsNot sure what you mean by SPI, but typically a router is not a firewall unless it' s running some type of stateless-firewall ( e.g cisco ZBFW advancesecurity , etc… ) I would not compare the 2. What you should be more concern with are the policies that you active have open allow traffic inbound and securing the hosts that are using such fwpolicies. A firewall no matter how good it is, don' t fix host specific problems or weak secure practices :) Any have good person can figure out a firewall is in place via traceroute. Just following that link, it provides some good practices. And no matter if it' s a fortigate/cisco/juniper or iptables., cksum 0xe61f (correct), seq 3787753917, win 0, length 0 ( you disable it here ) config system central-management set status disable set type fortimanager set auto-backup disable set schedule-config-restore enable set schedule-script-restore enable set allow-push-configuration enable set allow-pushd-firmware enable set allow-remote-firmware-upgrade enable set allow-monitor enable set fmg ' ' set vdom " root" set authorized-manager-only enable unset serial-number end FWIW: To validate, open a telnet to a unused port on your firewall, monitor for any noise such as reset or icmp port unreachables using tcpdump or a portscanner On other lesser SPI routers, as I mentioned in my original post, I can accomplish this with a single check-box. I am concerned that with all the configuration options available, I will not be able to properly lock-down my environment.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To get an additional overview of how a Fortigate itself may/does communicate with other devices by default, we found this KB article helpful.
(btw. SPI is referring to stateful packet inspection)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another useful command for port listeners and active sessions status;
diag sys tcpsock
It can provide alot of good information.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,685 -
FortiClient
1,756 -
5.2
801 -
FortiManager
727 -
5.4
639 -
FortiAnalyzer
556 -
FortiSwitch
474 -
FortiAP
471 -
FortiClient EMS
429 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
244 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
188 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiGateCloud
102 -
FortiAuthenticator
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
91 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
Certificate
34 -
RADIUS
33 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1710 | |
| 1093 | |
| 752 | |
| 446 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.