Why is tcp port 179 open in firewall even though BGP is not used?
Because it is scanned as being open.
Is there any way to disable it?
Let's consider this topology:
172.16.1.1 ------ [LAN1|FGT|LAN2] ----- 192.168.1.1
LAN1 IP address: 172.16.1.2
You can block ping from 172.16.1.1 to 192.168.1.1 using a firewall policy with srcintf LAN1 and dstintf LAN2.
But to block ping from 172.16.1.1 to 172.16.1.2, you need a local-in policy.
Easy example: In the GUI navigate to Network > Interface. Edit an interface and allow administrative access ping.
This simply creates a local-in policy allowing ping on this interface.
You can display local-in policies in the GUI by enabling them in System > Feature Visibility.
If you don't allow administrative access ping on the interface, the default local-in policy is used, which is action=drop.
A packet with a destination IP of any of your interfaces is traffic destined to your firewall, not just traffic towards a loopback or virtual IP. If you ping your interface IP, that is also traffic destined to your firewall and it won't be processed by your firewall policies.
I don't understand this part: "If you ping your interface IP, that is also traffic destined to your firewall and it won't be processed by your firewall policies."
My firewall policies can block or allow ping, can't they?
This totally explains my queries.
Thanks
Hi @BusinessUser,
Firewall policies are for traffic passing through the FortiGate. Local-in policies are for traffic coming directly to the FortiGate itself. You need to create two local-in policies: one to allow port 179 from the ISP router and another one to block port 179 from any IP address.
Regards,
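The pair of local-in policies described above, written out as a FortiOS CLI example added here rather than taken from the thread. It assumes the ISP router is reached on interface "wan1", that "203.0.113.1" is a placeholder for the router's address, and that the predefined "BGP" service object (TCP/179) exists; the allow policy must come first because local-in policies are matched top-down.

```fortios
# Address object for the only peer allowed to reach TCP/179 on the FortiGate
# (203.0.113.1 is a placeholder, replace it with the ISP router's real IP).
config firewall address
    edit "ISP_Router"
        set subnet 203.0.113.1 255.255.255.255
    next
end

# Local-in policies apply to traffic destined to the FortiGate itself,
# so ordinary firewall policies never see this traffic.
config firewall local-in-policy
    # 1) Allow BGP (TCP/179) only from the ISP router.
    edit 1
        set intf "wan1"
        set srcaddr "ISP_Router"
        set dstaddr "all"
        set action accept
        set service "BGP"
        set schedule "always"
    next
    # 2) Deny BGP from everyone else; evaluated after policy 1.
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "BGP"
        set schedule "always"
    next
end
```

After applying, an external port scan against the WAN address should no longer report 179 as open, while the ISP router keeps its session; if BGP is not used at all, the first policy can simply be omitted.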
I also have just noticed Port 179 is open after running the ShieldsUp test. I have one port closed and Port 179 open, when previously everything was stealth.
I have a Raspberry Pi running Home Assistant and would like to know what is actually using this. Everything else I see is a very vague generic description of 179 and BGP.