Why is tcp port 179 open in firewall even though BGP is not used?
Because it is scanned as being open.
Is there any way to disable it?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Let's consider this topology:
172.16.1.1 ------ [LAN1|FGT|LAN2] ----- 192.168.1.1
LAN1 IP address: 172.16.1.2
You can block ping from 172.16.1.1 to 192.168.1.1 using firewall policy with srcintf LAN1 and dstintf LAN2.
But to block ping from 172.16.1.1 to 172.16.1.2, you need a local-in policy.
Easy example: In GUI navigate to Network> Interface. Edit an interface and allow administrative access ping.
This simply creates a local-in policy allow for ping on this interface.
You can display local-in policies in GUI in System> Feature Visibility.
If you don't allow administrative access ping on the interface: default local-in policy is used which is action=drop.
Created on 10-07-2023 05:12 AM Edited on 10-07-2023 05:13 AM
Ok so will putting a firewall rule instead of a local in policy solve the problem?
Using firewall policy in the GUI is "better" than using the CLI since we can keep track of what is going on.
You can test it yourself and see it won't work. Because regular FW policies are for traffic coming in one interface and going out to the other interface on the FGT. Those BGP packets are destined to the FGT itself not going out to any interface. Only local-in-policy can block them, just like blocking VPN or hack attempts to the FGT.
Toshi
Also just want to make sure you want to close BGP port on a different FGT or interfaces from the FGTs in your another post:
https://community.fortinet.com/t5/Support-Forum/Need-vrrp-configuration-template-for-special-case/td...
Those need BGP port open on the ISP interface because they use BGP with the ISP.
I dont understand.
BGP packets have to come from the wan interface right?
Why are the bgp packets destined to the FGT itself?
Whats the destination IP of the BGP packets? Isn't it an IP address on Firewall?
Yes. But logically speaking I only put the ip address on the wan interface and lan interface.
So why wouldnt a firewall rule work just fine?
Firewall policies are for passthrough traffic (source and destination are outside firewall), the don't come into picture when the destination is on firewall.
Hi,
but i never set any virtual ip or loopback. I dont really understand.
Why do you need VIP or loopback? BGP can be on the physical interface itself.
That is what I don't understand.
I didn't set any loopback or virtual interface so why will traffic go directly to firewall?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.