Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BusinessUser
Contributor

TCP port 179 is open in firewall

Why is tcp port 179 open in firewall even though BGP is not used?

Because it is scanned as being open.

Is there any way to disable it?

1 Solution
nweckel

Let's consider this topology:
172.16.1.1 ------ [LAN1|FGT|LAN2] ----- 192.168.1.1
LAN1 IP address: 172.16.1.2

You can block ping from 172.16.1.1 to 192.168.1.1 using firewall policy with srcintf LAN1 and dstintf LAN2.
But to block ping from 172.16.1.1 to 172.16.1.2, you need a local-in policy.

Easy example: In GUI navigate to Network> Interface. Edit an interface and allow administrative access ping.
This simply creates a local-in policy allow for ping on this interface.
You can display local-in policies in GUI in System> Feature Visibility.
If you don't allow administrative access ping on the interface: default local-in policy is used which is action=drop.

View solution in original post

25 REPLIES 25
BusinessUser

Ok so will putting a firewall rule instead of a local in policy solve the problem?

Using firewall policy in the GUI is "better" than using the CLI since we can keep track of what is going on.

Toshi_Esumi
Esteemed Contributor III

You can test it yourself and see it won't work. Because regular FW policies are for traffic coming in one interface and going out to the other interface on the FGT. Those BGP packets are destined to the FGT itself not going out to any interface. Only local-in-policy can block them, just like blocking VPN or hack attempts to the FGT.

 

Toshi

Toshi_Esumi
Esteemed Contributor III

Also just want to make sure you want to close BGP port on a different FGT or interfaces from the FGTs in your another post:
https://community.fortinet.com/t5/Support-Forum/Need-vrrp-configuration-template-for-special-case/td...

Those need BGP port open on the ISP interface because they use BGP with the ISP.

BusinessUser

I dont understand.

BGP packets have to come from the wan interface right?

Why are the bgp packets destined to the FGT itself?

srajeswaran

Whats the destination IP of the BGP packets? Isn't it an IP address on Firewall?

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

BusinessUser

Yes. But logically speaking I only put the ip address on the wan interface and lan interface.

 

So why wouldnt a firewall rule work just fine?

srajeswaran

Firewall policies are for passthrough traffic (source and destination are outside firewall), the don't come into picture when the destination is on firewall.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

BusinessUser

Hi,

but i never set any virtual ip or loopback. I dont really understand.

srajeswaran

Why do you need VIP or loopback? BGP can be on the physical interface itself.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

BusinessUser

That is what I don't understand.

I didn't set any loopback or virtual interface so why will traffic go directly to firewall?

Labels
Top Kudoed Authors