Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BusinessUser
Contributor

TCP port 179 is open in firewall

Why is tcp port 179 open in firewall even though BGP is not used?

Because it is scanned as being open.

Is there any way to disable it?

1 Solution
nweckel

Let's consider this topology:
172.16.1.1 ------ [LAN1|FGT|LAN2] ----- 192.168.1.1
LAN1 IP address: 172.16.1.2

You can block ping from 172.16.1.1 to 192.168.1.1 using firewall policy with srcintf LAN1 and dstintf LAN2.
But to block ping from 172.16.1.1 to 172.16.1.2, you need a local-in policy.

Easy example: In GUI navigate to Network> Interface. Edit an interface and allow administrative access ping.
This simply creates a local-in policy allow for ping on this interface.
You can display local-in policies in GUI in System> Feature Visibility.
If you don't allow administrative access ping on the interface: default local-in policy is used which is action=drop.

View solution in original post

25 REPLIES 25
srajeswaran

A packet with destination IP of any of your interface is a traffic destined to your firewall, not just towards loopback or virtual IP. If you ping your interface IP, that is also a traffic destined to your firewall and it won't be processed by your firewall policies.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

BusinessUser

I dont understand this part: If you ping your interface IP, that is also a traffic destined to your firewall and it won't be processed by your firewall policies.

 

My firewall policies can block or allow ping isnt it?

nweckel

Let's consider this topology:
172.16.1.1 ------ [LAN1|FGT|LAN2] ----- 192.168.1.1
LAN1 IP address: 172.16.1.2

You can block ping from 172.16.1.1 to 192.168.1.1 using firewall policy with srcintf LAN1 and dstintf LAN2.
But to block ping from 172.16.1.1 to 172.16.1.2, you need a local-in policy.

Easy example: In GUI navigate to Network> Interface. Edit an interface and allow administrative access ping.
This simply creates a local-in policy allow for ping on this interface.
You can display local-in policies in GUI in System> Feature Visibility.
If you don't allow administrative access ping on the interface: default local-in policy is used which is action=drop.

BusinessUser

THis totally explains my queries.

Thanks

hbac

Hi @BusinessUser

 

Firewall policies are for traffic passing through the FortiGate. local-in policies are for traffic coming directly to the FortiGate itself. You need to create two local-in policies, one to allow port 179 from ISP router and another one to block port 179 from any IP addresses. 

 

Regards, 

megumi35
New Contributor

I also have just noticed Port 179 is open after running the ShieldsUp test. I have one port closed and Port 179 open, when previously everything was stealth.

I have a Raspberry Pi running Home Assistant and would like to know what is actually using this. Everything else I see is a very vague generic description of 179 and BGP.

https://omegle.onl/ vshare
Top Kudoed Authors