block port 10443
hi can someone please show me how to block port 10443 on fortigate?? pci scan fails on this port.
See the help section on "Use local-in policies to close open ports or restrict access".
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
If the PCI scan found some kind of SSL vulnerability at 10443, likely the public-facing interface is used for GUI admin access with port 10443, or SSL VPN is configured with port 10443. Admin access on the internet interface is not recommended and you should disable it on the interface. But if you're using SSL VPN, instead of shutting it down, you need to address the SSL vulnerability the scan is warning about. If not using it, you can shut it down on the "ssl.root" interface: "set status down".
Just run a
config global
diag sys tcpsock | grep 0.0.0.0
If the port is in listening mode it will show in the above output.
After that just create a new policy:
config firewall local-in-policy
edit 1
and then fill in the required fields.
diag sys tcpsock | grep 0.0.0.0
You have to be careful with that command: it shows tons of ports in listener state BUT that does mean they are in use.
Local-in policy would be the simplest method to secure 10443.
Ken Felix
PCNSE
NSE
StrongSwan
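The two fixes suggested in this thread (remove GUI admin access from the internet interface, and add a local-in policy that denies TCP/10443 to the FortiGate itself), written out as a FortiOS CLI sequence. This is an added example and not the configuration of anyone in the thread; it assumes the internet-facing interface is named "wan1", that VDOMs are not enabled, and that nothing you rely on (such as SSL VPN) is actually served on 10443. If SSL VPN does use 10443, do not deny it; fix the TLS findings the scan reported instead, as the reply above says.

```text
# Added example: close TCP/10443 on the internet interface of a FortiGate.
# Assumed names: interface "wan1", service object "TCP-10443", policy ID 1.
# If VDOMs are enabled, run "config global" for "config system interface"
# and "config vdom" / "edit root" for the firewall objects.

# 1. Make sure you are connected through a different interface (or the
#    console) before removing HTTPS admin access from wan1.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# 2. Describe the port as a service object so the policy can reference it.
config firewall service custom
    edit "TCP-10443"
        set tcp-portrange 10443
    next
end

# 3. Local-in policy: drop connections to the FortiGate itself on wan1/10443
#    from any source. Local-in policies only affect traffic destined for the
#    unit, not traffic passing through it.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "TCP-10443"
        set schedule "always"
        set action deny
        set status enable
    next
end

# 4. Check what is still listening. As noted above, a socket may appear in
#    this list even though the local-in policy now denies connections to it,
#    so confirm with a fresh external scan as well.
diagnose sys tcpsock | grep 10443
```

Order matters for step 1: if your own admin session is coming in over HTTPS on wan1, changing allowaccess disconnects it, so apply these from the console or from an internal interface.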
