Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- port scan are detected but not blocked
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 05-09-2008 06:36 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
port scan are detected but not blocked
hi all
i got a query that FGT is not blocking portscan,
" " I have been performing some basic tests of the IPS capabilities of our fortigate v2.80 - MR5. I started out testing the device' s portscan protection rules but have so far been unable to prevent the portscans from being succesfull. From the logs, I notice that the fortigate detects the scan, but allows it anyway.
I tested the device using the following scenario:
1. I opened all the ports between 2 fortigate interfaces
2. I configured all IPS options related to portscans. I enabled them and set the action to drop (and in other tests " clear session" and " drop session" )
3. I created my own profile (" maarten" ), configured it to follow IPS rules and attached it to the firewall policy that allows sessions betweed the wan1 and internal ports.
4. I enabled logging, so I would be able to follow the device' s reponse
=== scantop === fortigate === victim (host with ports listening on 22/TCP
and 8080/TCP)
When scanning my victim using nmap, all open ports are reported acurately.
It seems like the fortigate is not blocking my portscan, like you would expect from an IPS....
====================================================
NMAP and SYSLOG output:
====================================================
Starting nmap 3.70 ( http://www.insecure.org/nmap ) at 2004-10-25 10:18 W.
Europ
Interesting ports on 192.168.1.1:
(The 65533 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
Nmap run completed -- 1 IP address (1 host up) scanned in 654.401 seconds
====================================================
The fortigate logs:
Oct 25 10:17:33 FG.CORP.LAN date=2004-10-25 time=10:12:21
device_id=FGT-602803030270 log_id=0421073001 type=ips subtype=anomaly
pri=alert attack_id=100663398 src=172.16.152.162 dst=192.168.1.1
src_port=58020 dst_port=44993 src_int=n/a dst_int=n/a status=dropped
proto=6 service=44993/tcp msg=" anomaly: portscan, 1001 > threshold 1000,
repeated 67 times[Reference: http://www.fortinet.com/ids/ID100663398]"
Oct 25 10:17:35 FG.CORP.LAN date=2004-10-25 time=10:12:23
device_id=FGT-602803030270 log_id=0421073001 type=ips subtype=anomaly
pri=alert attack_id=100663402 src=172.16.152.162 dst=192.168.1.1
src_port=58020 dst_port=48556 src_int=n/a dst_int=n/a status=detected
proto=6 service=48556/tcp msg=" anomaly: tcp_src_session, 2001 > threshold
2000, repeated 67 times[Reference:
http://www.fortinet.com/ids/ID100663402]"
Oct 25 10:17:49 FG.CORP.LAN date=2004-10-25 time=10:12:37
device_id=FGT-602803030270 log_id=0421073001 type=ips subtype=anomaly
pri=alert attack_id=100663409 src=172.16.152.162 dst=192.168.1.1
src_port=58020 dst_port=53739 src_int=n/a dst_int=n/a status=detected
proto=6 service=53739/tcp msg=" anomaly: tcp_dst_session, 5001 > threshold
5000, repeated 3434 times[Reference:
http://www.fortinet.com/ids/ID100663409]"
Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41
device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed
pri=notice vd=root SN=10561 duration=20 rule=7 policyid=7 proto=554/tcp
service=554/tcp status=accept src=172.16.152.162 srcname=172.16.152.162
dst=192.168.1.1 dstname=192.168.1.1 src_int=n/a dst_int=n/a sent=40
rcvd=40 sent_pkt=1 rcvd_pkt=1 src_port=58020 dst_port=554 vpn=n/a
tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41
device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed
pri=notice vd=root SN=10562 duration=20 rule=7 policyid=7 proto=dns
service=dns status=accept src=172.16.152.162 srcname=172.16.152.162
dst=192.168.1.1 dstname=192.168.1.1 src_int=n/a dst_int=n/a sent=40
rcvd=40 sent_pkt=1 rcvd_pkt=1 src_port=58020 dst_port=53 vpn=n/a
tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41
device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed
pri=notice vd=root SN=10567 duration=20 rule=7 policyid=7 proto=3389/tcp
service=3389/tcp status=accept src=172.16.152.162 srcname=172.16.152.162
dst=192.168.1.1 dstname=192.168.1.1 src_int=n/a dst_int=n/a sent=40
rcvd=40 sent_pkt=1 rcvd_pkt=1 src_port=58020 dst_port=3389 vpn=n/a
tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41
device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed
pri=notice vd=root SN=10568 duration=20 rule=7 policyid=7 proto=389/tcp
service=389/tcp status=accept src=172.16.152.162 srcname=172.16.152.162
dst=192.168.1.1 dstname=192.168.1.1 src_int=n/a dst_int=n/a sent=40
rcvd=40 sent_pkt=1 rcvd_pkt=1 src_port=58020 dst_port=389 vpn=n/a
tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
=========================================================
As you can see, the fortigate firewall/IPS detects the anomaly, but still allows the portscan to continue. There is no IPS response that blocks the entire portscan. I had a tcpdump running on my victim to see if maybe port 22 and 8080 had been scanned before the threhold of the rules had been met. However, this did not seem to be the case. tcpdump reported a probe of port 8080 over a minute after the fortigate first detected the scan.
I was wondering if any of you have noticed the same behaviour on your
fortigates, or if you have different test results. I have included some
details of my configuration below.
Kind regards, Maarten Hartsuijker
Version:Fortigate-60 2.80,build250,040914
ids-db:2.139(10/19/2004 15:14)
config ips group " scan"
config rule " Nmap.TCP"
set action drop (tried " clear session" and " drop session"
options as well)
end
config rule " SYNScan.Portscan"
set action drop (tried " clear session" and " drop session"
options as well)
end
end
config ips anomaly " portscan"
set action drop (tried " clear session" and " drop session" options as
well)
set threshold " 1000"
end
config ips anomaly " syn_flood"
set threshold " 2000"
end
config firewall profile
.......
edit " maarten"
set imap fragmail
set pop3 fragmail
set smtp fragmail
set ips signature anomaly
next
end
config firewall policy
...
edit 2
set srcintf " internal"
set dstintf " dmz"
set srcaddr " all"
set dstaddr " all"
set action accept
set schedule " always"
set service " ANY"
set profile_status enable
set profile " maarten"
next
...
end
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
5 REPLIES 5
Not applicable
Created on 05-09-2008 10:29 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' m just wondering why you are testing against such old firmware.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually i just got query from one of my clients...
so is should check on the latest firmware...
and how about port scan...?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First: 2.8 MR5 is not " latest" but more like 3 years old Firmware.
staying on 2.8 we' re at MR13 or so already. But Major Release v3 is out already like for 2 years and we are at MR6 !.
So " FortiOS 3.0 MR6 patch1" is the latest.
Second:
What can be " blocked" from a portscan ?
Potentially a port-scan can be detected while having the ports closed; so what is Fortigate supposed to block ? The Source-IP ? and why... A Portscan itself is nothing bad and ususally good enough to be detected.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i want to drop the port scan session, as the open ports can be scaned and would be critical for security.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what do you mean " drop port scan session" ?
A port scan usually does not belong to a session, but rather to a (single) packet probe.....
So your question maybe: Can the SRC-IP be blocked permanently/temporarily in an automated way; no it can' t.
-R.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,682 -
FortiClient
1,756 -
5.2
801 -
FortiManager
727 -
5.4
639 -
FortiAnalyzer
556 -
FortiSwitch
474 -
FortiAP
470 -
FortiClient EMS
429 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
243 -
FortiAuthenticator v5.5
234 -
IPsec
207 -
FortiWeb
205 -
5.0
196 -
FortiNAC
188 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiGateCloud
102 -
FortiAuthenticator
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
91 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
Certificate
34 -
RADIUS
33 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1709 | |
| 1093 | |
| 752 | |
| 446 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.