unknown1020
New Contributor III

Web services published on FortiGate

Good morning friends, a question.

I have several web services published on FortiGate. According to a report, I see that the attack events are related to the HTTP port.

What considerations should I take into account before removing the HTTP port from the publication?

Is it simply a matter of changing the port in the VIP, or are changes also required on the web servers?

7 REPLIES
hbac
Staff

Hi @unknown1020,

If you don't want port 80 to be exposed, you can remove the VIP that forwards port 80.

Regards,

unknown1020
New Contributor III

Hello, thank you for responding, but the port change must be made in the VIP and also on the server, right?

AEK
SuperUser

Hi Unknown,

You can change to HTTPS, but this will not prevent attacks. The best solution to block the attacks is to use a separate WAF appliance between the FG and the back-end server.

If the server is just for test purposes or you can't use a separate WAF, then you may use FortiGate's WAF profile with a virtual server object.

AEK
DPadula
Staff

As mentioned by AEK, changing the port number is not a solution.
Besides the WAF, have a look at DoS policies inside the FGT as well. They might help you prevent some of the attacks.
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/771644/dos-policy

unknown1020
New Contributor III

Thanks for the response. A question: when configuring a DoS policy, could that configuration increase the firewall CPU consumption? I plan to first put it in monitor mode to view the events, then apply the respective blocks.
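The monitor-first approach discussed in the two posts above, written out as a FortiOS CLI fragment. This is an added example, not configuration from any poster in the thread; the interface name "wan1" and the address object "web-vip-external" (the VIP's public IP, since DoS policies match before DNAT) are assumptions, and the thresholds are placeholders to be sized against the firewall's own baseline.

```fortios
# Added example (hypothetical). Record a baseline first, e.g. with
#   get system performance status
#   diagnose sys session stat
# so that later CPU/memory/session changes can be attributed to this feature.

# Phase 1: log only. Every anomaly keeps "action pass" so nothing is dropped,
# but each hit is logged, letting you compare the counts with normal traffic.
config firewall DoS-policy
    edit 1
        set comments "Web VIP - phase 1, monitor only"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "web-vip-external"
        set service "HTTP" "HTTPS"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action pass
                set threshold 2000
            next
            edit "tcp_dst_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action pass
                set threshold 1000
            next
        end
    next
end

# Phase 2: once the logs show the thresholds sit above legitimate peaks,
# switch only the anomalies you have validated from pass to block.
config firewall DoS-policy
    edit 1
        config anomaly
            edit "tcp_syn_flood"
                set action block
            next
        end
    next
end
```

Keep the log option enabled after switching to block so that the same events remain visible for the baseline comparison DPadula recommends.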

AEK

I think the DoS policy will consume the same CPU either in monitor mode or in block mode. As per my experience with it, it doesn't consume significant processing (nothing visible).

AEK
DPadula
Staff

Hi unknown1020,

A good strategy is to record a baseline of memory, CPU and sessions on busy and normal business days for the firewall operation.
Having that will help you in the future to identify whether a feature (not only DoS policies) or any change on the network has affected the environment.

As mentioned by my colleague AEK, I don't think enabling a DoS policy will add significant CPU usage.

Of course, every feature that you enable will always consume an amount of CPU and memory even if it is not in use. As a good practice, always disable features that you don't need.

Cheers
