FortiGate
rphulekar
Staff
Article Id 195373

Description

 

This article describes how, by default, FortiGate units only accept remote administrative access over HTTPS connections on TCP port 443, and only on the default internal network interface for that FortiGate model. Restricting administrative access by default helps to ensure that only the administrator can change the firewall policy and other security configurations.

 

It also improves the security of the FortiGate unit itself by reducing the number of ports that potential attackers can discover through network probes and port scans, a common way of finding open ports to target with denial of service (DoS) attacks. Fortinet strongly recommends disabling management access from external interfaces unless it is absolutely necessary.

 

TCP port 113 (Ident/Auth) is an exception to this rule, but it is not commonly used.
FortiGate units receiving an ident request on this port respond with a TCP RST, which resets the connection.
This prevents the delay that normally occurs if the requesting hosts were to wait for the connection attempt to time out (499074).

 

From a security perspective, this RST response tells anyone probing port 113 that a device is present, and it can potentially be exploited (DoS attack).

Since the ident service is rarely used, the FortiGate should be made invisible to such probes: the TCP RST response to ident requests can be disabled so that these requests are instead subject to firewall policies, which effectively closes the port.

 

See how: Technical Tip: Configure the FortiGate to send TCP RST packet on session timeout.

 

Scope

 

FortiGate.

 

Solution

 

Disabling TCP RST responses to ident/auth requests is done per interface, through the command line.
For each network interface that should NOT answer ident requests on TCP port 113 with an RST, enter the following CLI commands. Note the direction of the setting: 'ident-accept' must be set to enable, which makes the FortiGate stop answering with RST and treat the traffic as ordinary traffic instead.

 

config system interface
    edit <interface name>
        set ident-accept enable
    next
end

 

ident-accept enable  <-  'Enable determining a user's identity from packet identification.'
Port 113 traffic is passed through the interface as normal traffic and no RST response is provided. The traffic can be further controlled, or blocked altogether, through local-in policies.

ident-accept disable (default)  <-  'Disable determining a user's identity from packet identification.'
The FortiGate answers ident requests with a TCP RST, so no CPU power is spent processing such traffic.

In both cases nothing on the FortiGate is listening on port 113 (no ident reply is ever sent), even though some port scanning tools will report it as an open port. This can be verified from the FortiGate CLI by listing the sockets in the listening state:

 

diagnose sys tcpsock | grep :113

 

Technical Tip: View which ports are actively open and in use by FortiGate

 

For example, to disable ident RST responses on a network interface named port1, enter the following commands:

 

config system interface
    edit port1
        set ident-accept enable
    next
end

 

How to make the FortiGate silently drop ident instead of responding with an RST:

To achieve this, ident-accept has to be set to enable and a local-in policy configured to silently drop the traffic. With neither a SYN-ACK nor an RST coming back, the FortiGate no longer answers at all, and an Nmap scan of port 113 reports it accurately (as filtered rather than open).

 

Sample Configuration

 

config system interface
   edit "mgmt"
     set vdom "root"
     set ip 1.2.3.4 255.255.255.252
     set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm speed-test  <--- sample only; http and telnet are cleartext management protocols and should normally be left out of allowaccess
     set ident-accept enable <--- required, otherwise the RST is sent before any local-in policy is consulted
     ...
   next
end

config firewall service custom
   edit "ident"
     set tcp-portrange 113
   next
end

config firewall local-in-policy
   edit 1
     set intf "any"
     set srcaddr "all"
     set dstaddr "all"
     set action deny  <--- deny is the default action for a local-in policy; stated explicitly here so the drop is visible in the configuration
     set service "ident"
     set schedule "always"
   next
end

 

Note:

As long as 'ident-accept' is disabled, the FortiGate interface will always answer a SYN to port 113 with an RST, even if the destination IP of that SYN is not the interface's own address. In other words, the FortiGate intercepts TCP 113 traffic passing through it, and that traffic never reaches its real destination. When a scanner sends such a SYN and receives this RST, it marks port 113 as open, with no way of knowing that the RST did not come from the destination IP it was actually scanning.

 

So, when port scanning a FortiGate, make sure the scanning traffic reaches that FortiGate directly rather than traversing another FortiGate with 'ident-accept' disabled. Otherwise the reported status of port 113 will be inaccurate.
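To check the result from the scanner's side, the following Python script is an added example; it is not part of the original article and not Fortinet tooling. It connects to TCP/113 and classifies the outcome the way a SYN scan would, telling apart a completed handshake (open), an RST (closed) and a silent drop (filtered), and once connected it can send an RFC 1413 ident query and record whether a reply or a reset comes back. The fake ident server, the canned 'USERID' response and the loopback targets are constructed so the script runs offline; against a real FortiGate you would call probe_ident() with the interface address.

```python
"""Probe TCP/113 (ident) and classify what the target did with our SYN.

Added example, not from the original article. Distinguishes the three
outcomes relevant to the ident-accept / local-in policy settings above:
  open     - handshake completed (a SYN-ACK came back)
  closed   - the target answered the SYN with RST (ECONNREFUSED)
  filtered - nothing came back before the timeout (silently dropped)
"""
import socket
import threading
from typing import Optional

IDENT_PORT = 113


def ident_query(server_port: int, client_port: int) -> bytes:
    """Build an RFC 1413 request: '<port on queried host>, <port on our side>'."""
    return f"{server_port}, {client_port}\r\n".encode("ascii")


def classify_error(exc: BaseException) -> str:
    """Map a failed connect() to scanner vocabulary."""
    if isinstance(exc, ConnectionRefusedError):
        return "closed"      # RST received in reply to the SYN
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"    # no SYN-ACK and no RST: dropped on the far side
    return "error: " + exc.__class__.__name__


def probe_ident(host: str, port: int = IDENT_PORT, timeout: float = 2.0,
                query: Optional[bytes] = None) -> dict:
    """Connect to host:port; optionally send an ident query and record the reply."""
    result = {"host": host, "port": port, "state": None, "reply": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["state"] = "open"
            if query is not None:
                sock.sendall(query)
                try:
                    result["reply"] = sock.recv(512)
                except (ConnectionResetError, socket.timeout, TimeoutError) as exc:
                    # A host that completes the handshake and then resets is
                    # still "open" to a SYN scan; the reset only shows up here.
                    result["reply"] = "no data: " + exc.__class__.__name__
    except OSError as exc:
        result["state"] = classify_error(exc)
    return result


def start_fake_ident_server(response: bytes) -> int:
    """Constructed stand-in for a host that answers ident; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(512)           # read the query, answer with the canned reply
            conn.sendall(response)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_local_port() -> int:
    """Reserve and release an ephemeral port so nothing listens on it (RST case)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo() -> dict:
    """Run the three cases against constructed local targets."""
    open_port = start_fake_ident_server(b"6191, 23 : USERID : UNIX : stjohns\r\n")
    return {
        "open": probe_ident("127.0.0.1", open_port, query=ident_query(6191, 23)),
        "closed": probe_ident("127.0.0.1", closed_local_port()),
        # A dropped SYN surfaces as a connect timeout, which maps to "filtered".
        "filtered": classify_error(TimeoutError()),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

Against a FortiGate, the state you want after applying the local-in policy above is "filtered": a "closed" result means the RST is still being sent (ident-accept still disabled, or the scan passed through another FortiGate on the path), and "open" means the handshake completed and nothing is dropping the traffic.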