Article
| Description |
By default, FortiGate units do not accept remote administrative access except by HTTPS connections on TCP port 443 to the default internal network interface for that FortiGate model. Restricting administrative access by default helps to ensure that only you can change your firewall policy and other security configurations. It also improves security of the FortiGate unit itself by reducing the number of ports that potential attackers can discover by network probes and port scans, a common method of discovering open ports for denial of service (DoS) attacks.
TCP port 113 (Ident/Auth) is an exception to this rule. By default, FortiGate units receiving an ident request on this port respond with a TCP RST, which resets the connection. This prevents delay that would normally occur if the requesting host were to wait for the connection attempt to time out.
This port is less commonly used today. If you do not use this service, and you prefer to make your FortiGate unit invisible to probes, you can disable TCP RST responses to ident requests and subject those requests to firewall policies, and thereby close this port.
|
| Components |
- All FortiGate units
- FortiOS 2.8 MR11 or greater, 5.0, 5.2, 5.4
|
| Steps or Commands |
To disable TCP RST responses to ident/auth requests
-
On the FortiGate unit, connect to the CLI.
-
For each network interface that should not respond to ident requests on TCP port 113, enter the following CLI commands:
config system interface
edit
set ident-accept enable
next
end
For example, to disable ident responses on a network interface names port1, you would enter the following commands:
config system interface
edit port1
set ident-accept enable
next
end
TCP 113 is closed.
|
Related Articles
Technical Note: Traffic Types and TCP/UDP Ports used by Fortinet Products
