Description
This article describes how, by default, FortiGate units only accept remote administrative access over HTTPS connections on TCP port 443, and only on the default internal network interface for that FortiGate model. Restricting administrative access by default helps to ensure that only the administrator can change the firewall policy and other security configurations.
It also improves the security of the FortiGate unit itself by reducing the number of ports that potential attackers can discover by network probes and port scans, a common first step in preparing denial of service (DoS) attacks. Fortinet strongly recommends disabling any external access for management unless it is absolutely necessary.
TCP port 113 (Ident/Auth) is an exception to this rule, although the service itself is rarely used.
A FortiGate unit receiving an ident request on this port responds with a TCP RST, which resets the connection.
This prevents the delay that would otherwise occur while the requesting host waits for the connection attempt to time out (499074).
From a security perspective, however, the RST reveals that a device is present at that address, so this behaviour can potentially be abused (for example as part of a DoS attack).
Because the ident service is rarely needed, the FortiGate should instead be made invisible to probes on this port: disable the TCP RST responses to ident requests so that those requests are subject to the firewall and local-in policies like any other traffic, which effectively closes the port.
See also: Technical Tip: Configure the FortiGate to send TCP RST packet on session timeout.
Scope
FortiOS.
Solution
Disabling the TCP RST responses to ident/auth requests is done per interface, through the command line. Note that the RST is sent while 'ident-accept' is disabled (the default), so the setting has to be enabled on the interface to stop it.
For each network interface that should NOT answer ident requests on TCP port 113 with a RST, enter the following CLI commands:
config system interface
edit <interface name>
set ident-accept enable
next
end
ident-accept enable <- 'Enable determining a user's identity from packet identification.' Ident requests arriving on the interface are handled as normal traffic: no RST is sent, and the requests are subject to the firewall policies and can additionally be blocked with local-in policies.
ident-accept disable (default) <- 'Disable determining a user's identity from packet identification.' The FortiGate itself answers the SYN on port 113 with a RST; no CPU power is spent processing such traffic any further.
In neither case is anything listening on port 113 on the FortiGate: with ident-accept disabled the SYN is answered with a RST, and with ident-accept enabled the SYN is dropped or forwarded according to policy. Some port scanning tools may nevertheless report the port as open (see the note below). That nothing is listening can be verified through the FortiGate CLI by listing the TCP sockets in the listening state:
diag sys tcpsock | grep :113
Technical Tip: View which ports are actively open and in use by FortiGate
For example, to stop a network interface named port1 from answering ident requests with a RST, enter the following commands:
config system interface
edit port1
set ident-accept enable
next
end
Note: As long as 'ident-accept' is disabled, the FortiGate interface always answers a SYN to port 113 with a RST, even when the destination IP of that SYN is not the interface's own address. In other words, the FortiGate has intercepted the TCP 113 traffic, which never reaches its destination. A scanner that sent that SYN through the FortiGate and received the RST marks port 113 as open, and it has no way of knowing that the RST did not come from the destination IP it was actually scanning.
So, when port scanning a FortiGate, make sure the scanning traffic reaches the FortiGate directly rather than traversing another FortiGate; otherwise the reported status of port 113 will be inaccurate.
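The 'diag sys tcpsock' check above shows the FortiGate's own view (nothing listening on 113). The script below is an added example, not Fortinet code or part of this article, that shows the outside view a scanner gets: it attempts a TCP connection to the ident port and classifies the outcome as a RST (the ident-accept disable behaviour), silence (the SYN was dropped, as with ident-accept enable plus a local-in policy), an open service, or an unreachable host. The hostnames, the function names and the loopback demonstration are all assumptions made for the example; as the note above explains, the verdict only describes the FortiGate if the probe reaches it directly.

```python
import errno
import socket
import sys

# Added example (not Fortinet code): classify how a target answers a TCP
# connection attempt on the ident port, which is exactly what a port scanner sees.
#   "rst"         -> the SYN was answered with a TCP RST, the behaviour of a
#                    FortiGate interface with ident-accept disabled (default)
#   "silent"      -> no answer before the timeout: the SYN was dropped, e.g. by a
#                    local-in policy once ident-accept is enabled
#   "open"        -> the handshake completed, so a service really listens there
#   "unreachable" -> no route to the host, nothing can be concluded
# The result only describes the FortiGate if the probe reaches it directly: any
# FortiGate in the path with ident-accept disabled answers the SYN itself.

IDENT_PORT = 113


def probe_ident(host, port=IDENT_PORT, timeout=3.0):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:          # the kernel received a RST for our SYN
        return "rst"
    except (socket.timeout, TimeoutError):  # nothing came back at all
        return "silent"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def interpret(result):
    """Map a probe result to what it implies about the answering interface."""
    return {
        "rst": "RST received: ident-accept is disabled on the interface that answered",
        "silent": "no reply: the SYN was dropped, consistent with ident-accept enable "
                  "plus a local-in/firewall policy that does not allow TCP 113",
        "open": "a service accepted the connection; this is not a FortiGate "
                "interface with either ident-accept setting",
        "unreachable": "host unreachable; the probe says nothing about port 113",
    }[result]


def demo_local():
    """Self-contained demonstration on loopback (no FortiGate needed): a closed
    port answers with a RST just like ident-accept disabled, and a listening
    port shows what a real ident service looks like to the probe."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listening_port = listener.getsockname()[1]

    # Reserve and immediately release a port so that it is known to be closed.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        return {
            "listening": probe_ident("127.0.0.1", listening_port, timeout=1.0),
            "closed": probe_ident("127.0.0.1", closed_port, timeout=1.0),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python probe_ident.py <FortiGate interface IP>  (hypothetical filename)
        verdict = probe_ident(sys.argv[1])
        print(f"{sys.argv[1]}:{IDENT_PORT} -> {verdict}: {interpret(verdict)}")
    else:
        print(demo_local())
```

Run it against the interface address before and after 'set ident-accept enable': the verdict should change from "rst" to "silent" once the setting is enabled and no policy allows TCP 113. A plain connect() is used rather than raw SYN packets so the script needs no privileges; a full scanner such as nmap reports the same three outcomes as closed, filtered and open.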
Copyright 2025 Fortinet, Inc. All Rights Reserved.