Article Id 189921


This article explains how to close undesired open ports on the FortiGate itself, so that they no longer respond to scans from external sources.


In this example, we will use TCP Port 8000:
1) Create a Custom Service.

Go to Firewall Object/Service/Services and select 'Create New'.
Name: Port-8000
Protocol Type: TCP/UDP/SCTP
Protocol: TCP
Destination Port: 8000
Leave the other fields blank.
Select 'OK' to save.

2) Create the Local-In Policy.

This step has to be configured from the CLI.
# config firewall local-in-policy
    edit 1
        set intf "wan1"           <----- External interface.
        set srcaddr "all"         <----- Source.
        set dstaddr "all"         <----- Destination.
        set action deny           <----- Action.
        set service "Port-8000"   <----- Custom Service created in step 1.
        set schedule "always"
        set status enable
    next
end
To verify the settings, from the CLI type:
# config firewall local-in-policy
# show full-configuration
This policy cannot be checked from the web GUI, only from the CLI.
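The same two steps as one CLI session, with the custom service created from the CLI instead of the GUI, followed by a packet-level check that the port no longer answers. This is an added example, not part of the original article; the interface name wan1 and the sniffer filter are assumptions.

```text
# config firewall service custom
    edit "Port-8000"
        set protocol TCP/UDP/SCTP       <----- Same protocol type as the GUI step.
        set tcp-portrange 8000          <----- Destination port to block.
    next
end

# config firewall local-in-policy
    edit 1
        set intf "wan1"                 <----- External interface (assumed name).
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "Port-8000"         <----- Must match the service name exactly.
        set schedule "always"
        set status enable
    next
end

# diagnose sniffer packet wan1 'tcp port 8000' 4 10   <----- Inbound SYNs should be seen with no SYN/ACK from the FortiGate.
```

Local-in policies are matched top down, so if an accept entry for a trusted management source is also needed, give it a lower edit number than the deny.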

Special Note:
Ports which are handled by session helpers, such as SIP or SCCP, are not affected by this change.
To deny these, follow the steps in the related articles below.


Related Articles

Troubleshooting Tip: FortiGate session table information

Technical Tip: Disabling VoIP Inspection

Technical Tip: Enable and disable FortiGate system session helpers