shahv
Staff
Article Id 189671

Description
This article describes how to block open ports on the FortiGate.

Solution
Below are the ports/protocols that are opened by design.

Ports.

500 & 4500 - VPN
1144 - Fusion Script
3799 - RADIUS dynamic Auth
520 - RIP
3784 - BFD Control Protocol

Protocols.

2 - IGMP (Internet Group Management)
89 - OSPFIGP
112 - VRRP
103 - PIM (Protocol Independent Multicast)


For example, if the RIP protocol is not used, create a service for that specific port and then create a local-in policy that references the service.

From CLI.

To block any port, follow the steps below to add a local-in policy that denies the traffic.

Create a service with the port.

# config firewall service custom
    edit "RIP"
        set category "General"
        set udp-portrange 520
    next
end

Add the local-in policy.

# config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "RIP"
        set schedule "always"
    next
end

Local-in policies are used to close open ports or otherwise restrict access to FortiGate.
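The article's example covers a UDP port. The entries under "Protocols" (IGMP, OSPF, VRRP, PIM) are IP protocol numbers rather than ports, so the service for those has to be defined by protocol number instead of a port range. The following is an added example, not part of the article, showing OSPF (protocol 89) blocked the same way; the service name "OSPF-Block" and policy ID 2 are assumptions, with ID 2 chosen so it does not collide with the RIP policy above.

```text
# Service keyed on IP protocol number, not a TCP/UDP port range
config firewall service custom
    edit "OSPF-Block"
        set category "General"
        set protocol IP
        set protocol-number 89
    next
end

# Local-in policy: action is stated explicitly rather than relying on the default
config firewall local-in-policy
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "OSPF-Block"
        set schedule "always"
        set status enable
    next
end
```

Local-in policies only govern traffic addressed to the FortiGate itself, so blocking OSPF here stops the unit from accepting OSPF packets without affecting routed traffic passing through it; confirm the result with "show firewall local-in-policy".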