FortiGate
Ashika17
Staff
Article Id 274921
Description

This article explains why, after the FortiManager Cloud connector is enabled on a FortiGate, a port scan against the external (WAN) interface of the FortiGate reports ports 541, 53, 80, and 443 as 'open', even though the corresponding administrative access protocols are disabled at the interface level.

Scope

FortiGate.
Solution

When a port scan shows ports 541, 53, 80, and 443 open on an external interface that has only 'FMG-Access' enabled under administrative access (all other administrative access protocols disabled), the ports appear open for the following reasons:

 

FOR PORT 541:

  • Port 541 is the default port for FortiGate-to-FortiManager (FGFM) traffic, so enabling 'FMG-Access' on an interface makes the FortiGate listen on TCP port 541 on that interface.

Related document:

FGFM - FortiGate to FortiManager Protocol

 

Note:

Port 542 is used for the IPv6 FGFM connection.

 

FOR PORT 53 (DNS):

  • On the FortiGate, central management is configured with the FQDN 'fortimanager.forticloud.com' rather than an IP address.
  • Because an FQDN is used, the FortiGate must resolve it to an IP address before it can communicate with FortiManager Cloud.
  • This DNS resolution is why port 53 is involved here.

Related document:

FortiManager Cloud service


FOR PORT 80 and 443:

  • Another requirement for the connection between the FortiGate and FortiManager/FortiManager Cloud to establish is that the TLS versions on both ends must match or be compatible.

Related article:

Troubleshooting Tip: How to troubleshoot connectivity issues between FortiGate and FortiManager

  • Because the SSL/TLS version is checked here, the ports involved are port 80 (HTTP) and port 443 (HTTPS).
  • If FortiManager Cloud access is required and these ports show up as open to the Internet, a scan result of 'open' only means the FortiGate is listening on them: the FortiGate permits inbound traffic from external sources on these ports only if a firewall policy explicitly allows it. Traffic addressed to the FortiGate itself can additionally be restricted with local-in policies ('config firewall local-in-policy'), for example to limit which sources may reach port 541.
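As an added example (not Fortinet code and not part of this article), the following Python script turns the reasoning above into a repeatable check: it parses constructed samples of 'show system interface wan1' and 'show system central-management' CLI output together with nmap grepable (-oG) output for the WAN address, maps each open port back to the setting that explains it, and flags any port that neither allowaccess nor central management accounts for. The allowaccess-to-port table (default ports assumed), the sample config and scan output, and the extra port 8443 in the scan are assumptions made for the example.

```python
import re

# Listening ports each FortiOS 'allowaccess' service opens on an interface.
# Assumed defaults: HTTPS/SSH move if admin-sport / admin-ssh-port are changed.
ALLOWACCESS_PORTS = {
    "https": {443},
    "http": {80},
    "ssh": {22},
    "telnet": {23},
    "snmp": {161},
    "fgfm": {541, 542},   # 541 = FGFM over IPv4, 542 = FGFM over IPv6
    "ping": set(),        # ICMP, no TCP port
}

# Constructed sample of 'show system interface wan1' output.
SAMPLE_INTERFACE = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess fgfm
        set type physical
        set role wan
    next
end
"""

# Constructed sample of 'show system central-management' output.
SAMPLE_CENTRAL_MGMT = """\
config system central-management
    set type fortimanager
    set fmg "fortimanager.forticloud.com"
end
"""

# Constructed nmap grepable output (nmap -oG -) for the same WAN address.
# Port 8443 is included only to show how an unexplained port is flagged.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -oG - -p 1-10000 203.0.113.10
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///, 443/open/tcp//https///, 541/open/tcp//uucp-rlogin///, 8443/open/tcp//pcsync-https///\tIgnored State: closed (9995)
# Nmap done at Mon Jan  1 00:00:05 2024 -- 1 IP address (1 host up) scanned in 5.00 seconds
"""


def parse_allowaccess(interface_cfg, iface):
    """Return the allowaccess services enabled on `iface` ([] if none)."""
    block = re.search(r'edit "%s"(.*?)\n\s*next' % re.escape(iface), interface_cfg, re.S)
    if not block:
        return []
    match = re.search(r'set allowaccess (.+)', block.group(1))
    return match.group(1).split() if match else []


def central_management_target(central_cfg):
    """Return the FortiManager address/FQDN if type is fortimanager, else None."""
    if not re.search(r'^\s*set type fortimanager\s*$', central_cfg, re.M):
        return None
    match = re.search(r'set fmg "([^"]+)"', central_cfg)
    return match.group(1) if match else None


def parse_open_tcp_ports(nmap_grepable):
    """Open TCP ports from nmap -oG output."""
    return {int(p) for p in re.findall(r'(\d+)/open/tcp', nmap_grepable)}


def audit_scan(interface_cfg, central_cfg, nmap_grepable, iface="wan1"):
    """Split scanned-open ports into those the config explains (port -> reason)
    and those it does not (set), following the reasoning of this article."""
    explained = {}
    for svc in parse_allowaccess(interface_cfg, iface):
        for port in ALLOWACCESS_PORTS.get(svc, set()):
            explained[port] = "allowaccess %s on %s" % (svc, iface)

    target = central_management_target(central_cfg)
    if target:
        # TLS version compatibility check between FortiGate and FortiManager
        explained.setdefault(80, "central-management to %s (HTTP, TLS check)" % target)
        explained.setdefault(443, "central-management to %s (HTTPS, TLS check)" % target)
        if not re.fullmatch(r'\d{1,3}(\.\d{1,3}){3}', target):
            # FQDN rather than a literal IP: DNS resolution is needed
            explained.setdefault(53, "DNS resolution of %s" % target)

    open_ports = parse_open_tcp_ports(nmap_grepable)
    seen = {p: explained[p] for p in sorted(open_ports) if p in explained}
    unexplained = open_ports - set(explained)
    return seen, unexplained


if __name__ == "__main__":
    seen, unexplained = audit_scan(SAMPLE_INTERFACE, SAMPLE_CENTRAL_MGMT, SAMPLE_SCAN)
    for port, reason in seen.items():
        print("port %5d open: %s" % (port, reason))
    for port in sorted(unexplained):
        print("port %5d open: NOT explained by allowaccess or central-management; "
              "check 'diagnose sys tcpsock' and local-in policies" % port)
```

Run it as-is to see the report for the sample data, or replace the three samples with the real CLI and nmap output. A port the script cannot explain is worth a look at 'diagnose sys tcpsock' on the FortiGate to see which daemon is listening, rather than assuming it is harmless.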