abarushka
Staff
Article Id 193827

Description

 

This article describes why some ports appear open to a port scan once the traffic matches a firewall policy with UTM profiles in proxy inspection mode, even though those ports are closed on the server side.

 

Scope

 

Any supported version of FortiGate.

Solution

 

Topology

Scenario A:


The user is protected by FortiGate and runs a port scan (for example, with NMAP) against a server on the internet.

 
Scenario B:
 
The server is protected by FortiGate (the server has a public IP address and no VIP is used) and the user runs a port scan (for example, with NMAP) against the server.

 
During a security audit, an engineer may find ports reported as open even though they are closed on the server side. This happens when the traffic matches a firewall policy whose UTM security profiles run in proxy inspection mode.
In proxy inspection mode, FortiGate terminates the TCP connection itself, so two sessions are established: one between the user and FortiGate and one between FortiGate and the server. FortiGate answers the client's SYN with a SYN-ACK immediately, without waiting for the SYN-ACK from the server, so the scanner reports the port as open regardless of the server's real state. See the diagram below:
 
 
The set of ports the proxy inspects (and therefore answers on) is configured in the protocol options profile:
 
In the CLI:
 
config firewall profile-protocol-options
 
In the GUI:
 
Go to Policy & Objects -> Proxy Options.
 
Every port configured there is proxied, so FortiGate sends a SYN-ACK for each of them whether or not the port is open on the server side.
 
 
Additional ports appear open when deep inspection is in effect, because the SSL/SSH inspection profile adds its own port list to the set that is proxied.
That list is configured under the following:
 
In the CLI:
 
config firewall ssl-ssh-profile
 
In the GUI:
 
Go to Security Profiles -> SSL/SSH Inspection.
 
Every port configured there is likewise proxied, and FortiGate sends a SYN-ACK for each of them whether or not the port is open on the server side.
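As an added illustration (not taken from the article), the two CLI locations named above are shown with the per-protocol port settings that decide which ports FortiGate will proxy. The profile names and port values are assumptions for this example; check the profiles actually referenced by the firewall policy in question.

```text
# Protocol options profile referenced by the firewall policy (example values).
config firewall profile-protocol-options
    edit "default"
        config http
            set ports 80
            set status enable
        end
        config ftp
            set ports 21
            set status enable
        end
    next
end

# SSL/SSH inspection profile; with deep inspection the listed TLS ports
# are also terminated by the proxy and so answer SYN with SYN-ACK.
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config https
            set ports 443
            set status deep-inspection
        end
        config imaps
            set ports 993
            set status deep-inspection
        end
    next
end
```

The ports that show up in a scan as open are the union of the port lists in the protocol options profile and, when deep inspection is enabled, in the SSL/SSH inspection profile attached to the same policy.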
 

 
See examples below. Output may differ depending on the environment.

No UTM profile, or UTM profiles in flow inspection mode:
 
nmap <server IP address> -Pn
Not shown: 993 filtered ports
PORT     STATE  SERVICE
53/tcp   open   domain
113/tcp  closed ident
541/tcp  open   uucp-rlogin
1443/tcp open   ies-lm
2000/tcp open   cisco-sccp
5060/tcp open   sip
8008/tcp open   http
 
UTM in proxy inspection mode without deep inspection and default 'Proxy Options':
 
nmap <server IP address> -Pn
Not shown: 987 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http
110/tcp  open   pop3
113/tcp  closed ident
115/tcp  open   msrpc
143/tcp  open   imap
541/tcp  open   uucp-rlogin
1443/tcp open   ies-lm
2000/tcp open   cisco-sccp
5060/tcp open   sip
8008/tcp open   http
 
UTM in proxy inspection mode with deep inspection:
 
nmap <server IP address> -Pn
Not shown: 982 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http
110/tcp  open   pop3
113/tcp  closed ident
143/tcp  open   imap
443/tcp  open   https
465/tcp  open   smtps
541/tcp  open   uucp-rlogin
990/tcp  open   ftps
993/tcp  open   imaps
995/tcp  open   pop3s
1443/tcp open   ies-lm
2000/tcp open   cisco-sccp
5060/tcp open   sip
8008/tcp open   http
8010/tcp open   xmpp

 

When flow inspection is in effect, FortiGate does not send a SYN-ACK to the client until it has received the SYN-ACK from the server, so the scan reflects the server's real port state.
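An auditor who sees the three results above needs to separate ports the server really exposes from ports that only the proxy answers on. The following Python is an added example, not part of the Fortinet article: it parses the nmap output copied from the article, diffs the proxy-mode scans against the baseline scan, and attributes each extra port to the profile whose port list explains it. The two port sets are assumptions standing in for the administrator's real profile-protocol-options and ssl-ssh-profile port lists and must be replaced with the values configured on the FortiGate in use.

```python
"""Triage of nmap results taken behind a FortiGate policy with proxy-mode UTM.

Added example, not from the Fortinet article. The three scan outputs are the
ones printed in the article; the two port sets are assumed example values.
"""
import re

# Assumed port lists (example values, not read from a FortiGate).
PROXY_OPTIONS_PORTS = {21, 25, 80, 110, 143}       # ftp, smtp, http, pop3, imap
SSL_INSPECTION_PORTS = {443, 465, 990, 993, 995}   # https, smtps, ftps, imaps, pop3s

# Scan with no UTM, or with UTM in flow inspection mode (from the article).
BASELINE_SCAN = """\
Not shown: 993 filtered ports
PORT     STATE  SERVICE
53/tcp   open   domain
113/tcp  closed ident
541/tcp  open   uucp-rlogin
1443/tcp open   ies-lm
2000/tcp open   cisco-sccp
5060/tcp open   sip
8008/tcp open   http
"""

# Scan with UTM in proxy mode, default Proxy Options, no deep inspection.
PROXY_SCAN = """\
Not shown: 987 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http
110/tcp  open   pop3
113/tcp  closed ident
115/tcp  open   msrpc
143/tcp  open   imap
541/tcp  open   uucp-rlogin
1443/tcp open   ies-lm
2000/tcp open   cisco-sccp
5060/tcp open   sip
8008/tcp open   http
"""

# Scan with UTM in proxy mode and deep inspection enabled.
DEEP_SCAN = """\
Not shown: 982 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http
110/tcp  open   pop3
113/tcp  closed ident
143/tcp  open   imap
443/tcp  open   https
465/tcp  open   smtps
541/tcp  open   uucp-rlogin
990/tcp  open   ftps
993/tcp  open   imaps
995/tcp  open   pop3s
1443/tcp open   ies-lm
2000/tcp open   cisco-sccp
5060/tcp open   sip
8008/tcp open   http
8010/tcp open   xmpp
"""

# One nmap port line: "<port>/<proto> <state> <service>".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$", re.M)


def parse_nmap(text):
    """Return {port: (state, service)} for every port line in nmap normal output."""
    return {int(port): (state, service)
            for port, _proto, state, service in PORT_LINE.findall(text)}


def open_ports(text):
    """Set of ports nmap reported as open."""
    return {port for port, (state, _svc) in parse_nmap(text).items() if state == "open"}


def proxy_induced_ports(baseline_text, utm_text):
    """Ports open behind the proxy-mode policy that the baseline scan did not show."""
    return open_ports(utm_text) - open_ports(baseline_text)


def classify(extra_ports):
    """Attribute each extra port to the profile whose port list explains it."""
    return {
        "proxy_options": sorted(extra_ports & PROXY_OPTIONS_PORTS),
        "ssl_ssh_profile": sorted(extra_ports & SSL_INSPECTION_PORTS),
        "unexplained": sorted(extra_ports - PROXY_OPTIONS_PORTS - SSL_INSPECTION_PORTS),
    }


if __name__ == "__main__":
    for label, scan in (("proxy mode", PROXY_SCAN), ("deep inspection", DEEP_SCAN)):
        extra = proxy_induced_ports(BASELINE_SCAN, scan)
        print(label, classify(extra))
```

Anything that lands in the "unexplained" bucket (here 115 and 8010, because the assumed port lists do not contain them) is exactly what to check against the profiles actually attached to the policy before treating the port as a real exposure on the server.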
