FortiGate
rphulekar (Staff)
Article Id 195373

Description

By default, FortiGate units only accept remote administrative access over HTTPS connections on TCP port 443, and only on the default internal network interface for that FortiGate model. Restricting administrative access by default helps to ensure that only the user can change the firewall policy and other security configurations.

It also improves the security of the FortiGate unit itself by reducing the number of ports that potential attackers can discover through network probes and port scans, a common way of finding open ports to target in denial of service (DoS) attacks. Fortinet strongly recommends disabling any external access for management unless it is absolutely necessary.

TCP port 113 (Ident/Auth) is an exception to this rule, although it is not commonly used. FortiGate units receiving an ident request on this port respond with a TCP RST, which resets the connection. This prevents the delay that would normally occur if the requesting host had to wait for the connection attempt to time out (499074).

From a security perspective, this behaviour can potentially be exploited (DoS attack).

If this service is not used, the FortiGate should be made invisible to probes: TCP RST responses to ident requests can be disabled, so that those requests are instead subject to firewall policies, thereby closing this port.

See how: Technical Tip: Configure the FortiGate to send TCP RST packet on session timeout.

Scope

FortiOS.

Solution

Disabling TCP RST responses to ident/auth requests is done per interface, through the CLI. For each network interface that should NOT respond to ident requests on TCP port 113, enter the following CLI commands:

 

config system interface
    edit <interface name>
        set ident-accept disable
    next
end

ident-accept enable  <-----  Enable determining a user's identity from packet identification.

This allows the ident traffic through the firewall interface as normal traffic, but no RST response is provided. It can be further controlled or blocked through local-in policies.

ident-accept disable (default)  <-----  Disable determining a user's identity from packet identification. No CPU power is needed to process such traffic.

The port is considered closed (no reply is sent) in both cases, even though some port scanning tools may report it as open. This can be verified through the FortiGate CLI by listing the ports in the listening state:

diag sys tcpsock | grep :113

See also: Technical Tip: View which ports are actively open and in use by FortiGate

For example, to disable ident responses on a network interface named port1, enter the following commands:

config system interface
    edit port1
        set ident-accept disable
    next
end
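Because the setting is per interface, it is easy to miss one on a unit with many ports. The following Python script is an added example (not part of this article or of FortiOS) that audits a saved FortiOS configuration backup, reports every interface whose ident-accept is set to enable, and generates the CLI snippet from the Solution section to turn it off. The configuration text, hostnames, interface names and addresses are constructed for illustration; the parser handles only the subset of the config syntax needed here and treats a missing ident-accept key as the default (disable), as the article states.

```python
import re

# Constructed sample of a FortiOS configuration backup (not taken from the article);
# interface names and addresses are made up for illustration.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-example"
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
        set ident-accept enable
        set type physical
    next
    edit "port2"
        set vdom "root"
        set ip 198.51.100.1 255.255.255.0
        set type physical
    next
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.2 255.255.255.0
        set ident-accept disable
        set type physical
    next
end
"""


def parse_interfaces(config_text):
    """Return {interface_name: {setting: value}} for the 'config system interface' block.

    Understands only 'config ... / end' blocks, 'edit <name> / next' entries and
    'set <key> <value>' lines. Nested 'config' sub-blocks inside an entry are skipped.
    """
    interfaces = {}
    in_block = False
    depth = 0          # nesting of 'config' sub-blocks inside the interface block
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            if line == "config system interface":
                in_block = True
            continue
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            if depth > 0:
                depth -= 1
                continue
            break      # closing 'end' of the interface block
        if depth > 0:
            continue   # ignore settings that belong to a nested sub-block
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set\s+(\S+)\s+(.*)$", line)
        if m and current is not None:
            interfaces[current][m.group(1)] = m.group(2).strip('"')
    return interfaces


def interfaces_accepting_ident(config_text):
    """Names of interfaces with 'ident-accept enable'.

    FortiOS backups omit settings that are at their default value, and the
    default for ident-accept is disable, so a missing key counts as disabled.
    """
    return sorted(
        name for name, settings in parse_interfaces(config_text).items()
        if settings.get("ident-accept", "disable") == "enable"
    )


def remediation_cli(names):
    """Build the per-interface CLI commands from the article for the given interfaces."""
    if not names:
        return ""
    lines = ["config system interface"]
    for name in names:
        lines += [f"    edit {name}", "        set ident-accept disable", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    found = interfaces_accepting_ident(SAMPLE_CONFIG)
    print("interfaces with ident-accept enable:", found)
    print(remediation_cli(found))
```

Run it against a real backup by reading the file into `config_text` instead of `SAMPLE_CONFIG`; on the constructed sample it reports port1 only, since port2 relies on the default and wan1 is explicitly disabled. After applying the generated commands, confirm on the unit with `diag sys tcpsock | grep :113` as described above.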