Created on 06-08-2006 12:00 AM Edited on 03-08-2024 07:20 AM By Jean-Philippe_P
Description
This article describes how, by default, FortiGate units accept remote administrative access only over HTTPS connections on TCP port 443, and only on the default internal network interface for that FortiGate model. Restricting administrative access by default helps to ensure that only the administrator can change the firewall policy and other security configurations.
It also improves the security of the FortiGate unit itself by reducing the number of ports that potential attackers can discover through network probes and port scans, a common way of finding open ports to target with denial of service (DoS) attacks. Fortinet strongly recommends disabling external access for management unless it is absolutely necessary.
TCP port 113 (Ident/Auth) is an exception to this rule, although the service is rarely used.
FortiGate units that receive an ident request on this port respond with a TCP RST, which resets the connection.
This avoids the delay that would otherwise occur while the requesting host waits for the connection attempt to time out (499074).
From a security perspective, this behaviour can potentially be exploited (DoS attack).
Because the service is rarely needed, the FortiGate should be made invisible to probes: TCP RST responses to ident requests can be disabled so that those requests are instead subject to firewall policies, which effectively closes the port.
See also: Technical Tip: Configure the FortiGate to send TCP RST packet on session timeout.
Scope
FortiOS.
Solution
Disabling TCP RST responses to ident/auth requests is configured per interface, through the CLI.
For each network interface that should NOT respond to ident requests on TCP port 113, enter the following CLI commands:
config system interface
edit <interface name>
set ident-accept enable
next
end
ident-accept enable <----- Enable determining a user's identity from packet identification.
Ident traffic arriving on the interface is handled as normal traffic and no RST response is sent; it can then be further controlled, or blocked, through local-in policies.
ident-accept disable (default) <----- Disable determining a user's identity from packet identification. The interface answers ident requests with the TCP RST described above; no CPU power is needed to process such traffic.
The port is considered closed (no reply is sent) in both cases, even though some port scanning tools may report it as open. This can be verified from the FortiGate CLI by listing the ports in the listening state:
diag sys tcpsock | grep :113
Technical Tip: View which ports are actively open and in use by FortiGate
For example, to disable ident responses on a network interface named port1, enter the following command:
config system interface
edit port1
set ident-accept enable
next
end
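To confirm the change from a host on the affected network, it helps to distinguish the three outcomes a connection attempt to TCP/113 can have: a TCP RST (the default FortiGate behaviour), no response at all (what the interface should show once ident requests are no longer answered and no local-in policy permits them), or a completed handshake (a service actually listening). The following Python script is an added example and not part of the original article or any Fortinet tool; the target address 192.0.2.1 is a placeholder for the FortiGate interface IP, and the loopback listener helpers exist only so the classifier can be exercised offline.

```python
import socket
import sys
from typing import Literal

# Possible classifications of a single TCP connect attempt.
Result = Literal["accepted", "rst", "no-response", "error"]


def probe_ident_port(host: str, port: int = 113, timeout: float = 3.0) -> Result:
    """Attempt one TCP connection to host:port and classify how the peer reacted.

    "rst"         -> the SYN was answered with a TCP RST (connection refused);
                     this is the default FortiGate reaction to an ident request.
    "no-response" -> neither SYN-ACK nor RST arrived within the timeout; the probe
                     learns nothing, which is the goal of disabling RST responses.
    "accepted"    -> the three-way handshake completed, so a service is listening.
    "error"       -> any other socket error (unreachable network, name lookup, ...).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "accepted"
    except ConnectionRefusedError:
        # Must be caught before the generic OSError branch below.
        return "rst"
    except socket.timeout:
        return "no-response"
    except OSError:
        return "error"
    finally:
        sock.close()


def _local_listener() -> tuple[socket.socket, int]:
    """Constructed test fixture: an ephemeral loopback listener (simulates "accepted")."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def _closed_loopback_port() -> int:
    """Constructed test fixture: a loopback port nothing listens on (simulates "rst")."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()  # the kernel now refuses connections to this port with a RST
    return port


if __name__ == "__main__":
    # Placeholder address (RFC 5737 documentation range); pass the real interface IP as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print(f"TCP/113 on {target}: {probe_ident_port(target)}")
```

Run the script before and after changing ident-accept: the result should move from "rst" to "no-response". An "accepted" result means something on the path is actually listening on port 113 and deserves a closer look at the local-in and forwarding policies.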
Copyright 2024 Fortinet, Inc. All Rights Reserved.