Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
simonz_FTNT
Staff
Staff

Created on ‎04-24-2020 12:06 AM Edited on ‎04-16-2024 10:46 PM By Community Manager

Article Id 193666

Technical Tip: How to disable TCP ports 8008, 8010, 8015, and 8020 on VIP

Description


This article describes how to disable the FortiGuard used ports 8008, 8010, and 8020 from being exposed to external when using static NAT.


Explanation regarding these ports:

  • Port 8008 is used by the FortiGate to authenticate with FortiGuard when an HTTP override request occurs (FortiGuard web filter HTTP override authentication).
  • Port 8010 is used by FortiGate to authenticate with FortiGuard when an HTTPS override request occurs (FortiGuard web filter HTTPS override authentication).
  • Port 8015 is used by the FortiGate to authenticate with FortiGuard when a HTTPS override request occurs in flow mode (FortiGuard web filter https override authentication).
  • Port 8020 is used by the FortiGate for FortiGuard web filter warning authentication.

 

Also for other ports used by FortiGuard or others, we can use the solutions below.


When static NAT is configured to publish service port other than HTTPS with proxy inspection-mode UTM enable results in opening ports 8008, 8010, and 8020.  Port 8015 is opened if flow-based inspection mode is used. (FortiGuard) to external, below is the sample of configuration :


Client ---(Internet)---- (10.56.243.92)-port1-[FGT]-port3-(10.1.0.92)-----Email/Web Server-(10.1.0.67)
 

config firewall vip
    edit "Email_Web"
        set extip 10.56.243.92
        set extintf "any"
        set mappedip "10.1.0.67"
    next
end

config firewall policy

    edit 2
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Email_Web"
        set action accept
        set schedule "always"
        set service "ALL_ICMP" "SMTP"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set emailfilter-profile "default"         
        set ips-sensor "default"
        set logtraffic all
        set fsso disable
    next

 

Scope

 

FortiGate.


Solution

 

  1. Create a new certificate ssl-ssh-profile call “custom” or any preferable name with HTTPS disable.

 

config firewall ssl-ssh-profile
    edit "custom"
        config https
            set status disable
        end
        config ftps
            set ports 990
            set status deep-inspection
        end
        config imaps
            set ports 993
            set status deep-inspection
        end
        config pop3s
            set ports 995
            set status deep-inspection
        end
        config smtps
            set ports 465
            set status deep-inspection
        end
        config ssh
            set ports 22
            set status disable
        end
end

 

  1. Apply the newly created ssl-ssh-profile above to affect policy:

 

config firewall policy

    edit 2
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Email_Web"
        set action accept
        set schedule "always"
        set service "ALL_ICMP" "SMTP"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "custom"  <---------
        set emailfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
        set fsso disable
    next

 

If the same VIP is hosting HTTPS service, an additional firewall policy is required above the existing policy as the below example.

 

config firewall policy
    edit 3
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Email_Web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
        set fsso disable
    next

 

 

Solution 2:

 

  1. Create a Firewall policy with set match-vip enabled and specific custom service:

 

config firewall service custom

    edit "8010"
       set tcp-portrange 8010
    next

 

config firewall policy
    edit 6
        set name "blockvip"
        set uuid c95523f6-0cc2-51ec-9088-bd948d796fe5
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Email_Web"
        set schedule "always"
        set service "8010" <-----------
        set logtraffic disable
        set match-vip enable <------------
    next     

 

It is possible to check on the debug flow matching the denied Firewall Policy:

 

id=20085 trace_id=1 func=iprope_fwd_auth_check line=803 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-6"
id=20085 trace_id=1 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 6)" <--------------

 

Note:

After closing the VIP ports 8008, 8010, 8015, and 8020 make sure the tests are done from a computer that is not behind another FortiGate as FortiGate will intercept the traffic causing a false positive result.

 

If it requires to be done behind another FortiGate, it is necessary to disable those ports by 'set close-ports enable temporarily' and disable it back once testing is completed.

 

For more information regarding the use of the command set match-vip, check below:

Technical Tip: DENY Policy for Virtual IP Firewall Policy

Technical Tip: Firewall does not block incoming (WAN to LAN) connection even though deny policy

21601
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.