Description
Firewall behavior for a port scan when Perimeter firewall is in proxy mode and DMZ firewall in flow mode.
d=20085 trace_id=11 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=6, 120.34.23.24:56850->150.230.43.43:2000) from Port3. flag [S], seq 3889154439, ack 0, win 42340"
id=20085 trace_id=11 func=init_ip_session_common line=5792 msg="allocate a new session-005044c5"
id=20085 trace_id=11 func=vf_ip_route_input_common line=2595 msg="find a route: flag=00000000 gw-150.230.43.43 via Port3"
id=20085 trace_id=11 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 9)"
Solution
Configure the Perimeter firewall with inspection mode set to Flow to avoid false positives.
Firewall behavior for a port scan when Perimeter firewall is in proxy mode and DMZ firewall in flow mode.
When a user tries to do a port scan for DMZ firewall interface IP address and if the traffic has to flow through Perimeter firewall which is in inspection mode set to proxy, the port scan result will be a false positive since the perimeter firewall will do proxy for the connection.
In a proxy-based policy, the TCP connection is proxied by the FortiGate.
A TCP 3-way handshake can be established with the client even though the server did not complete the handshake and vice versa.
Logs from Perimeter firewall.
Port1 in 120.34.23.24.12285 -> 150.230.43.43.2000: syn 893336424 <----- SYN packet received by a perimeter
Port1 out 150.230.43.43.2000 -> 120.34.23.24.12285: syn 1073939919 ack 893336425 <----- Perimeter firewall responded back with SYN-ACK even though 150.230.43.43 is not configured on its interface.
Port1 in 120.34.23.24.12285 -> 150.230.43.43.2000: ack 1073939920 <----- Proxy handshake completed.
Port2 out 120.34.23.24.12285 -> 150.230.43.43.2000: syn 3889154439 <----- First packet sent towards DMZ Firewall. DMZ firewall have 150.230.43.43 configured on its interface.
Port1 out 150.230.43.43.2000 -> 120.34.23.24.12285: syn 1073939919 ack 893336425 <----- Perimeter firewall responded back with SYN-ACK even though 150.230.43.43 is not configured on its interface.
Port1 in 120.34.23.24.12285 -> 150.230.43.43.2000: ack 1073939920 <----- Proxy handshake completed.
Port2 out 120.34.23.24.12285 -> 150.230.43.43.2000: syn 3889154439 <----- First packet sent towards DMZ Firewall. DMZ firewall have 150.230.43.43 configured on its interface.
If there is a security policy configured to drop the port scan traffic on DMZ firewall, traffic will be dropped but still a false positive results will appear in websites like ping.eu.
Logs from DMZ firewall.
d=20085 trace_id=11 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=6, 120.34.23.24:56850->150.230.43.43:2000) from Port3. flag [S], seq 3889154439, ack 0, win 42340"
id=20085 trace_id=11 func=init_ip_session_common line=5792 msg="allocate a new session-005044c5"
id=20085 trace_id=11 func=vf_ip_route_input_common line=2595 msg="find a route: flag=00000000 gw-150.230.43.43 via Port3"
id=20085 trace_id=11 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 9)"
Solution
Configure the Perimeter firewall with inspection mode set to Flow to avoid false positives.
Related Articles
