Support Forum
don_arachchi
New Contributor

block port 10443

Hi, can someone please show me how to block port 10443 on FortiGate? The PCI scan fails on this port.

Dave_Hall
Honored Contributor

See the help section on "Use local-in policies to close open ports or restrict access".

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Toshi_Esumi
Esteemed Contributor III

If the PCI scan found some kind of SSL vulnerability at 10443, likely the public-facing interface is used for GUI admin access on port 10443, or SSL VPN is configured with port 10443. Admin access on the internet interface is not recommended and you should disable it on the interface. But if you're using SSL VPN, instead of shutting it down, you need to address the SSL vulnerability the scan is warning about. If you're not using it, you can shut it down on the "ssl.root" interface: "set status down".

manishchawla
New Contributor

Just run:

config global

diag sys tcpsock | grep 0.0.0.0

If the port is in listening mode it will show in the above output.

After that just create a new policy:

config firewall local-in-policy

edit 1

and then fill in the required fields.
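The two steps above, written out as a FortiOS CLI fragment. This is an added example and not code posted by anyone in this thread; the interface name "wan1" and the service object name "TCP-10443" are assumptions, and on a VDOM-enabled unit the firewall tables sit under "config vdom / edit root" rather than "config global".

```text
# Added example (not from this thread). Assumes the public-facing
# interface is "wan1"; the service object name is arbitrary.
# Local-in policies match only traffic addressed to the FortiGate
# itself, which is exactly what a PCI scan of 10443 is hitting.

# 1. Confirm what is listening on 10443 before blocking it:
#    SSL VPN and the admin GUI can both use this port, and blocking
#    the SSL VPN listener takes the VPN down with it.
diagnose sys tcpsock | grep 10443

# 2. Service object for the port
config firewall service custom
    edit "TCP-10443"
        set tcp-portrange 10443
    next
end

# 3. Local-in policy on the outside interface: deny 10443 from anywhere
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "TCP-10443"
        set schedule "always"
    next
end

# If 10443 is the admin GUI port, the cleaner fix is to remove admin
# access from that interface instead of (or as well as) the policy.
config system interface
    edit "wan1"
        unset allowaccess
    next
end
```

A denied port still appears in the tcpsock listing because the daemon keeps listening; re-run the external scan, not the socket list, to confirm the fix.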

emnoc
Esteemed Contributor III

diag sys tcpsock | grep 0.0.0.0


You have to be careful with that command: it shows tons of ports in the listener state, BUT that does not mean they are in use.

Local-in policy would be the simplest method to secure 10443.

Ken Felix

PCNSE

NSE

StrongSwan