
New Features

Add option to set application default port as a service port

The default-app-port-as-service option can be used in NGFW mode to set the application default port as a service port. This allows applications to match the policy and be blocked immediately, the first time the traffic hits the firewall. When this option is enabled, the NGFW policy aggregates the ports used by the applications in the policy and performs a pre-match on the traffic. Previously, the traffic first had to be identified by IPS, and only then did policy matching occur, based on the matched port.

config system settings
    set default-app-port-as-service {enable | disable}
end
Note

This option can be configured on a per-VDOM level.

This setting is enabled by default on new installations. When upgrading, the setting is disabled to retain the previous behavior.

To configure the application default port as service port:
  1. Configure the VDOM settings:
    config system settings
        set vdom-type traffic
        set opmode nat
        set ngfw-mode policy-based
        set block-land-attack disable
        set default-app-port-as-service enable
        set application-bandwidth-tracking disable
    end
  2. Configure the NGFW policy:
    config firewall security-policy
        edit 1
            set name "test"
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set internet-service-src disable
            set enforce-default-app-port enable
            set action accept
        next
    end

Sample logs

The following logging behavior occurs in NGFW mode with default-app-port-as-service:

  • When default-app-port-as-service and enforce-default-app-port are enabled, traffic that does not match the default port is blocked immediately. Only a traffic log is generated.

    Log with SSH and FTP traffic:
    1: date=2022-02-24 time=11:16:36 eventtime=1645730197145603994 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=40402 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=21 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=6811 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="FTP" trandisp="snat" transip=172.16.200.4 transport=40402 duration=10 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
    Log with SSH and FTP traffic with port 2121:
    1: date=2022-02-24 time=11:19:20 eventtime=1645730360685614031 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=41362 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=2121 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7213 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="tcp/2121" trandisp="snat" transip=172.16.200.4 transport=41362 duration=9 sentbyte=60 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned"
  • When default-app-port-as-service is disabled and enforce-default-app-port is enabled, traffic that does not match the default port is not blocked immediately. Application and traffic logs are generated.

    Traffic log with SSH and FTP traffic:
    1: date=2022-02-24 time=11:21:51 eventtime=1645730511325606916 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=40408 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=21 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7522 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="FTP" trandisp="snat" transip=172.16.200.4 transport=40408 duration=14 sentbyte=164 rcvdbyte=171 sentpkt=3 rcvdpkt=2 appid=15896 app="FTP" appcat="Network.Service" apprisk="elevated" utmaction="block" countapp=1 utmref=65501-0
    Application log with SSH and FTP traffic:
    2: date=2022-02-24 time=11:21:39 eventtime=1645730499338228209 tz="-0800" logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="vd1" appid=15896 srcip=10.1.100.12 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=40408 dstport=21 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="FTP" direction="outgoing" policyid=0 sessionid=7522 action="block" appcat="Network.Service" app="FTP" incidentserialno=188744239 msg="Network.Service: FTP" apprisk="elevated"
    Traffic log with SSH and FTP traffic with port 2121:
    1: date=2022-02-24 time=11:24:25 eventtime=1645730665235613912 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=41366 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=2121 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7876 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="tcp/2121" trandisp="snat" transip=172.16.200.4 transport=41366 duration=11 sentbyte=112 rcvdbyte=171 sentpkt=2 rcvdpkt=2 appid=15896 app="FTP" appcat="Network.Service" apprisk="elevated" utmaction="block" countapp=1 utmref=65500-0
    Application log with SSH and FTP traffic with port 2121:
    2: date=2022-02-24 time=11:24:16 eventtime=1645730656426052412 tz="-0800" logid="1060028736" type="utm" subtype="app-ctrl" eventtype="port-violation" level="warning" vd="vd1" appid=15896 srcip=10.1.100.12 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=41366 dstport=2121 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="FTP" direction="outgoing" policyid=0 sessionid=7876 action="block" appcat="Network.Service" app="FTP" incidentserialno=188744241 msg="Network.Service: FTP, non-default port used: 2121" apprisk="elevated"
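
The difference between the two cases above is visible in the traffic log itself: a pre-match deny carries appcat="unscanned", no appid, and zero bytes, whereas a deny that happened only after IPS identified the application carries appid, utmaction="block" and non-zero byte counts, plus a separate app-ctrl log. The following Python is an added example, not part of the Fortinet documentation: a small parser for the key=value log format that classifies each line and reports, per session, how many bytes crossed the firewall before the deny. The sample lines are the six shown above; the function names (parse_fortigate_log, classify_deny, summarize_sessions) and the category labels are this example's own.

```python
import re
from typing import Dict, List

# Sample input: the six FortiGate log lines shown above (session ids 6811, 7213,
# 7522, 7876), embedded here so the example runs offline.
SAMPLE_LOGS: List[str] = [
    '1: date=2022-02-24 time=11:16:36 eventtime=1645730197145603994 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=40402 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=21 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=6811 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="FTP" trandisp="snat" transip=172.16.200.4 transport=40402 duration=10 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"',
    '1: date=2022-02-24 time=11:19:20 eventtime=1645730360685614031 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=41362 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=2121 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7213 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="tcp/2121" trandisp="snat" transip=172.16.200.4 transport=41362 duration=9 sentbyte=60 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned"',
    '1: date=2022-02-24 time=11:21:51 eventtime=1645730511325606916 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=40408 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=21 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7522 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="FTP" trandisp="snat" transip=172.16.200.4 transport=40408 duration=14 sentbyte=164 rcvdbyte=171 sentpkt=3 rcvdpkt=2 appid=15896 app="FTP" appcat="Network.Service" apprisk="elevated" utmaction="block" countapp=1 utmref=65501-0',
    '2: date=2022-02-24 time=11:21:39 eventtime=1645730499338228209 tz="-0800" logid="1059028705" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="vd1" appid=15896 srcip=10.1.100.12 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=40408 dstport=21 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="FTP" direction="outgoing" policyid=0 sessionid=7522 action="block" appcat="Network.Service" app="FTP" incidentserialno=188744239 msg="Network.Service: FTP" apprisk="elevated"',
    '1: date=2022-02-24 time=11:24:25 eventtime=1645730665235613912 tz="-0800" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vd1" srcip=10.1.100.12 srcport=41366 srcintf="port2" srcintfrole="undefined" dstip=172.16.200.55 dstport=2121 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=7876 proto=6 action="deny" policyid=0 policytype="security-policy" poluuid="7ed35582-95a2-51ec-0d21-4093cb91e67b" policyname="Default" centralnatid=1 service="tcp/2121" trandisp="snat" transip=172.16.200.4 transport=41366 duration=11 sentbyte=112 rcvdbyte=171 sentpkt=2 rcvdpkt=2 appid=15896 app="FTP" appcat="Network.Service" apprisk="elevated" utmaction="block" countapp=1 utmref=65500-0',
    '2: date=2022-02-24 time=11:24:16 eventtime=1645730656426052412 tz="-0800" logid="1060028736" type="utm" subtype="app-ctrl" eventtype="port-violation" level="warning" vd="vd1" appid=15896 srcip=10.1.100.12 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=41366 dstport=2121 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="FTP" direction="outgoing" policyid=0 sessionid=7876 action="block" appcat="Network.Service" app="FTP" incidentserialno=188744241 msg="Network.Service: FTP, non-default port used: 2121" apprisk="elevated"',
]

# key=value tokenizer: values are either a double-quoted string (which may
# contain spaces, colons and commas, e.g. the msg field) or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate log line into a dict; drops a leading 'N: ' sequence prefix."""
    line = re.sub(r"^\s*\d+:\s*", "", line)
    record: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        record[key] = value
    return record


def classify_deny(rec: Dict[str, str]) -> str:
    """Label a parsed record by which stage of the NGFW pipeline produced it.

    prematch-deny : traffic log denied by the default-app-port-as-service
                    pre-match; IPS never saw the session (appcat unscanned, no appid).
    appctrl-deny  : traffic log denied only after IPS identified the application
                    (appid present, utmaction block); an app-ctrl log accompanies it.
    signature / port-violation : the accompanying app-ctrl (type=utm) log's eventtype.
    """
    if rec.get("type") == "traffic" and rec.get("action") == "deny":
        if "appid" not in rec and rec.get("appcat") == "unscanned":
            return "prematch-deny"
        if rec.get("utmaction") == "block":
            return "appctrl-deny"
        return "other-deny"
    if rec.get("type") == "utm" and rec.get("subtype") == "app-ctrl":
        return rec.get("eventtype", "app-ctrl")
    return "not-a-deny"


def summarize_sessions(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Group records by sessionid and report the deny stage and bytes exchanged before the deny."""
    sessions: Dict[str, Dict[str, object]] = {}
    for line in lines:
        rec = parse_fortigate_log(line)
        sid = rec.get("sessionid")
        if not sid:
            continue
        s = sessions.setdefault(sid, {
            "dstport": rec.get("dstport"),
            "service": rec.get("service"),
            "app": None,
            "events": [],
            "bytes_before_deny": 0,
        })
        s["events"].append(classify_deny(rec))
        if rec.get("type") == "traffic":
            # sentbyte/rcvdbyte on the traffic log count what crossed before the deny took effect
            s["bytes_before_deny"] = int(rec.get("sentbyte", "0")) + int(rec.get("rcvdbyte", "0"))
        if rec.get("app"):
            s["app"] = rec["app"]
    return sessions


if __name__ == "__main__":
    for sid, s in summarize_sessions(SAMPLE_LOGS).items():
        print(f"session {sid}: dstport={s['dstport']} service={s['service']} app={s['app']} "
              f"events={s['events']} bytes_before_deny={s['bytes_before_deny']}")
```

Run against the six lines, the two pre-match sessions (6811 and 7213) show a single prematch-deny event with 0 and 60 bytes respectively, while sessions 7522 and 7876 show an appctrl-deny paired with a signature or port-violation app-ctrl log and several hundred bytes exchanged, which is exactly the "identified by IPS first" behaviour the option replaces. The same split (appcat unscanned with no appid, versus appid plus utmaction) is what a SIEM rule would key on to tell the two enforcement paths apart.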
