Making FortiGate completely invisible to probes

最新推荐文章于 2006-10-29 17:43:00 发布
最新推荐文章于 2006-10-29 17:43:00 发布
阅读量1k 收藏
点赞数
CC 4.0 BY-SA版权
分类专栏: fortinet 文章标签: interface tcp exception command delay service
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/gotonet/article/details/1355744
默认情况下,FortiGate设备除TCP 443端口外不接受任何TCP或UDP连接,以增强安全性。本文介绍如何通过CLI命令在指定接口上禁用TCP 113端口的自动重置功能,以提高隐身性。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

FortiGate units by default do not accept TCP or UDP connections on any port (except TCP port 443 HTTPS connections on the default internal interface for administration). This reduces the possibility of attacks such as Denial of Service (DoS) as the unit's ports cannot be discovered by probing.

An exception to this "stealth" configuration is TCP port 113 (Ident/Auth). By default, this port returns a RST packet to reset the connection. This avoids the delay that occurs if the server making the ident request waits for the request to time out.

The ident port is less used today. If you would prefer to have your FortiGate unit completely invisible to probes at the cost of occasional delays, you can turn off the automatic reset of TCP port 113 connections.

  • FortiGate unit - all models

  • FortiOS firmware - version 2.8 MR11 and later, version 3.0

    Execute the set ident-accept enable CLI command on each interface where you want to turn off the automatic reset of TCP port 113 connections. For example, to do this on port1: 

  •   config system interface
    edit port1
      set ident-accept enable
    end
  end
 
802.3ad Link Aggregation FAQ
gotonet的专栏
10-29 2012
What is link aggregation?Link aggregation, otherwise known as IEEE 802.3ad standard, allows the grouping of interfaces into a larger bandwidth trunk. It also allows for high availability (HA) by a
FortiGuard Center
瞎几把学
05-02 5856
1. FortiGuard CenterGo to the Fortinet FortiGuard Center to access FortiGuard resources such as the Fortinet threat and vulnerabilities database. This database is maintai
fortigate7.2.4
05-20
fortigate7.2.4
Fortigate 7.0.0 firmware fortigate 7.0.0固件
06-26
Fortigate 7.0.0 firmware fortigate 7.0.0固件
飞塔fortigate7.4.6安装包
最新发布
03-19
飞塔fortigate7.4.6安装包
fortigate7.6.2
03-19
飞塔fortigate7.6.2安装包
fortigate7.2.11
03-19
飞塔fortigate7.2.11安装包
Fortigate防火墙忘记密码时恢复
gotonet的专栏
10-29 2910
如果用户忘记默认的"admin" password (or any other admin access), 如下为恢复密码的过程,仅供参考:1. Connect a PC serial (com port) to FG console.2. Bring up Hyper Terminal using proper setting.3. At the console login prompt, t
FortiGate has reached connection limit..message
gotonet的专栏
10-29 2392
This above message may be displayed on the Alert Message Console GUI. It is similar to the “The system has entered conserve mode” Event log message.Explanation:The antivirus engine was low on memo
如何使用CLI通过TFTP升级Fortigate防火墙系统文件
gotonet的专栏
10-29 2271
1,通过超级终端或其他工具,连接CONSOLE口,参数设置为默认即可,特别的例外,例如,Fortigate-300(A),速率为115200.其他相同。2,使用交叉线连接防火墙的internal口,A系列产品的接口为自适应。3,重新启动防火墙,出现如下提示:   Ver:03000300Serial number:FGT-602103243758RAM activation
Fortinet Certified Network Security Professional
gotonet的专栏
10-29 2016
Fortinet Certified Network Security Professional Taining NotesImplmenting FortiGate Security and Content InspectionCourse 925-201b Authorized TainingInstructor: Florence Lau Fortinet Malaysia Sd
Configure virtual domains for an 802.1q VLAN trunk
gotonet的专栏
10-29 1773
IntroductionThis document describes how to configure virtual domains in Transparent mode to provide AV/IPS protection in an 802.1q VLAN trunk environment. In a typical 802.1q VLAN trunk environmen
FortiNet v2.8 FCSE培训笔记!
gotonet的专栏
10-29 1652
1.         全球技术论坛:http://support.fortinet.com/forumFortiNet2.         中国技术论坛:http://bbs.fortinet.com.cnFortiNet3.         技术资料网站:http://kc.forticare.comFortiNet4.         最新版本:FortiOS V2.80 buil
如何利用FG防火墙实现IP/MAC地址binding?
gotonet的专栏
10-29 1640
1、在防火墙上定义对应的IP-mac对应表config firewall ipmacbinding table    edit 1        set ip 192.167.1.111        set mac 00:0a:eb:7c:16:05        set name "robbie"        set status enable    next
configure secondary IPs to overlap the primary ip
gotonet的专栏
10-29 1566
Fortigate-800 # config sys global  (global)#  set      modify value unset    set to default value get      get configuration show     retrieve value abort    end and discard last config
cisco and fortigate OSPF configure
gotonet的专栏
10-29 1456
cisco 3745 router config:Router#sh runBuilding configuration...Current configuration : 3002 bytes!version 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service p
Can I block IM by FortiGate firewalls
gotonet的专栏
10-29 1431
You can use the CLI command config imp2p old-version to block older IM versions than the following at Fortios 3.0: MSN 6.0 ICQ 4.0 AIM 5.0 Yahoo 6.0For details see the For
Fortigate firewall LDAP config
gotonet的专栏
10-29 1414
Case ScenarioYou have to two groups of users attempting to access the Internet through the FortiGate. Most users need to be restricted in their access to the Internet. A few select users are permitt
Manual RBL ORDBL DNSBL SPAM troubleshooting
gotonet的专栏
10-29 1331
This article describes how to manually test an IP address connecting to your SMTP server to verify whether it is considered a Spam source by various RBL/ORDBL/DNSBL services.This example uses a Micr
FortiGate透明模式详解
"FortiGate透明模式文档,由Fortinet公司提供,主要介绍了如何启用和配置FortiGate设备在透明模式下工作,以及该模式下的相关特性,包括STPforward、VLANforward、forwarddomain和L2forward等。文档适用于FortiOS v3...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值