Fortigate – How to Disable Unused LAN Ports on Fortigate

fortigatefortinet

I know I can set the administrative status of WAN/DMZ ports to down to disable them, but I can only see how to set the entire internal interface up/down. Is there a way to set individual LAN ports down so someone cannot plug into them and access the network?

Best Answer

It's look like that theinternal-switch-mode is set as switch¹ (by default). That means that all port on the internal interface are configured as they are only one:

Switch mode combines FortiGate unit interfaces into one switch with one address. Interface mode gives each internal interface its own address.²

so, as I understand, if in system global configuration you set: internal-switch-mode interface, you shall configure each port independently, so you will able to reconfigure port 1 and 2 then disable the other as @David say.

NB Before switching modes, all configuration settings for the interfaces affected by the switch must be set to defaults.²

Ref:

Related Solutions

Switch – Fortigate HA: how to locate switch port connected to passive unit

What you can do is SSH to the Active unit, then run:

execute ha manage <x>

where x is the ID of the other unit.

Then run

config system interface
edit "port1"
set status down
next 
edit "port1"
set status up
end

You can then log on to the switch (assuming it is logging interface UP/DOWNS) and see which interface went down.

Fortigate Logging: Prevent Ping to Firewall Interface While Logging Implicitly Denied Traffic

For Fortigate firewalls running FortiOS 5.0 or newer, it is possible to use the CLI to specifically disable logs for accepted traffic directed to the firewall itself:

Log on to firewall using SSH, then run the following commands (assuming the firewall has a VDOM named 'root')

config vdom
edit root
config log settings
set local-in-allow disable

This has to be done on a per VDOM basis.

Once this is done, the firewall keeps logging all denied traffic, without logging accepted pings, SNMP monitoring queries etc.

Fortinet has more informationg here: http://docs-legacy.fortinet.com/fgt/handbook/cli_html/index.html#page/FortiOS%25205.0%2520CLI/config_log.17.13.html

For Fortigate firewalls running FortiOS older than 5.0, I suppose the best advice is to upgrade to 5.0 or newer and then apply the setting suggested above. It seems like the feature 'set local-in-allow disable' is not available before FortiOS 5.0.

Best Answer

Related Solutions

Switch – Fortigate HA: how to locate switch port connected to passive unit

Fortigate Logging: Prevent Ping to Firewall Interface While Logging Implicitly Denied Traffic

Related Topic