Vulnerability Scan

The Network Vulnerability Scan helps you to protect your network assets (servers and workstations) by scanning them for security weaknesses. You can scan on-demand or on a scheduled basis. Results are viewable on the FortiGate unit, but results are also sent to an attached FortiAnalyzer unit. The FortiAnalyzer unit can collect the results of vulnerability scans from multiple FortiGate units at different locations on your network, compiling a comprehensive report about network security.

This section describes how to configure a single FortiGate unit for network scanning and how to view the results of the scan.

The following topics are included in this section:

  • Configuring vulnerability scans
  • Running a vulnerability scan and viewing scan results
  • Requirements for authenticated scanning and ports scanned
  • Ports scanned in each scan mode

Configuring vulnerability scans

You can configure the scan schedule and the assets to be scanned.

To configure scanning - web-based manager:
  1. Go to User & Device > Vulnerability Scan > Scan Definition.
  2. Beside Schedule select Change to set the scan schedule and mode:
     Recurrence: Select Daily, Weekly, or Monthly and configure the details for the option you have selected.
     Suspend Scan between: Set a time during which the scan should be paused if it is running. (Optional)
     Vulnerability Scan Mode:
       Quick — check only the most commonly used ports
       Standard — check the ports used by most known applications
       Full — check all TCP and UDP ports

For a detailed list of the TCP and UDP ports examined by each scan mode, see Ports scanned in each scan mode.

  3. Select Apply to save the configuration.
  4. In Asset Definitions, click Create New and enter information about the asset:
     Name: Enter a name for this asset.
     Type: Select IP Address to add a single IP address, or Range to add a range of IP addresses to scan.
     IP Address: Enter the IP address of the asset. (Type is IP Address.)
     Range: Enter the start and end of the IP address range. (Type is Range.)
     Enable Scheduled Vulnerability Scanning: Select to allow this asset to be scanned according to the schedule. Otherwise the asset is not scanned during a scheduled vulnerability scan.
     Windows Authentication: Select to use authentication on a Windows operating system. Enter the username and password in the fields provided. For more information, see Requirements for authenticated scanning and ports scanned.
     Unix Authentication: Select to use authentication on a Unix operating system. Enter the username and password in the fields provided. For more information, see Requirements for authenticated scanning and ports scanned.

To configure scanning - CLI:

To configure, for example, a standard scan to be performed every Sunday at 2:00am, you would enter:

config netscan settings
    set scan-mode standard
    set schedule enable
    set time 02:00
    set recurrence weekly
    set day-of-week sunday
end

To add an asset - CLI:

This example adds a single computer to the Asset list:

config netscan assets
    edit 0
        set name "server1"
        set addr-type ip
        set start-ip 10.11.101.20
        set auth-windows enable
        set win-username admin
        set win-password zxcvbnm
        set scheduled enable
    end
end

This example adds an address range to the Asset list. Authentication is not used:

config netscan assets
    edit 0
        set name "fileservers"
        set addr-type range
        set start-ip 10.11.101.160
        set end-ip 10.11.101.170
        set scheduled enable
    end
end

Running a vulnerability scan and viewing scan results

To run a vulnerability scan - web-based manager:
  1. Go to User & Device > Vulnerability Scan > Scan Definition and select Start Scan.
    When the scan is running you can pause or stop it at any time. You can also watch the progress of the scan.
  2. When the scan is complete go to User & Device > Vulnerability Scan > Vulnerability Result to view the results of the scan.

To run a vulnerability scan - CLI:

Use the following CLI commands:

execute netscan start scan
execute netscan status
execute netscan pause
execute netscan resume
execute netscan stop

To view vulnerability scan results:
  • To view vulnerability scan results go to User & Device > Vulnerability Scan > Vulnerability Result.

Select any log entry to view log details.

Requirements for authenticated scanning and ports scanned

The effectiveness of an authenticated scan is determined by the level of access the FortiGate unit obtains to the host operating system. Rather than use the system administrator’s account, it might be more convenient to set up a separate account for the exclusive use of the vulnerability scanner with a password that does not change.

The following sections detail the account requirements for various operating systems.

Microsoft Windows hosts - domain scanning

The user account provided for authentication must:

  • have administrator rights
  • be a Security type of account
  • have global scope
  • belong to the Domain Administrators group
  • meet the Group Policy requirements listed below:

Group Policy - Security Options

In the Group Policy Management Editor, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

Setting                                                              Value
Network access: Sharing and security model for local accounts        Classic
Accounts: Guest account status                                       Disabled
Network access: Let Everyone permissions apply to anonymous users    Disabled

Group Policy - System Services

In the Group Policy Management Editor, go to Computer Configuration > Windows Settings > Security Settings > System Services.

Setting             Value
Remote registry     Automatic
Server              Automatic
Windows Firewall    Automatic

Group Policy - Administrative Templates

In the Group Policy Management Editor, go to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.

Setting                                                        Value
Windows Firewall: Protect all network connections              Disabled

or

Setting                                                        Value
Windows Firewall: Protect all network connections              Enabled
Windows Firewall: Allow remote administration exception        Enabled
    Allow unsolicited messages from (1)                        *
Windows Firewall: Allow file and printer sharing exception     Enabled
    Allow unsolicited messages from (1)                        *
Windows Firewall: Allow ICMP exceptions                        Enabled
    Allow unsolicited messages from (1)                        *

(1) Windows prompts you for a range of IP addresses. Enter either “*” or the IP address of the Fortinet appliance that is performing the vulnerability scan.

Microsoft Windows hosts - local (non-domain) scanning

The user account provided for authentication must:

  • be a local account
  • belong to the Administrators group

The host must also meet the following requirements:

  • Server service must be enabled. (Windows 2000, 2003, XP)
  • Remote Registry Service must be enabled.
  • File Sharing must be enabled.
  • Public folder sharing must be disabled. (Windows 7)
  • Simple File Sharing (SFS) must be disabled. (Windows XP)

Windows firewall settings

Enable the Remote Administration Exception in Windows Firewall. (Windows 2003, Windows XP)

Allow File and Print sharing and Remote Administration traffic to pass through the firewall. Specify the IP address or subnet of the Fortinet appliance that is performing the vulnerability scan. (Windows Vista, 2008)

For each of the active Inbound Rules in the File and Printer Sharing group, set the Remote IP address under Scope to either Any IP address or to the IP address or subnet of the Fortinet appliance that is performing the vulnerability scan. (Windows 7)
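The domain and local (non-domain) requirements above can be verified on a Windows host before the first authenticated scan is attempted. The PowerShell function below is an added example, not part of the FortiOS help and not a Fortinet tool; it assumes Windows 8 / Server 2012 or later (for the NetSecurity cmdlets), an elevated session, and a constructed scanner address of 192.0.2.10.

```powershell
# Added example: readiness check for the domain and local (non-domain) requirements above.
# Assumes Windows 8 / Server 2012 or later and an elevated session. Not a Fortinet tool.
function Test-VulnScanPrereq {
    param([string]$ScannerAddress = '192.0.2.10')   # constructed sample FortiGate address

    # LSA values behind the two "Network access" policies: ForceGuest 0 = Classic,
    # EveryoneIncludesAnonymous 0 = Disabled. Guest status comes from the local account itself.
    $lsa   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $guest = Get-CimInstance Win32_UserAccount -Filter "Name='Guest' AND LocalAccount=TRUE"
    $checks = @(
        @{ Name = 'Sharing and security model for local accounts = Classic'
           Actual = $lsa.ForceGuest; Pass = ($lsa.ForceGuest -eq 0) }
        @{ Name = 'Let Everyone permissions apply to anonymous users = Disabled'
           Actual = $lsa.EveryoneIncludesAnonymous; Pass = ($lsa.EveryoneIncludesAnonymous -eq 0) }
        @{ Name = 'Guest account status = Disabled'
           Actual = $guest.Disabled; Pass = ($guest.Disabled -eq $true) }
    )
    # System Services: Remote Registry, Server and Windows Firewall must start automatically.
    foreach ($svc in 'RemoteRegistry', 'LanmanServer', 'MpsSvc') {
        $s = Get-CimInstance Win32_Service -Filter "Name='$svc'"
        $checks += @{ Name = "$svc start type = Automatic"; Actual = $s.StartMode; Pass = ($s.StartMode -eq 'Auto') }
    }
    # Firewall: every enabled inbound rule in these groups must be scoped to Any or to the scanner.
    # (A subnet scope written as CIDR shows up as a failure here and needs a manual look.)
    foreach ($group in 'File and Printer Sharing', 'Remote Administration') {
        $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
        if (-not $rules) {
            $checks += @{ Name = "$group - at least one enabled inbound rule"; Actual = 'none'; Pass = $false }
            continue
        }
        foreach ($r in $rules) {
            $remote = @(($r | Get-NetFirewallAddressFilter).RemoteAddress)
            $ok = ($remote -contains 'Any') -or ($remote -contains $ScannerAddress)
            $checks += @{ Name = "$group / $($r.DisplayName) remote scope"; Actual = ($remote -join ', '); Pass = $ok }
        }
    }
    foreach ($c in $checks) { [pscustomobject]$c }
}

# Lists each requirement with its observed value; any row with Pass = False will block an authenticated scan.
Test-VulnScanPrereq -ScannerAddress '192.0.2.10' | Format-Table Name, Actual, Pass -AutoSize
```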

Unix hosts

The user account provided for authentication must be able at a minimum to execute these commands:

  • The account must be able to execute “uname” in order to detect the platform for packages.
  • If the target is running Red Hat, the account must be able to read /etc/redhat-release and execute “rpm”.
  • If the target is running Debian, the account must be able to read /etc/debian-version and execute “dpkg”.

Ports scanned in each scan mode

Quick Scan
  TCP: 11, 13, 15, 17, 19-23, 25, 37, 42, 53, 66, 69-70, 79-81, 88, 98, 109-111, 113, 118-119, 123, 135, 139, 143, 220, 256-259, 264, 371, 389, 411, 443, 445, 464-465, 512-515, 523-524, 540, 548, 554, 563, 580, 593, 636, 749-751, 873, 900-901, 990, 992-993, 995, 1080, 1114, 1214, 1234, 1352, 1433, 1494, 1508, 1521, 1720, 1723, 1755, 1801, 2000-2001, 2003, 2049, 2301, 2401, 2447, 2690, 2766, 3128, 3268-3269, 3306, 3372, 3389, 4100, 4443-4444, 4661-4662, 5000, 5432, 5555-5556, 5631-5632, 5634, 5800-5802, 5900-5901, 6000, 6112, 6346, 6387, 6666-6667, 6699, 7007, 7100, 7161, 7777-7778, 8000-8001, 8010, 8080-8081, 8100, 8888, 8910, 9100, 10000, 12345-12346, 20034, 21554, 32000, 32768-32790
  UDP: 7, 13, 17, 19, 37, 53, 67-69, 111, 123, 135, 137, 161, 177, 407, 464, 500, 517-518, 520, 1434, 1645, 1701, 1812, 2049, 3527, 4569, 4665, 5036, 5060, 5632, 6502, 7778, 15345

Standard Scan
  TCP: 1-3, 5, 7, 9, 11, 13, 15, 17-25, 27, 29, 31, 33, 35, 37-39, 41-223, 242-246, 256-265, 280-282, 309, 311, 318, 322-325, 344-351, 363, 369-581, 587, 592-593, 598, 600, 606-620, 624, 627, 631, 633-637, 666-674, 700, 704-705, 707, 709-711, 729-731, 740-742, 744, 747-754, 758-765, 767, 769-777, 780-783, 786, 799-801, 860, 873, 886-888, 900-901, 911, 950, 954-955, 990-993, 995-1001, 1008, 1010-1011, 1015, 1023-1100, 1109-1112, 1114, 1123, 1155, 1167, 1170, 1207, 1212, 1214, 1220-1222, 1234-1236, 1241, 1243, 1245, 1248, 1269, 1313-1314, 1337, 1344-1625, 1636-1774, 1776-1815, 1818-1824, 1901-1909, 1911-1920, 1944-1951, 1973, 1981, 1985-2028, 2030, 2032-2036, 2038, 2040-2049, 2053, 2065, 2067, 2080, 2097, 2100, 2102-2107, 2109, 2111, 2115, 2120, 2140, 2160-2161, 2201-2202, 2213, 2221-2223, 2232-2239, 2241, 2260, 2279-2288, 2297, 2301, 2307, 2334, 2339, 2345, 2381, 2389, 2391, 2393-2394, 2399, 2401, 2433, 2447, 2500-2501, 2532, 2544, 2564-2565, 2583, 2592, 2600-2605, 2626-2627, 2638-2639, 2690, 2700, 2716, 2766, 2784-2789, 2801, 2908-2912, 2953-2954, 2998, 3000-3002, 3006-3007, 3010-3011, 3020, 3047-3049, 3080, 3127-3128, 3141-3145, 3180-3181, 3205, 3232, 3260, 3264, 3267-3269, 3279, 3306, 3322-3325, 3333, 3340, 3351-3352, 3355, 3372, 3389, 3421, 3454-3457, 3689-3690, 3700, 3791, 3900, 3984-3986, 4000-4002, 4008-4009, 4080, 4092, 4100, 4103, 4105, 4107, 4132-4134, 4144, 4242, 4321, 4333, 4343, 4443-4454, 4500-4501, 4567, 4590, 4626, 4651, 4660-4663, 4672, 4899, 4903, 4950, 5000-5005, 5009-5011, 5020-5021, 5031, 5050, 5053, 5080, 5100-5101, 5145, 5150, 5190-5193, 5222, 5236, 5300-5305, 5321, 5400-5402, 5432, 5510, 5520-5521, 5530, 5540, 5550, 5554-5558, 5569, 5599-5601, 5631-5632, 5634, 5678-5679, 5713-5717, 5729, 5742, 5745, 5755, 5757, 5766-5767, 5800-5802, 5900-5902, 5977-5979, 5997-6053, 6080, 6103, 6110-6112, 6123, 6129, 6141-6149, 6253, 6346, 6387, 6389, 6400, 6455-6456, 6499-6500, 6515, 6558, 6588, 6660-6670, 6672-6673, 6699, 6767, 6771, 6776, 6831, 6883, 6912, 6939, 6969-6970, 7000-7021, 7070, 7080, 7099-7100, 7121, 7161, 7174, 7200-7201, 7300-7301, 7306-7308, 7395, 7426-7431, 7491, 7511, 7777-7778, 7781, 7789, 7895, 7938, 7999-8020, 8023, 8032, 8039, 8080-8082, 8090, 8100, 8181, 8192, 8200, 8383, 8403, 8443, 8450, 8484, 8732, 8765, 8886-8894, 8910, 9000-9001, 9005, 9043, 9080, 9090, 9098-9100, 9400, 9443, 9535, 9872-9876, 9878, 9889, 9989-10000, 10005, 10007, 10080-10082, 10101, 10520, 10607, 10666, 11000, 11004, 11223, 12076, 12223, 12345-12346, 12361-12362, 12456, 12468-12469, 12631, 12701, 12753, 13000, 13333, 14237-14238, 15858, 16384, 16660, 16959, 16969, 17007, 17300, 18000, 18181-18186, 18190-18192, 18194, 18209-18210, 18231-18232, 18264, 19541, 20000-20001, 20011, 20034, 20200, 20203, 20331, 21544, 21554, 21845-21849, 22222, 22273, 22289, 22305, 22321, 22555, 22800, 22951, 23456, 23476-23477, 25000-25009, 25252, 25793, 25867, 26000, 26208, 26274, 27000-27009, 27374, 27665, 29369, 29891, 30029, 30100-30102, 30129, 30303, 30999, 31336-31337, 31339, 31554, 31666, 31785, 31787-31788, 32000, 32768-32790, 33333, 33567-33568, 33911, 34324, 37651, 40412, 40421-40423, 42424, 44337, 47557, 47806, 47808, 49400, 50505, 50766, 51102, 51107, 51112, 53001, 54321, 57341, 60008, 61439, 61466, 65000, 65301, 65512
  UDP: 7, 9, 13, 17, 19, 21, 37, 53, 67-69, 98, 111, 121, 123, 135, 137-138, 161, 177, 371, 389, 407, 445, 456, 464, 500, 512, 514, 517-518, 520, 555, 635, 666, 858, 1001, 1010-1011, 1015, 1024-1049, 1051-1055, 1170, 1243, 1245, 1434, 1492, 1600, 1604, 1645, 1701, 1807, 1812, 1900, 1978, 1981, 1999, 2001-2002, 2023, 2049, 2115, 2140, 2801, 3024, 3129, 3150, 3283, 3527, 3700, 3801, 4000, 4092, 4156, 4569, 4590, 4781, 5000-5001, 5036, 5060, 5321, 5400-5402, 5503, 5569, 5632, 5742, 6073, 6502, 6670, 6771, 6912, 6969, 7000, 7300-7301, 7306-7308, 7778, 7789, 7938, 9872-9875, 9989, 10067, 10167, 11000, 11223, 12223, 12345-12346, 12361-12362, 15253, 15345, 16969, 20001, 20034, 21544, 22222, 23456, 26274, 27444, 30029, 31335, 31337-31339, 31666, 31785, 31789, 31791-31792, 32771, 33333, 34324, 40412, 40421-40423, 40426, 47262, 50505, 50766, 51100-51101, 51109, 53001, 61466, 65000

Full Scan
  All TCP and UDP ports (1-65535)