Vulnerability Scan
The Network Vulnerability Scan helps you to protect your network assets (servers and workstations) by scanning them for security weaknesses. You can scan on-demand or on a scheduled basis. Results are viewable on the FortiGate unit, but results are also sent to an attached FortiAnalyzer unit. The FortiAnalyzer unit can collect the results of vulnerability scans from multiple FortiGate units at different locations on your network, compiling a comprehensive report about network security.
This section describes how to configure a single FortiGate unit for network scanning and how to view the results of the scan.
The following topics are included in this section:
- Configuring vulnerability scans
- Running a vulnerability scan and viewing scan results
- Requirements for authenticated scanning and ports scanned
Configuring vulnerability scans
You can configure the scan schedule and the assets to be scanned.
To configure scanning - web-based manager:
- Go to User & Device > Vulnerability Scan > Scan Definition.
- Beside Schedule select Change to set the scan schedule and mode:
Setting | Description |
---|---|
Recurrence | Select Daily, Weekly, or Monthly and configure the details for the option you have selected. |
Suspend Scan between | Set a time during which the scan should be paused if it is running. (Optional) |
Vulnerability Scan Mode | Select Quick, Standard, or Full. Quick checks only the most commonly used ports. For a detailed list of the TCP and UDP ports examined by each scan mode, see Ports scanned in each scan mode. |
- Select Apply to save the configuration.
- In Asset Definitions, click Create New and enter information about the asset:
Setting | Description |
---|---|
Name | Enter a name for this asset. |
Type | Select IP Address to add a single IP address. Select Range to add a range of IP addresses to scan. |
IP Address | Enter the IP address of the asset. (Type is IP Address.) |
Range | Enter the start and end of the IP address range. (Type is Range.) |
Enable Scheduled Vulnerability Scanning | Select to allow this asset to be scanned according to the schedule. Otherwise the asset is not scanned during a scheduled vulnerability scan. |
Windows Authentication | Select to use authentication on a Windows operating system. Enter the username and password in the fields provided. For more information, see Requirements for authenticated scanning and ports scanned. |
Unix Authentication | Select to use authentication on a Unix operating system. Enter the username and password in the fields provided. For more information, see Requirements for authenticated scanning and ports scanned. |
To configure scanning - CLI:
To configure, for example, a standard scan to be performed every Sunday at 2:00am, you would enter:
```
config netscan settings
    set scan-mode standard
    set schedule enable
    set time 02:00
    set recurrence weekly
    set day-of-week sunday
end
```
To add an asset - CLI:
This example adds a single computer to the Asset list:
```
config netscan assets
    edit 0
        set name "server1"
        set addr-type ip
        set start-ip 10.11.101.20
        set auth-windows enable
        set win-username admin
        set win-password zxcvbnm
        set scheduled enable
    next
end
```
This example adds an address range to the Asset list. Authentication is not used:
```
config netscan assets
    edit 0
        set name "fileservers"
        set addr-type range
        set start-ip 10.11.101.160
        set end-ip 10.11.101.170
        set scheduled enable
    next
end
```
Running a vulnerability scan and viewing scan results
To run a vulnerability scan - web-based manager:
- Go to User & Device > Vulnerability Scan > Scan Definition and select Start Scan.
While the scan is running you can pause or stop it at any time, and you can watch its progress.
- When the scan is complete, go to User & Device > Vulnerability Scan > Vulnerability Result to view the results of the scan.
To run a vulnerability scan - CLI:
Use the following CLI commands:
```
execute netscan start scan
execute netscan status
execute netscan pause
execute netscan resume
execute netscan stop
```
To view vulnerability scan results:
- To view vulnerability scan results go to User & Device > Vulnerability Scan > Vulnerability Result.
Select any log entry to view log details.
Requirements for authenticated scanning and ports scanned
The effectiveness of an authenticated scan is determined by the level of access the FortiGate unit obtains to the host operating system. Rather than use the system administrator’s account, it might be more convenient to set up a separate account for the exclusive use of the vulnerability scanner with a password that does not change.
The following sections detail the account requirements for various operating systems.
Microsoft Windows hosts - domain scanning
The user account provided for authentication must:
- have administrator rights
- be a Security type of account
- have global scope
- belong to the Domain Administrators group
- meet the Group Policy requirements listed below:
Group Policy - Security Options
In the Group Policy Management Editor, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
Setting | Value |
---|---|
Network access: Sharing and security model for local accounts | Classic |
Accounts: Guest account status | Disabled |
Network access: Let Everyone permissions apply to anonymous users | Disabled |
Group Policy - System Services
In the Group Policy Management Editor, go to Computer Configuration > Windows Settings > Security Settings > System Services.
Setting | Value |
---|---|
Remote registry | Automatic |
Server | Automatic |
Windows Firewall | Automatic |
Group Policy - Administrative Templates
In the Group Policy Management Editor, go to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
Setting | Value |
---|---|
Windows Firewall: Protect all network connections | Disabled |
or
Setting | Value |
---|---|
Windows Firewall: Protect all network connections | Enabled |
Windows Firewall: Allow remote administration exception | Enabled |
(Allow unsolicited messages from ¹) | * |
Windows Firewall: Allow file and printer sharing exception | Enabled |
(Allow unsolicited messages from ¹) | * |
Windows Firewall: Allow ICMP exceptions | Enabled |
(Allow unsolicited messages from ¹) | * |

¹ Windows prompts you for a range of IP addresses. Enter either “*” or the IP address of the Fortinet appliance that is performing the vulnerability scan.
Microsoft Windows hosts - local (non-domain) scanning
The user account provided for authentication must:
- be a local account
- belong to the Administrators group
The host must also meet the following requirements:
- Server service must be enabled. (Windows 2000, 2003, XP)
- Remote Registry Service must be enabled.
- File Sharing must be enabled.
- Public folder sharing must be disabled. (Windows 7)
- Simple File Sharing (SFS) must be disabled. (Windows XP)
Windows firewall settings
Enable the Remote Administration Exception in Windows Firewall. (Windows 2003, Windows XP)
Allow File and Print sharing and Remote Administration traffic to pass through the firewall. Specify the IP address or subnet of the Fortinet appliance that is performing the vulnerability scan. (Windows Vista, 2008)
For each of the active Inbound Rules in the File and Printer Sharing group, set the Remote IP address under Scope to either Any IP address or to the IP address or subnet of the Fortinet appliance that is performing the vulnerability scan. (Windows 7)
Unix hosts
At a minimum, the user account provided for authentication must be able to:
- execute “uname”, so the scanner can detect the platform and therefore which package manager to query
- on Red Hat targets, read /etc/redhat-release and execute “rpm”
- on Debian targets, read /etc/debian-version and execute “dpkg”
Ports scanned in each scan mode
Scan Type | Ports scanned |
---|---|
Standard Scan | TCP: 1-3, 5, 7, 9, 11, 13, 15, 17-25, 27, 29, 31, 33, 35, 37-39, 41-223, 242-246, 256-265, 280-282, 309, 311, 318, 322-325, 344-351, 363, 369-581, 587, 592-593, 598, 600, 606-620, 624, 627, 631, 633-637, 666-674, 700, 704-705, 707, 709-711, 729-731, 740-742, 744, 747-754, 758-765, 767, 769-777, 780-783, 786, 799-801, 860, 873, 886-888, 900-901, 911, 950, 954-955, 990-993, 995-1001, 1008, 1010-1011, 1015, 1023-1100, 1109-1112, 1114, 1123, 1155, 1167, 1170, 1207, 1212, 1214, 1220-1222, 1234-1236, 1241, 1243, 1245, 1248, 1269, 1313-1314, 1337, 1344-1625, 1636-1774, 1776-1815, 1818-1824, 1901-1909, 1911-1920, 1944-1951, 1973, 1981, 1985-2028, 2030, 2032-2036, 2038, 2040-2049, 2053, 2065, 2067, 2080, 2097, 2100, 2102-2107, 2109, 2111, 2115, 2120, 2140, 2160-2161, 2201-2202, 2213, 2221-2223, 2232-2239, 2241, 2260, 2279-2288, 2297, 2301, 2307, 2334, 2339, 2345, 2381, 2389, 2391, 2393-2394, 2399, 2401, 2433, 2447, 2500-2501, 2532, 2544, 2564-2565, 2583, 2592, 2600-2605, 2626-2627, 2638-2639, 2690, 2700, 2716, 2766, 2784-2789, 2801, 2908-2912, 2953-2954, 2998, 3000-3002, 3006-3007, 3010-3011, 3020, 3047-3049, 3080, 3127-3128, 3141-3145, 3180-3181, 3205, 3232, 3260, 3264, 3267-3269, 3279, 3306, 3322-3325, 3333, 3340, 3351-3352, 3355, 3372, 3389, 3421, 3454-3457, 3689-3690, 3700, 3791, 3900, 3984-3986, 4000-4002, 4008-4009, 4080, 4092, 4100, 4103, 4105, 4107, 4132-4134, 4144, 4242, 4321, 4333, 4343, 4443-4454, 4500-4501, 4567, 4590, 4626, 4651, 4660-4663, 4672, 4899, 4903, 4950, 5000-5005, 5009-5011, 5020-5021, 5031, 5050, 5053, 5080, 5100-5101, 5145, 5150, 5190-5193, 5222, 5236, 5300-5305, 5321, 5400-5402, 5432, 5510, 5520-5521, 5530, 5540, 5550, 5554-5558, 5569, 5599-5601, 5631-5632, 5634, 5678-5679, 5713-5717, 5729, 5742, 5745, 5755, 5757, 5766-5767, 5800-5802, 5900-5902, 5977-5979, 5997-6053, 6080, 6103, 6110-6112, 6123, 6129, 6141-6149, 6253, 6346, 6387, 6389, 6400, 6455-6456, 6499-6500, 6515, 6558, 6588, 6660-6670, 6672-6673, 6699, 6767, 6771, 6776, 6831, 6883, 6912, 6939, 6969-6970, 7000-7021, 7070, 7080, 7099-7100, 7121, 7161, 7174, 7200-7201, 7300-7301, 7306-7308, 7395, 7426-7431, 7491, 7511, 7777-7778, 7781, 7789, 7895, 7938, 7999-8020, 8023, 8032, 8039, 8080-8082, 8090, 8100, 8181, 8192, 8200, 8383, 8403, 8443, 8450, 8484, 8732, 8765, 8886-8894, 8910, 9000-9001, 9005, 9043, 9080, 9090, 9098-9100, 9400, 9443, 9535, 9872-9876, 9878, 9889, 9989-10000, 10005, 10007, 10080-10082, 10101, 10520, 10607, 10666, 11000, 11004, 11223, 12076, 12223, 12345-12346, 12361-12362, 12456, 12468-12469, 12631, 12701, 12753, 13000, 13333, 14237-14238, 15858, 16384, 16660, 16959, 16969, 17007, 17300, 18000, 18181-18186, 18190-18192, 18194, 18209-18210, 18231-18232, 18264, 19541, 20000-20001, 20011, 20034, 20200, 20203, 20331, 21544, 21554, 21845-21849, 22222, 22273, 22289, 22305, 22321, 22555, 22800, 22951, 23456, 23476-23477, 25000-25009, 25252, 25793, 25867, 26000, 26208, 26274, 27000-27009, 27374, 27665, 29369, 29891, 30029, 30100-30102, 30129, 30303, 30999, 31336-31337, 31339, 31554, 31666, 31785, 31787-31788, 32000, 32768-32790, 33333, 33567-33568, 33911, 34324, 37651, 40412, 40421-40423, 42424, 44337, 47557, 47806, 47808, 49400, 50505, 50766, 51102, 51107, 51112, 53001, 54321, 57341, 60008, 61439, 61466, 65000, 65301, 65512. UDP: 7, 9, 13, 17, 19, 21, 37, 53, 67-69, 98, 111, 121, 123, 135, 137-138, 161, 177, 371, 389, 407, 445, 456, 464, 500, 512, 514, 517-518, 520, 555, 635, 666, 858, 1001, 1010-1011, 1015, 1024-1049, 1051-1055, 1170, 1243, 1245, 1434, 1492, 1600, 1604, 1645, 1701, 1807, 1812, 1900, 1978, 1981, 1999, 2001-2002, 2023, 2049, 2115, 2140, 2801, 3024, 3129, 3150, 3283, 3527, 3700, 3801, 4000, 4092, 4156, 4569, 4590, 4781, 5000-5001, 5036, 5060, 5321, 5400-5402, 5503, 5569, 5632, 5742, 6073, 6502, 6670, 6771, 6912, 6969, 7000, 7300-7301, 7306-7308, 7778, 7789, 7938, 9872-9875, 9989, 10067, 10167, 11000, 11223, 12223, 12345-12346, 12361-12362, 15253, 15345, 16969, 20001, 20034, 21544, 22222, 23456, 26274, 27444, 30029, 31335, 31337-31339, 31666, 31785, 31789, 31791-31792, 32771, 33333, 34324, 40412, 40421-40423, 40426, 47262, 50505, 50766, 51100-51101, 51109, 53001, 61466, 65000 |
Full Scan | All TCP and UDP ports (1-65535) |
Quick Scan | TCP: 11, 13, 15, 17, 19-23, 25, 37, 42, 53, 66, 69-70, 79-81, 88, 98, 109-111, 113, 118-119, 123, 135, 139, 143, 220, 256-259, 264, 371, 389, 411, 443, 445, 464-465, 512-515, 523-524, 540, 548, 554, 563, 580, 593, 636, 749-751, 873, 900-901, 990, 992-993, 995, 1080, 1114, 1214, 1234, 1352, 1433, 1494, 1508, 1521, 1720, 1723, 1755, 1801, 2000-2001, 2003, 2049, 2301, 2401, 2447, 2690, 2766, 3128, 3268-3269, 3306, 3372, 3389, 4100, 4443-4444, 4661-4662, 5000, 5432, 5555-5556, 5631-5632, 5634, 5800-5802, 5900-5901, 6000, 6112, 6346, 6387, 6666-6667, 6699, 7007, 7100, 7161, 7777-7778, 8000-8001, 8010, 8080-8081, 8100, 8888, 8910, 9100, 10000, 12345-12346, 20034, 21554, 32000, 32768-32790 UDP: 7, 13, 17, 19, 37, 53, 67-69, 111, 123, 135, 137, 161, 177, 407, 464, 500, 517-518, 520, 1434, 1645, 1701, 1812, 2049, 3527, 4569, 4665, 5036, 5060, 5632, 6502, 7778, 15345 |
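The following Python is an added example, not Fortinet code: it parses the comma-separated port-list format used in the table above and reports which of an asset's listening ports a chosen scan mode would never probe, which is the check to make before relying on Quick mode for a scheduled scan. The Quick Scan TCP list is copied from the table; the asset's listener inventory is constructed.

```python
"""Added example (not Fortinet code): port-coverage check for the scan modes above.
Parses the table's comma-separated port-list format ("1-3, 5, 19-23, ...") and reports
which listening ports on an asset a given scan mode would not probe."""
import re

# Quick Scan TCP list, copied from the "Ports scanned in each scan mode" table.
QUICK_TCP = (
    "11, 13, 15, 17, 19-23, 25, 37, 42, 53, 66, 69-70, 79-81, 88, 98, 109-111, 113, "
    "118-119, 123, 135, 139, 143, 220, 256-259, 264, 371, 389, 411, 443, 445, 464-465, "
    "512-515, 523-524, 540, 548, 554, 563, 580, 593, 636, 749-751, 873, 900-901, 990, "
    "992-993, 995, 1080, 1114, 1214, 1234, 1352, 1433, 1494, 1508, 1521, 1720, 1723, "
    "1755, 1801, 2000-2001, 2003, 2049, 2301, 2401, 2447, 2690, 2766, 3128, 3268-3269, "
    "3306, 3372, 3389, 4100, 4443-4444, 4661-4662, 5000, 5432, 5555-5556, 5631-5632, "
    "5634, 5800-5802, 5900-5901, 6000, 6112, 6346, 6387, 6666-6667, 6699, 7007, 7100, "
    "7161, 7777-7778, 8000-8001, 8010, 8080-8081, 8100, 8888, 8910, 9100, 10000, "
    "12345-12346, 20034, 21554, 32000, 32768-32790"
)
FULL = "1-65535"  # Full Scan covers every TCP and UDP port


def parse_ports(spec):
    """Expand "1-3, 5, 19-23" into a set of ints. Malformed or out-of-range tokens
    raise ValueError instead of being skipped, so a typo cannot silently shrink coverage."""
    ports = set()
    for token in spec.split(","):
        token = token.strip()
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if not m:
            raise ValueError(f"bad port token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {token!r}")
        ports.update(range(lo, hi + 1))
    return ports


def unscanned(spec, listening):
    """Sorted list of the asset's listening ports that this mode never probes."""
    return sorted(set(listening) - parse_ports(spec))


if __name__ == "__main__":
    # Constructed inventory: TCP listeners an administrator found on one asset.
    asset_tcp = [22, 443, 3389, 8443, 9200, 27017]
    print("Quick Scan would not probe TCP:", unscanned(QUICK_TCP, asset_tcp))
    print("Full Scan would not probe TCP:", unscanned(FULL, asset_tcp))
```

Any port reported for Quick mode is a reason to schedule that asset under Standard or Full mode instead, or to add the listener to the asset inventory review.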