Information
Enabling any management related services on WAN interface is high risk. Management related services such as HTTPS, HTTP, ping, SSH, SNMP, and Radius should be disabled on WAN.
Management related services should only be enabled on management interface. This is part of defending the firewall from attacks and reducing the attack surface. For WAN related services such as IPSec and SSLVPN, make use of local-in-policy (refer to CIS Section 2.4) to tighten firewall defenses.
Solution
On GUI:
Go to "Network" > "Interfaces".
Review WAN interface and disable HTTPS, HTTP, ping, SSH, SNMP, and Radius services.
On CLI:
FGT1 # config system interface
FGT1 (interface) # edit "port1"
FGT1 (port1) # unselect allowaccess ping https ssh snmp http radius-acct
Note:
-
Interface name may differ based on deployment. For this example, port1 is deployed as WAN interface.
-
"unselect allowaccess" will only show services that you have enabled. If you have not enabled snmp on that interface, then snmp option will not be available.
Impact:
Enabling management related services on WAN port is convenient, but it exposes the firewall to unnecessary risks. Vulnerabilities found on vendor devices are commonly related to management services, and opening access to these allows attackers to exploit its vulnerabilities.