
Ports used by Fortinet

May 9, 2014
01-520-112804-20140509
Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and
FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other
Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All
other product or company names may be trademarks of their respective owners. Performance
and other metrics contained herein were attained in internal lab tests under ideal conditions,
and actual performance and other results may vary. Network variables, different network
environments and other conditions may affect performance results. Nothing herein represents
any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or
implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's
General Counsel, with a purchaser that expressly warrants that the identified product will
perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be
binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the
same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants,
representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves
the right to change, modify, transfer, or otherwise revise this publication without notice, and the
most current version of the publication shall be applicable.

Technical Documentation: docs.fortinet.com
Knowledge Base: kb.fortinet.com
Customer Service & Support: support.fortinet.com
Training Services: training.fortinet.com
FortiGuard: fortiguard.com
Document Feedback: techdocs@fortinet.com

Table of contents

Network Port Connectivity .................................................... 1
    TCP/IP Port Basics
    Open Ports and Security
    Planning and Troubleshooting
    Fortinet Port Numbers Diagram
Table of TCP/UDP Ports used by Fortinet Products and Services ................ 4

TCP/UDP Ports used by Fortinet Products and Services
Network Port Connectivity

In network security, an open port typically refers to the TCP or UDP port number that an application is
configured to listen on for specific protocols. Open ports allow remote clients to access network resources;
if a port is not open, the services behind that port are unreachable. This is known as a closed port.

TCP/IP Port Basics

In TCP/IP, the network communication session between two devices starts and ends with a TCP, UDP, or
SCTP port. Fortinet devices do not communicate using SCTP, so we will concentrate on the TCP and UDP
ports.

The starting port of a session is usually referred to as the Source Port, and the port at the far end as the
Destination Port. The destination port is also referred to as the Listening Port, because it is configured to
listen for any traffic directed to that port number. Both TCP and UDP ports can send and receive data, but not
simultaneously.

To avoid confusion, some ports are considered 'standard' in that they listen for the traffic of commonly used
protocols. If you wish to use non-standard ports for such commonly used protocols, you must perform
additional manual configuration. Because standard ports are used to listen for specific types of traffic, and
because those same ports cannot also be used to send traffic, the Source Port is usually assigned a random
port number that is not a standard listening port. For example, port 80 is the standard port listening for
HTTP traffic. Since most networked devices have HTTP traffic going in and out, a randomly assigned port
between 1025 and 65535 is opened and used as the Source Port. Ports 1 through 1024 are set aside because
most of the commonly used ports are identified in this range.

At its simplest, a port has one of three states:
1. A port can be open and listening for traffic.
2. A port can be closed, potentially waiting to be used as a source port (if it is not between 1 and 1024).
3. A port can be active, sending out traffic as a Source Port.

Open Ports and Security

For a networked device to be ready to receive traffic from allowed sources, it has to open ports for that
traffic. If all of the ports are left open, communicating with the device is easy and unobstructed. This is
troubling because others can see those open ports as well: the services on a fully open network are exposed
to external scrutiny, such as port-scanning software that probes those ports looking for exploitable services.
This is extremely undesirable.

It is common in network security for all network ports to be closed except those required for specific
services, such as FTP or web pages. As an administrator, it is your responsibility to ensure that all of the
necessary ports are open and that all of the unnecessary ports are closed.

Planning and Troubleshooting


The purpose of this document is primarily to assist in planning and troubleshooting. While every network is
different, this document should help determine which ports need to be open on your network so that
communication and traffic to and from Fortinet devices, especially those which enhance the performance of
your environment, are not impeded. In addition, if you are experiencing connectivity issues, this guide can
assist in troubleshooting the possible areas where traffic is inadvertently blocked. Due to the nature of firewalls,
any ports or services that are not expressly permitted will be blocked. As such, it is useful to have an idea of
which ports and services you may want open, with appropriate restrictions of course.
The guide also contains a one-page diagram of network port connectivity for a quick reference print-out. Refer
to the following table for more information, including explanations of each port, the protocol in question, the
application and its function, and most importantly the devices involved.
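The planning and troubleshooting workflow above can be made mechanical. The following is an added example, not code from the Fortinet document: a hand-transcribed subset of the port table below is encoded as an allow-list, from which the rules a firewall between two devices must permit are derived and a device's listening sockets are audited against what the table says should be open. The src device for rows that name no source (for example "DNS Lookups: To DNS Servers"), the "Remote Client" name for SSL-VPN users, and the observed socket list are assumptions or constructed sample data.

```python
"""Allow-list model built from a subset of the Fortinet port table (added
example, not the document's own code). Rules are (port, proto, app, src, dst);
src values for generic rows and the observed socket list are constructed."""
from collections import namedtuple

Rule = namedtuple("Rule", "port proto app src dst")

# Subset of the document's table. Where a row names no source device
# (e.g. "DNS Lookups: To DNS Servers") the src value is our assumption.
ALLOW_LIST = [
    Rule(22,    "tcp", "SSH",         "Admin Workstation", "FortiGate"),
    Rule(443,   "tcp", "HTTPS",       "Admin Workstation", "FortiGate"),
    Rule(10443, "tcp", "SSL-VPN",     "Remote Client",     "FortiGate"),
    Rule(25,    "tcp", "SMTP",        "FortiGate",         "SMTP Mail Server"),
    Rule(53,    "udp", "DNS",         "FortiGate",         "DNS Server"),
    Rule(123,   "udp", "NTP",         "FortiGate",         "NTP Server"),
    Rule(443,   "tcp", "HTTPS",       "FortiGate",         "FortiGuard"),
    Rule(8888,  "udp", "FortiGuard",  "FortiGate",         "FortiGuard"),
    Rule(514,   "tcp", "Syslog/OFTP", "FortiGate",         "FortiAnalyzer"),
    Rule(514,   "udp", "Syslog",      "FortiGate",         "FortiAnalyzer"),
    Rule(22,    "tcp", "SSH",         "Admin Workstation", "FortiAnalyzer"),
    Rule(443,   "tcp", "HTTPS",       "Admin Workstation", "FortiAnalyzer"),
]

def required_rules(src, dst):
    """Ports a firewall between src and dst must permit; as the document
    notes, anything not expressly permitted is blocked."""
    return sorted({(r.port, r.proto, r.app) for r in ALLOW_LIST
                   if r.src == src and r.dst == dst})

def expected_listeners(device):
    """(port, proto) pairs the table says should be open on device."""
    return {(r.port, r.proto) for r in ALLOW_LIST if r.dst == device}

def audit_listeners(device, observed):
    """Return (unexpected, missing): listeners to close or justify, and
    expected listeners not seen (a usual cause of traffic being
    inadvertently blocked when troubleshooting connectivity)."""
    expected = expected_listeners(device)
    return sorted(observed - expected), sorted(expected - observed)

# Constructed sample: sockets reported as listening on a FortiGate.
OBSERVED_FORTIGATE = {(22, "tcp"), (443, "tcp"), (80, "tcp"), (23, "tcp")}

if __name__ == "__main__":
    print(required_rules("FortiGate", "FortiAnalyzer"))
    print(audit_listeners("FortiGate", OBSERVED_FORTIGATE))
```

Extending ALLOW_LIST with the remaining rows of the table below turns this into a per-device baseline that can be re-run after every firmware or policy change.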

Table of TCP/UDP Ports used by Fortinet Products and Services

Each entry lists the Destination Port, Protocol(s), Application(s) (where given), and Function(s).

21      TCP       FTP
        - Log and Report uploads from FortiAnalyzer
        - Anti-defacement backup and restoration (FTP). Listening on FortiWeb
        - FTP configuration backup from FortiWeb to other device

22      TCP       SSH
        - SSH Command line based management: From Admin Workstation to Fortinet Device
        - Log and Report uploads: To and from FortiCloud; To and from FortiAnalyzer
        - Anti-defacement backup and restoration (SSH/SCP) from FortiWeb to other device

22      TCP       FTP over SSH
        - SFTP configuration backup from FortiWeb to other device

23      TCP       Telnet
        - Telnet Command line based management from Admin Workstation to Fortinet devices
        - HA (FGCP) between HA FortiGates

25      TCP       SMTP
        - Alert Emails: From FortiAnalyzer to SMTP Mail Server; From FortiGate to SMTP Mail Server; From FortiWeb to SMTP Mail Server
        - Encrypted Virus Samples auto submitted to FortiGuard

49      TCP       TACACS+
        - TACACS+ from FortiAnalyzer

53      UDP       DNS
        - DNS Lookups: To DNS Servers; To FortiGuard

53      UDP       Fortinet Queries
        - FortiGuard Server List requests to FortiGuard
        - AntiSpam or Web Filtering rating lookup queries to FortiGuard
        - URL/AS rating lookup queries to FortiGuard
        - Real-time Black List (RBL) lookup requests to RBL services

67      UDP       DHCP
        - DHCP to and from FortiGate

68      UDP       DHCP Relay
        - DHCP Relay to and from FortiGate

69      UDP       TFTP
        - TFTP for backups, restoration, and firmware updates from FortiWeb to other device

80      TCP
        - Default unsecure Web-based Management of Fortinet Device: Admin Workstation to FortiAnalyzer; Admin Workstation to FortiAuthenticator; Admin Workstation to FortiGate; Admin Workstation to FortiManager; Admin Workstation to FortiWeb

80      TCP       HTTP
        - Proxied HTTP traffic from FortiGate

80      TCP       HTTP
        - Fortinet Device Registration to FortiGuard
        - AV update requests from FortiClient to FortiManager
        - Server health checks from FortiWeb to other device
        - Predefined HTTP service. Only occurs if the service is used by a policy, listening on FortiWeb

80      TCP       Simple Certificate Enrollment Protocol (SCEP)
        - Issuing and revocation of digital certificates
        - Listening on FortiAuthenticator

88      TCP       Kerberos
        - Account Authentication traffic from FortiAuthenticator to Active Directory Controllers

123     UDP       NTP
        - Time Synchronization from Fortinet Device to NTP Server

135     TCP       Client/Server (WMI, SEL)
        - FortiAuthenticator to Active Directory Controllers

137     UDP       NetBIOS
138     UDP       NetBIOS
139     TCP/UDP   NetBIOS
        - Win Share to and from FortiAnalyzer (Not supported in FAZ v5.0/5.2)
        - Anti-defacement backup and restoration (Windows-style share) from FortiWeb to other device

161     UDP       Simple Network Management Protocol (SNMP)
        - SNMP Poll: FortiManager to FortiGate; Listening on FortiAuthenticator; Listening on FortiWeb

162     UDP       Simple Network Management Protocol (SNMP) Traps
        - To SysLog server; To FortiAnalyzer; To FortiManager

389     TCP/UDP   LDAP
        - LDAP Lookups, Authentication Requests and Report queries
        - PKI Authentication
        - To Active Directory Domain Controllers; To FortiAuthenticator; To LDAP Server

443     TCP       HTTPS
        - Default Secure Web-based Management of Fortinet Device: Admin Workstation to Fortinet Device
        - Firmware and Signature Downloads from FortiGuard
        - FGD SMS to FortiGuard
        - FC FTM to FortiGuard
        - FC Licensing to FortiGuard
        - Policy Override Auth to FortiGuard
        - AntiVirus/IPS updates to FortiGuard
        - URL/AS update requests to FortiGuard
        - Remote Vulnerability Scan updates to FortiGuard
        - Device Registration requests to FortiGuard
        - Server health checks from FortiWeb to other devices
        - Proxied HTTPS traffic from FortiGate to Proxy Server
        - FSSO Portal and Widget traffic

443     TCP       Representational state transfer (REST) API / HTTP
        - Listening on FortiAnalyzer

445     TCP       Microsoft-DS Active Directory, Windows shares
        - Domain Controller Polling: FortiAuthenticator to Active Directory Domain Controller
        - Listening on FortiAnalyzer
        - NTLM authentication queries
        - Anti-defacement backup and restoration (Windows-style share) from FortiWeb to other device

500     UDP       IPsec
        - Secure SNMP over IPsec connection

514     TCP/UDP   Syslog messages, OFTP
        - FortiGate to FortiAnalyzer
        - Device Registration: From FortiManager to FortiAnalyzer; From FortiGate to FortiAnalyzer
        - Quarantined files to FortiAnalyzer
        - Logs and Reports: To SysLog server; To FortiAnalyzer; To FortiCloud; To FortiManager
        - OFTP for file submission and statistics exchange: Between FortiGate and FortiSandbox (FortiCloud)

520     UDP       Routing Information Protocol (RIP)
        - Listening on FortiGate

541     TCP
        - Device Registration
        - Central Management from FortiManager
        - SSL Management Tunnel to FortiCloud

636     TCP       Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
        - Encrypted LDAP authentication traffic from Fortinet Devices to Active Directory Domain Controllers
        - Fortinet Devices to LDAP servers (including FortiAuthenticator)

703     TCP       FGCP L2
        - HA Heartbeat between HA FortiGates

1000    TCP
        - Policy Override Keepalive listening on FortiGate (Closed by default, but can be enabled)

1003    TCP
        - Policy Override Keepalive listening on FortiGate (Closed by default, but can be enabled)

1812    TCP       RADIUS
        - RADIUS Authentication Requests: To FortiAuthenticator; To RADIUS Server

1813    UDP       RADIUS
        - RADIUS Accounting to FortiAuthenticator

2049    TCP       NFS
        - Network File System listening on FortiAnalyzer (Not supported in FAZ v5.0/5.2)

2302    TCP
        - HTTP or HTTPS administrative access to web-based manager's CLI dashboard widget (v3.0 MR5 only)

2560    TCP       Online Certificate Status Protocol (OCSP)
        - Listening on FortiAnalyzer
        - Listening on FortiGate
        - Obtaining the revocation status of an X.509 digital certificate, listening on FortiAuthenticator

3000    TCP
        - Log aggregation listening on FortiAnalyzer (Log aggregation server support requires model FortiAnalyzer 800 or greater)

3306    TCP
        - Remote MySQL database connection listening on FortiAnalyzer

3784    UDP       BFD
        - Listening on FortiGate

4500    UDP       IPsec
        - Secure SNMP over IPsec connection: FortiGate to FortiAnalyzer; FortiGate to FortiManager

5199    TCP
        - HA Heartbeat or synchronization listening on FortiManager

6055    UDP
        - HA heartbeat. Layer 2 multicast. From FortiWeb to other device; Listening on FortiWeb

6056    UDP
        - HA configuration synchronization. Layer 2 multicast. From FortiWeb to other device; Listening on FortiWeb

8000    TCP       FSSO
        - Windows Active Directory Collector Agent for Fortinet Single Sign-On: From Active Directory Collector to FortiGate; From FortiAuthenticator to FortiGate; From FortiGate to FortiAuthenticator

8001    TCP       SSO Mobility Agent
        - This port is used to pass userid and IP address information from FortiClient to FortiAuthenticator. (This functionality is not necessary for the completion of phase 1)

8002    TCP/UDP   FSSO
        - UDP (for plain traffic), or TCP (for encrypted traffic)
        - FortiAuthenticator listening for traffic - Hierarchical FSSO Info from Tier Supplier

8003    TCP       FSSO
        - FortiAuthenticator listening for traffic from DS/TS Agents with FSSO Login information

8008    TCP
        - User authentication for policy override of HTTP traffic listening on FortiGate

8009    TCP
        - FortiClient Portal listening on FortiGate 1000A, 3600A, and 5005FA2 only

8010    TCP
        - User authentication for policy override of HTTPS traffic from FortiClient to FortiGate (This port and IP address must be load balanced between all four FortiGate 1500Ds)

8333    TCP
        - Configuration replication. From FortiWeb to other device; Listening on FortiWeb

8888    UDP
        - Application and Signature updates requests, FortiGuard AntiSpam or Web Filtering rating lookup requests and URL/AS Rating requests: FortiClient to FortiGuard; FortiGate to FortiGuard; FortiClient to FortiManager; FortiGate to FortiManager
        - FortiGuard Server List: FortiClient to FortiGuard; FortiGate to FortiGuard

8890    TCP
        - A/V, IPS signature, AntiSpam and Web Filtering update requests: FortiGate to FortiManager; FortiManager to FortiGuard

8890    ETH Layer 2
        - Between FortiGate and FortiManager for FortiGuard Updates

8900    TCP
        - VPN Settings distribution to authenticated FortiClient installations: FortiClient to FortiGate

9443    UDP
        - AV/IPS Push: FortiGuard to FortiGate; FortiGuard to FortiManager; FortiManager to FortiGate

10443   TCP
        - Connection to SSL-VPN Portals, listening on FortiGate

10151   TCP
        - Contract validation from FortiGate to FortiCloud
