The information relating to the ports used by Fortinet products is now available in the Fortinet Communications Ports and Protocols document, which can be found in the FortiOS Handbook section of the Fortinet Document Library.
Versions of the document are available from FortiOS 5.2.
The information contained in this article is no longer updated but may be of interest if running earlier versions of firmware.
Description
|
This article lists:
- ports for traffic originating from units
- ports for traffic receivable by units (listening ports)
- ports used to connect to the Fortinet Distribution Network (FDN)
Traffic varies by enabled options and configured ports. Only default ports are listed.
This information is also available in diagram format at the end of this article, and as a downloadable PDF.
For similar information about FortiMail, see the related article "FortiMail Traffic Types and TCP/UDP Ports".
|
Components
|
- FortiOS v4.0, v3.0, v2.80, and v2.50
- FortiClient v2.x, v3.0
- FortiManager v4.0, v3.0
- FortiAnalyzer v3.0
- FortiProxy 2.0.x, 7.0.x
- Fortinet Distribution Network (FDN)
|
Originating Traffic
|
FortiGate
Functionality |
Port(s) |
DNS lookup; RBL lookup |
UDP 53 |
FortiGuard Antispam or Web Filtering rating lookup |
UDP 53 or UDP 8888 |
FDN server list. Source and destination port numbers vary by originating or reply traffic. See also the related article "How do I troubleshoot performance issues when FortiGuard Web Filtering is enabled?". |
UDP 53 (default) or UDP 8888, and UDP 1027 or UDP 1031 |
NTP synchronization |
UDP 123 |
SNMP traps |
UDP 162 |
Syslog. All FortiOS versions can use syslog to send log messages to remote syslog servers. FortiOS v2.80 and v3.0 can also view logs stored remotely on a FortiAnalyzer unit. See originating port TCP 514. Note: If a secure connection has been configured between a FortiGate and a FortiAnalyzer, syslog traffic will be sent into an IPSec tunnel. Data will be exchanged over UDP 500/4500, protocol IP/50. |
UDP 514 |
Configuration backup to FortiManager unit or FortiGuard Analysis and Management Service |
TCP 22 |
SMTP alert email; encrypted virus sample auto-submit |
TCP 25 |
LDAP or PKI authentication |
TCP 389 or TCP 636 |
FortiGuard Antivirus or IPS update. When requesting updates from a FortiManager unit instead of directly from the FDN, this port must be reconfigured as TCP 8890. |
TCP 443 |
FortiGuard Analysis and Management Service |
TCP 443 |
FortiGuard Analysis and Management Service log transmission (OFTP) |
TCP 514 |
SSL management tunnel to FortiGuard Analysis and Management Service (FortiOS v3.0 MR6 or later) |
TCP 541 |
FortiGuard Analysis and Management Service contract validation |
TCP 10151 |
Quarantine, remote access to logs & reports on a FortiAnalyzer unit, device registration with FortiAnalyzer units (OFTP) |
TCP 514 |
RADIUS authentication |
TCP 1812 |
FortiAnalyzer
Functionality |
Port(s) |
DNS lookup |
UDP 53 |
NTP synchronization |
UDP 123 |
Windows share |
UDP 137-138 |
SNMP traps |
UDP 162 |
Syslog; log forwarding. Note: If a secure connection has been configured between a FortiGate and a FortiAnalyzer, syslog traffic will be sent into an IPSec tunnel. Data will be exchanged over UDP 500/4500, protocol IP/50. |
UDP 514 |
Log & report upload |
TCP 21 or TCP 22 |
SMTP alert email |
TCP 25 |
User name LDAP queries for reports |
TCP 389 or TCP 636 |
Vulnerability Management updates |
TCP 443 |
RADIUS authentication |
TCP 1812 |
TACACS+ |
TCP 49 |
Log aggregation client |
TCP 3000 |
Device registration of FortiGate or FortiManager units; remote access to quarantine, logs & reports from a FortiGate unit; remote management from a FortiManager unit (configuration retrieval) (OFTP) |
TCP 514 |
FortiAnalyzer listening ports
Windows share |
UDP 137-139 and TCP 445 |
Syslog, log forwarding |
UDP 514. Note: If a secure connection has been configured between a FortiGate and FortiAnalyzer, syslog will be sent into an IPSec tunnel. Data will be exchanged over UDP 500/4500, protocol IP/50. |
SSH administrative access to the CLI |
TCP 22 |
Telnet administrative access to the CLI |
TCP 23 |
HTTPS administrative access to the web-based manager |
TCP 80 |
HTTPS administrative access to the web-based manager; remote management from a FortiManager unit |
TCP 443 |
Device registration of FortiGate or FortiManager units; remote access to quarantine, logs & reports from a FortiGate unit; remote management from a FortiManager unit (configuration retrieval) (OFTP) |
TCP 514 |
NFS share |
TCP 2049 |
HTTP or HTTPS administrative access to the web-based manager's CLI dashboard widget (v3.0 MR5 only). Protocol used will match the protocol used by the administrator when logging in to the web-based manager. |
TCP 2032 |
Log aggregation server. Log aggregation server support requires model FortiAnalyzer 800 or greater. |
TCP 3000 |
Remote management from FortiManager unit |
TCP 8080 |
Remote MySQL database connection |
TCP 3306 |
FortiAnalyzer FDN ports
Vulnerability Management updates |
TCP 443 |
FortiManager
Functionality |
Port(s) |
DNS lookup |
UDP 53 |
NTP synchronization |
UDP 123 |
SNMP traps |
UDP 162 |
Syslog |
UDP 514 |
Remote management of a FortiGate unit |
TCP 22 and TCP 443; FortiManager v4.0 and above: TCP 541 |
Remote management of a FortiAnalyzer unit (OFTP and web services) |
TCP 443 and TCP 514 and TCP 8080 |
Firmware image downloads; FortiGuard Antivirus, Antispam, IPS and Web Filtering updates |
TCP 443 |
RADIUS authentication |
TCP 1812 |
FortiClient Manager clustering |
TCP 6028 |
FortiClient
Functionality |
Port(s) |
Syslog |
UDP 514 |
Keepalive with FortiManager units |
UDP 6022 and UDP 6023 |
FortiGuard Antispam or Web Filtering rating lookup |
UDP 8888 |
FortiGuard Antivirus updates |
TCP 80 |
Device registration with FortiManager units |
TCP 6020 |
VPN settings from a FortiGate unit. FortiOS v3.0 can distribute VPN settings to FortiClients that provide a valid login. See the FortiGate CLI command config vpn ipsec forticlient. |
TCP 8900 |
|
Receivable Traffic (Listening Ports)
|
FortiGate
When operating in the default configuration, FortiGate units do not accept TCP or UDP connections on any port, with one exception: the default internal interface accepts HTTPS connections on TCP port 443.
See also the related article "Closing TCP 113" which describes making your FortiGate unit completely invisible to probes.
Functionality |
Port(s) |
FortiGuard Antivirus and IPS update push. The FDN sends notice that an update is available. Update downloads then occur on standard originating ports for updates. See originating port TCP 443. |
UDP 9443 |
SSH administrative access to the CLI; remote management from a FortiManager unit |
TCP 22 |
Telnet administrative access to the CLI; HA synchronization (FGCP L2). Changing the telnet administrative access port number also changes the HA synchronization port number. |
TCP 23 |
HTTP administrative access to the web-based manager |
TCP 80 |
HTTPS administrative access to the web-based manager; remote management from a FortiManager unit; user authentication for policy override |
TCP 443 |
SSL management tunnel from FortiGuard Analysis and Management Service (FortiOS v3.0 MR6 or later) |
TCP 541 |
HA heartbeat (FGCP L2). FortiOS v2.8 used TCP 702. |
TCP 703 |
User authentication keepalive and logout for policy override (default value of port for HTTP traffic). Beginning with FortiOS v3.0 MR2, by default, this port is closed until enabled by the auth-keepalive command. |
TCP 1000 |
User authentication keepalive and logout for policy override (default value of port for HTTPS traffic). Beginning with FortiOS v3.0 MR2, by default, this port is closed until enabled by the auth-keepalive command. |
TCP 1003 |
HTTP or HTTPS administrative access to the web-based manager's CLI dashboard widget (v3.0 MR5 only). Protocol used will match the protocol used by the administrator when logging in to the web-based manager. |
TCP 2302 |
Windows Active Directory (AD) Collector Agent |
TCP 8000 |
User authentication for policy override of HTTP traffic |
TCP 8008 |
FortiClient download portal. This feature is available on FortiGate-1000A, FortiGate-3600A, and FortiGate-5005FA2 only. |
TCP 8009 |
User authentication for policy override of HTTPS traffic |
TCP 8010 |
VPN settings distribution to authenticated FortiClient installations. See originating port TCP 8900. |
TCP 8900 |
SSL VPN |
TCP 10443 |
HA |
ETH 8890 (Layer 2) |
FortiAnalyzer
Functionality |
Port(s) |
Windows share |
UDP 137-139 and TCP 445 |
Syslog. Note: If a secure connection has been configured between a FortiGate and a FortiAnalyzer, syslog traffic will be sent into an IPSec tunnel. Data will be exchanged over UDP 500/4500, protocol IP/50. |
UDP 514 |
SSH administrative access to the CLI |
TCP 22 |
Telnet administrative access to the CLI |
TCP 23 |
HTTP administrative access to the web-based manager |
TCP 80 |
HTTPS administrative access to the web-based manager; remote management from a FortiManager unit |
TCP 443 |
Device registration of FortiGate or FortiManager units; remote access to quarantine, logs & reports from a FortiGate unit; remote management from a FortiManager unit (configuration retrieval) (OFTP) |
TCP 514 |
NFS share |
TCP 2049 |
HTTP or HTTPS administrative access to the web-based manager's CLI dashboard widget (v3.0 MR5 only). Protocol used will match the protocol used by the administrator when logging in to the web-based manager. |
TCP 2302 |
Log aggregation server. Log aggregation server support requires model FortiAnalyzer-800 or greater. |
TCP 3000 |
Remote management from a FortiManager unit (configuration installation) |
TCP 8080 |
FortiManager
Functionality |
Port(s) |
FortiGuard Antispam or Web Filtering rating lookup from a FortiClient or FortiGate unit |
UDP 53 or 8888 |
SNMP traps |
UDP 162 |
Keepalive from a FortiClient installation |
UDP 6022 and UDP 6023 |
FortiGuard Antivirus and IPS update push. The FDN sends notice that an update is available. Update downloads then occur on standard originating ports for updates. See originating port TCP 443. |
UDP 9443 |
SSH administrative access to the CLI |
TCP 22 |
Telnet administrative access to the CLI |
TCP 23 |
HTTP administrative access to the web-based manager; FortiGuard Antivirus update request from a FortiClient installation |
TCP 80 |
HTTPS administrative access to the web-based manager; FortiGuard Antispam, Antivirus, IPS or Web Filtering update request from a FortiGate unit |
TCP 443 |
Device registration from a FortiClient installation |
TCP 6020 |
FortiClient Manager clustering |
TCP 6028 |
FortiGuard Antivirus or IPS update request from a FortiGate unit |
TCP 8890 |
HA heartbeat or synchronization |
TCP 5199 |
|
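An added example, not part of the original Fortinet article: a parser for the Port(s) cell notation used in these tables, with an audit of listeners observed on a unit you administer against the FortiGate defaults listed in this section. The function names, status labels and the sample listener set are this example's own constructs; the parser also handles cell forms from the other tables (ranges such as "UDP 137-139", inherited protocols such as "UDP 53 or 8888").

```python
import re

# Port(s) cells copied from the FortiGate listening-port table above (defaults).
FORTIGATE_CELLS = [
    "UDP 9443", "TCP 22", "TCP 23", "TCP 80", "TCP 443", "TCP 541", "TCP 703",
    "TCP 1000", "TCP 1003", "TCP 2302", "TCP 8000", "TCP 8008", "TCP 8009",
    "TCP 8010", "TCP 8900", "TCP 10443", "ETH 8890 (Layer 2)",
]
# Per the article, a default configuration accepts only HTTPS on TCP 443.
DEFAULT_OPEN = {("TCP", 443)}
# Telnet and HTTP administrative access send credentials unencrypted.
CLEARTEXT_ADMIN = {("TCP", 23), ("TCP", 80)}

TOKEN = re.compile(r"(TCP|UDP)?\s*(\d+)(?:-(\d+))?")

def parse_ports(cell):
    """Expand a Port(s) cell into a set of (protocol, port) pairs."""
    pairs, proto = set(), None
    for m in TOKEN.finditer(cell):
        proto = m.group(1) or proto      # "UDP 53 or 8888": 8888 inherits UDP
        if proto is None:                # "ETH 8890": not a TCP/UDP port, skip
            continue
        lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
        pairs.update((proto, p) for p in range(lo, hi + 1))
    return pairs

def audit(observed):
    """Map each observed (protocol, port) listener to a status label."""
    documented = set().union(*map(parse_ports, FORTIGATE_CELLS))
    return {pp: ("default" if pp in DEFAULT_OPEN else
                 "cleartext-admin" if pp in CLEARTEXT_ADMIN else
                 "enabled-option" if pp in documented else
                 "undocumented")
            for pp in observed}

# Constructed sample: listeners recorded on a unit you administer.
SAMPLE = {("TCP", 443), ("TCP", 23), ("TCP", 10443), ("TCP", 4444)}

if __name__ == "__main__":
    for listener, status in sorted(audit(SAMPLE).items()):
        print(listener, status)
```

Anything other than "default" means a non-default option is enabled or the listener is not in the article's table and needs to be explained.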
FDN Ports
|
FortiGate, FortiAnalyzer, and FortiManager units and FortiClient installations communicate with the Fortinet Distribution Network (FDN) to receive updates or use services.
Product(s) |
Functionality |
Port(s) |
FortiManager v3.0 |
FortiGuard Web Filtering and Antispam rating replies |
Source: UDP 53 (default) or UDP 8888 Destination: UDP 1027 or UDP 1031 |
FortiOS v3.0 |
FortiGuard Web Filtering and Antispam rating lookup. This can be to the FDN or to a FortiManager acting as a private FDS. |
Source: UDP 1027 or 1031 Destination: UDP 53 (default) or UDP 8888 |
FortiOS v3.0 |
FDN server list. See also the related article "How do I troubleshoot performance issues when FortiGuard Web Filtering is enabled?". |
UDP 53 (default) or UDP 8888, and UDP 1027 or UDP 1031 |
FortiOS v2.80 |
FortiGuard Web Filtering |
UDP 8888 |
FortiOS v2.80 |
FortiGuard Antispam (FortiShield) |
UDP 8889 |
FortiOS v3.0, FortiManager v3.0 |
FortiGuard Antivirus and IPS update push. The FDN sends notice that an update is available. Update downloads then occur on standard originating ports for updates. See originating port TCP 443. |
UDP 9443 |
FortiClient |
FortiGuard Antivirus updates |
TCP 80 |
FortiAnalyzer v3.0 |
Remote Vulnerability Scan (RVS) updates |
TCP 443 |
FortiManager v3.0 |
Firmware images from FDN |
TCP 443 |
FortiManager v3.0 |
FortiGuard Antispam or Web Filtering updates |
TCP 443 or TCP 8890 |
FortiOS v3.0 |
FortiGuard Antivirus and IPS updates. When requesting updates from a FortiManager unit instead of directly from the FDN, this port must be reconfigured as TCP 8890. |
TCP 443 |
FortiOS v2.80 |
FortiGuard Antivirus updates |
TCP 443 |
FortiOS v3.0 |
FortiGuard Analysis and Management Service |
TCP 443 |
FortiOS v3.0 |
FortiGuard Analysis and Management Service log transmission (OFTP) |
TCP 514 |
FortiOS v3.0 MR6 or later |
SSL management tunnel to FortiGuard Analysis and Management Service |
TCP 541 |
FortiOS v3.0 |
FortiGuard Analysis and Management Service contract validation |
TCP 10151 |
FortiOS v2.50 |
FortiGuard Antivirus updates |
TCP 8890 |
|

Related Articles
Troubleshooting performance issues when FortiGuard Web Filtering is enabled - Low source port
FortiOS : Closing TCP port 113
Technical Note: Traffic Types and TCP/UDP Ports used by Fortinet Products
Technical Note: Communication between FortiManager and FortiGate - TCP port 541