This article describes how to allow FSSO ports when using Windows Server 2008 and later version. A new feature was implemented in Windows Server 2008 called 'Windows Firewall with Advanced Security'. This feature can sometimes block the FSSO ports from passing the traffic to the FortiGate.
TCP port 8000 and UDP 8002 should be allowed either via the GUI or by command line.
1) Using the GUI:
Go to Start Menu -> Control Panel -> Administrative Tools -> Windows Firewall with Advanced Security
2) Using the command line:
For Inbound Traffic:
C:\>netsh advfirewall firewall add rule name="FSSO_TCP_8000" dir=in action=allow protocol=TCP localport=8000
C:\>netsh advfirewall firewall add rule name="FSSO_UDP_8002" dir=in action=allow protocol=UDP localport=8002
For Outbound Traffic:
C:\>netsh advfirewall firewall add rule name="FSSO_TCP_8000" dir=out action=allow protocol=TCP localport=8000
C:\>netsh advfirewall firewall add rule name="FSSO_UDP_8002" dir=out action=allow protocol=UDP localport=8002After having added in the ports, either via GUI or by command line, the following entries should be seen:
NOTE: If these ports are changed in GUI of Collector Agent(s) default port for FSSO - TCP 8000 needs to be changed in CLI in FortiOS. Reflect these changes in Windows firewall too.
CLI command to change default TCP 8000 in FortiOS are as follows:config user fsso
set port <-- Enter an integer value from <1> to <65535> (default = <8000>)