Technical Note : Allowing FSSO Ports when using Windows Server 2008 and higher
Products
FortiGate
Description
This article describes how to allow FSSO ports when using Windows Server 2008 and later version. A new feature was implemented in Windows Server 2008 called 'Windows Firewall with Advanced Security'. This feature can sometimes block the FSSO ports from passing the traffic to the FortiGate.
Solution
TCP port 8000 and UDP 8002 should be allowed either via the GUI or by command line.

   1) Using the GUI:

    Go to Start Menu -> Control Panel -> Administrative Tools -> Windows Firewall with Advanced Security

   2) Using the command line:

For Inbound Traffic:

 

C:\>netsh advfirewall firewall add rule name="FSSO_TCP_8000" dir=in action=allow protocol=TCP localport=8000

C:\>netsh advfirewall firewall add rule name="FSSO_UDP_8002" dir=in action=allow protocol=UDP localport=8002

 

For Outbound Traffic:

 

C:\>netsh advfirewall firewall add rule name="FSSO_TCP_8000" dir=out action=allow protocol=TCP localport=8000

C:\>netsh advfirewall firewall add rule name="FSSO_UDP_8002" dir=out action=allow protocol=UDP localport=8002


After having added in the ports, either via GUI or by command line, the following entries should be seen:





NOTE: If these ports are changed in GUI of Collector Agent(s) default port for FSSO - TCP 8000 needs to be  changed in CLI in FortiOS. Reflect these changes in Windows firewall too.

CLI command to change default TCP 8000 in FortiOS are as follows:

config user fsso
    edit fsso_server
        set port            <-- Enter an integer value from <1> to <65535> (default = <8000>)
    end



Last Modified Date: 05-02-2019 Document ID: FD33504