Technical Tip: List of TCP and UDP ports used by the FSSO Collector Agent
Products
FortiGate v5.0
FortiGate v5.2
FortiGate v5.4
FortiGate v5.6
FortiGate v6.0
FortiGate v6.2
FortiGate v6.4
Description
This article lists the TCP and UDP ports used by the FSSO Collector Agent software, version 5.0.0276 and later.

For the open ports of FortiGate and other Fortinet products, see:
https://docs.fortinet.com/document/fortigate/6.2.0/ports-and-protocols/303168/fortigate-open-ports

For FSSO configuration on FortiGate, see:
https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/879117/fsso-fortinet-single-sign-on
Solution
Inbound (to the Collector Agent).
UDP/8002 – DC Agent keepalive and push of logon events to the Collector Agent
TCP/8001 – FortiGate to FSSO Collector Agent connection (SSL)
TCP/8000 – FortiGate to FSSO Collector Agent connection (no SSL)
TCP/8000 – NTLM authentication requests forwarded by FortiGate to the Collector Agent

Outbound (from the Collector Agent).
TCP/135, TCP/139, UDP/137 – Workstation check and polling mode (fallback method)
TCP/445 – Remote access to logon events and workstation check (remote registry)
TCP/389 – Group lookup using LDAP
TCP/636 – Group lookup using LDAPS
TCP/3268 – Group lookup using LDAP against the global catalog
TCP/3269 – Group lookup using LDAPS against the global catalog
UDP/53 – DNS resolution of the hostnames seen in logon events

Be sure to allow inbound connections to the FSSO Collector Agent in the integrated Windows Firewall. Only the FortiGate units need TCP/8000 and TCP/8001, and only the domain controllers running the DC Agent need UDP/8002, so the rules should be scoped to those addresses rather than opened to any source.
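The following PowerShell is an added example and not part of the Fortinet article: it creates the inbound Windows Firewall rules for the ports listed above on the Collector Agent host, scoped to the FortiGate and domain controller addresses, and then checks the outbound TCP ports toward each domain controller. The addresses in $FortiGates and $DCs are placeholders to be replaced with your own.

```powershell
# Added example (not from the Fortinet article). Run in an elevated PowerShell
# session on the Windows server that hosts the FSSO Collector Agent.
# Assumptions (placeholders, adjust to your environment):
#   $FortiGates - FortiGate units that connect to this Collector Agent
#   $DCs        - domain controllers running the DC Agent and serving LDAP/LDAPS

$FortiGates = @('10.0.0.1', '10.0.0.2')      # assumed FortiGate addresses
$DCs        = @('10.0.1.10', '10.0.1.11')    # assumed domain controller addresses

# Inbound: FortiGate -> Collector Agent. TCP/8000 (plain, also used for NTLM)
# and TCP/8001 (SSL). Restricted to the FortiGate addresses and the Domain profile.
New-NetFirewallRule -DisplayName 'FSSO CA - FortiGate (TCP 8000,8001)' `
    -Direction Inbound -Protocol TCP -LocalPort 8000,8001 `
    -RemoteAddress $FortiGates -Profile Domain -Action Allow

# Inbound: DC Agent -> Collector Agent keepalive and logon push on UDP/8002.
New-NetFirewallRule -DisplayName 'FSSO CA - DC Agent (UDP 8002)' `
    -Direction Inbound -Protocol UDP -LocalPort 8002 `
    -RemoteAddress $DCs -Profile Domain -Action Allow

# Show the port filters of the rules just created to confirm they took effect.
Get-NetFirewallRule -DisplayName 'FSSO CA*' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# Outbound checks from the Collector Agent toward each domain controller:
# RPC/NetBIOS (135, 139), SMB/remote registry (445), LDAP (389), LDAPS (636)
# and the global catalog (3268, 3269). Test-NetConnection only probes TCP,
# so UDP/137 and UDP/53 are not covered; DNS is exercised with Resolve-DnsName.
$tcpPorts = 135, 139, 445, 389, 636, 3268, 3269
foreach ($dc in $DCs) {
    foreach ($port in $tcpPorts) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0}:{1} -> {2}' -f $dc, $port, $state
    }
    # UDP/53: confirm the Collector Agent can resolve names via its configured DNS.
    Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
        Select-Object Name, IPAddress
}
```

A port reported as BLOCKED must be traced on the path between the Collector Agent and the domain controller (host firewall on the DC, or any firewall in between), since the Collector Agent itself does not need outbound rules on the default Windows Firewall policy.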

To test the connection from a FortiGate, run the following commands (the short forms diag/auth/exec are accepted by the CLI):
# diagnose debug enable
# diagnose debug authd fsso server-status
# execute telnet <CollectorAgentIP> 8000

The server-status output shows whether the FortiGate currently has a connection to each configured Collector Agent. A successful telnet only proves that TCP/8000 is reachable; it does not validate the FSSO password, and it does not test the SSL connection on TCP/8001.

Last Modified Date: 10-15-2020 Document ID: FD34641