Ports used by Fortinet

Ports used by Fortinet - Fortinet Document Library, docs.fortinet.com/uploaded/files/1880/FortinetOpenPorts.pdf


May 9, 2014

01-520-112804-20140509

Copyright© 2014 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation docs.fortinet.com

Knowledge Base kb.fortinet.com

Customer Service & Support support.fortinet.com

Training Services training.fortinet.com

FortiGuard fortiguard.com

Document Feedback [email protected]


Table of contents

Network Port Connectivity ......................................................................... 1

TCP/IP Port Basics ......................................................................................... 1

Open Ports and Security ................................................................................ 1

Planning and Troubleshooting ...................................................................... 2

Fortinet Port Numbers Diagram ............................................................. 3

Table of TCP/UDP Ports used by Fortinet Products and Services ......... 4


TCP/UDP Ports used by Fortinet Products and Services

Network Port Connectivity

In network security, an open port is a TCP or UDP port number on which an application has been configured to listen for a specific protocol. Open ports are what allow remote clients to reach network resources; if a port is not open, the service behind it is unreachable. This is known as a closed port.

TCP/IP Port Basics

In TCP/IP, a communication session between two devices is identified by a TCP, UDP, or SCTP port at each end. Fortinet devices do not communicate using SCTP, so this document concentrates on TCP and UDP ports.

The port at the end that initiates the session is the Source Port, and the port at the far end is the Destination Port. The Destination Port is also called the Listening Port, because the service there is configured to listen for any traffic directed to that port number. Once a session is established, data flows in both directions over the same pair of ports: the client sends from its Source Port to the Listening Port, and the service replies from the Listening Port back to the client's Source Port.

To avoid confusion, some ports are considered 'standard': they are the well-known listening ports for commonly used protocols. If you wish to run a common protocol on a non-standard port, you must perform additional manual configuration on both ends. Because a standard port identifies the service being contacted, the Source Port is instead chosen by the client's operating system from the range that is not used for well-known listening. For example, port 80 is the standard listening port for HTTP. When a device connects to a web server, its operating system opens a randomly assigned high-numbered port (above 1024; the exact ephemeral range depends on the operating system) and uses it as the Source Port. Ports below 1024 are set aside because most of the commonly used listening ports are assigned in this range.

At its simplest, a port has one of three states:

1. A port can be open and listening for traffic.
2. A port can be closed, not in use, and potentially waiting to be chosen as a Source Port (if it is not in the well-known range below 1024).
3. A port can be active, sending and receiving traffic as the Source Port of a session.

Open Ports and Security

For a networked device to be ready to receive traffic from allowed sources, it has to open ports for that traffic. If all ports are left open, communicating with the device is easy and unobstructed. This is troubling because others can see those open ports as well: the services on a fully open device are exposed to external scrutiny, such as port scanners that enumerate the listening services and probe them for exploitable weaknesses. This is extremely undesirable.

It is common practice in network security to close all ports except those required for specific services, such as FTP or web pages. As an administrator, it is your responsibility to ensure that all of the necessary ports are open and that all of the unnecessary ports are closed.
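To make the Source Port, Listening Port and closed-port states concrete, here is an added example in Python (it is not part of the Fortinet document). It opens a listener on 127.0.0.1 on a port the operating system picks, connects to it, records which port each side of the session sees, reads the reply that comes back from the listening port, and finally connects to the same port again after the listener has been closed. All addresses and ports are chosen by the script itself; nothing touches a Fortinet device.

```python
"""Added example (not from the Fortinet document): see the Source Port,
Listening Port and a closed port from both ends of a TCP session.

Everything here is local and constructed: the listener is bound to 127.0.0.1
on a port the OS picks, so the script runs offline and touches no Fortinet device.
"""
import socket
import threading


def serve_one(server_sock: socket.socket, seen: dict) -> None:
    """Accept one connection, record the ports the server sees, echo one message.

    The reply leaves from the listening port and goes to the client's source
    port: the same port pair carries traffic in both directions.
    """
    conn, _addr = server_sock.accept()
    with conn:
        seen["server_local_port"] = conn.getsockname()[1]   # the listening port
        seen["server_peer_port"] = conn.getpeername()[1]    # the client's source port
        conn.sendall(b"echo:" + conn.recv(1024))


def demonstrate_port_states() -> dict:
    """Run one client/server exchange, then hit the same port once it is closed."""
    seen: dict = {}
    server_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_sock.bind(("127.0.0.1", 0))   # port 0: let the OS choose a free listening port
    server_sock.listen(1)
    listening_port = server_sock.getsockname()[1]   # state 1: open and listening

    worker = threading.Thread(target=serve_one, args=(server_sock, seen), daemon=True)
    worker.start()

    with socket.create_connection(("127.0.0.1", listening_port), timeout=5) as client:
        # The client never chose a port: the OS assigned an ephemeral source
        # port (state 3: active as a Source Port), outside the well-known range.
        seen["client_source_port"] = client.getsockname()[1]
        seen["client_destination_port"] = client.getpeername()[1]
        client.sendall(b"hello")
        seen["reply"] = client.recv(1024)

    worker.join(timeout=5)
    server_sock.close()   # nothing listens here any more: state 2, closed

    # A TCP connect to a closed port is actively refused (RST); that is what
    # distinguishes "closed" from "filtered" (dropped by a firewall, which times out).
    try:
        socket.create_connection(("127.0.0.1", listening_port), timeout=5).close()
        seen["closed_port_result"] = "connected"
    except ConnectionRefusedError:
        seen["closed_port_result"] = "refused"

    seen["listening_port"] = listening_port
    seen["source_port_is_ephemeral"] = seen["client_source_port"] >= 1024
    return seen


if __name__ == "__main__":
    for key, value in demonstrate_port_states().items():
        print(f"{key}: {value}")
```

Run it and compare the two views of the same session: the server's peer port equals the client's source port, the client's destination port equals the listening port, and the second connect is refused rather than timing out, which is the difference a port scanner reports as "closed" versus "filtered".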


Planning and Troubleshooting

The purpose of this document is primarily to assist in planning and troubleshooting. While every network is different, this document should help determine which ports need to be open on your network so that communication and traffic to and from Fortinet devices, especially those which enhance the performance of your environment, are not impeded. In addition, if you are experiencing connectivity issues, this guide can assist in troubleshooting the places where traffic is inadvertently blocked. Due to the nature of firewalls, any ports or services that are not expressly permitted will be blocked. As such, it is useful to have an idea of which ports and services you may want open, with appropriate restrictions of course.

The guide also contains a one-page diagram of network port connectivity for a quick reference print-out. Refer to the following table for more information, including explanations of each port, the protocol in question, the application and its function, and most importantly the devices involved.
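As an added example (not part of the Fortinet document), the following Python script turns the port table that follows into a checklist for both directions of the problem described above: ports that are open but not expected for the device's role (the "unnecessary ports" of the previous section), plain-text management ports that are open, and expected ports that a scan found closed (the "inadvertently blocked" case). It parses one host line of nmap's grepable (-oG) output. The per-role expected sets are an assumption drawn from the table (management and logging ports only; what you enable is a deployment decision), the scan line is constructed for the example, and the host name and address are fictitious.

```python
"""Added example (not from the Fortinet document): audit a device's exposed
ports against the expected list from the table in this document.

The expected-port sets below are an assumption drawn from the table
(management and logging ports for a FortiGate and a FortiAnalyzer); the scan
output is a constructed sample in nmap's grepable (-oG) format, not a real scan.
"""
import re

# (port, protocol) pairs per device role, taken from the table in this document.
EXPECTED = {
    "fortigate": {
        (22, "tcp"),    # SSH CLI management from the admin workstation
        (443, "tcp"),   # HTTPS web-based management
        (541, "tcp"),   # central management from FortiManager
        (161, "udp"),   # SNMP poll from FortiManager
    },
    "fortianalyzer": {
        (22, "tcp"),    # SSH management, SFTP/SCP log uploads
        (443, "tcp"),   # HTTPS management and REST API
        (514, "tcp"),   # OFTP logs from FortiGate / FortiManager
        (514, "udp"),   # syslog
    },
}

# Plain-text management protocols the table lists but a hardened deployment
# should not expose; flagged separately because they leak credentials in transit.
INSECURE = {(21, "tcp"): "FTP", (23, "tcp"): "Telnet", (80, "tcp"): "HTTP management"}

# One port entry in -oG output: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/")

# Constructed sample: one 'Host:' line as nmap -oG would write it (fictitious host).
SAMPLE_SCAN = (
    "Host: 192.0.2.1 (fgt-edge.example.net)\tPorts: 22/open/tcp//ssh///, "
    "23/open/tcp//telnet///, 443/open/tcp//https///, 541/closed/tcp/////, "
    "161/open|filtered/udp//snmp///\tIgnored State: closed (995)"
)


def parse_grepable(line: str) -> dict:
    """Return {(port, proto): state} for one 'Host:' line of nmap -oG output."""
    found = {}
    m = re.search(r"Ports: (.*?)(?:\t|$)", line)
    if not m:            # host down, or no Ports: field at all
        return found
    for port, state, proto in PORT_RE.findall(m.group(1)):
        found[(int(port), proto)] = state
    return found


def audit(role: str, line: str) -> dict:
    """Compare what the scan saw with what the role is expected to expose."""
    observed = parse_grepable(line)
    expected = EXPECTED[role]
    open_ports = {k for k, s in observed.items() if s == "open"}
    # UDP probes with no answer and no ICMP unreachable come back as
    # open|filtered: not proven open, but not proven blocked either.
    unconfirmed = {k for k, s in observed.items() if s == "open|filtered"}
    return {
        # unnecessary ports that are open: close them or restrict the source
        "unexpected_open": sorted(open_ports - expected),
        # clear-text management listeners, expected or not
        "insecure_open": sorted((k, INSECURE[k]) for k in open_ports if k in INSECURE),
        # needed ports reported closed: service disabled or blocked along the path
        "expected_missing": sorted(expected - open_ports - unconfirmed),
        # needed UDP ports the scan could not confirm; verify with the service itself
        "unconfirmed_udp": sorted(unconfirmed & expected),
    }


if __name__ == "__main__":
    for finding, items in audit("fortigate", SAMPLE_SCAN).items():
        print(f"{finding}: {items}")
```

For the constructed scan the script reports Telnet (23/tcp) as both unexpected and insecure, 541/tcp (FortiManager central management) as expected but closed, and 161/udp as unconfirmed, which is the usual outcome of a UDP scan and a reminder that SNMP reachability is better verified with an actual poll than with a port scan.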

Fortinet Port Numbers Diagram

(One-page diagram of network port connectivity for quick-reference printing; the image is not reproduced in this text version.)

Table of TCP/UDP Ports used by Fortinet Products and Services

Each entry gives the destination port, the protocol(s), the application(s), and the function(s), including which devices are involved.

Port    Protocol   Application

21      TCP        FTP
  • Log and report uploads from FortiAnalyzer
  • Anti-defacement backup and restoration (FTP), listening on FortiWeb
  • FTP configuration backup from FortiWeb to other device

22      TCP        SSH
  • SSH command line based management from Admin Workstation to Fortinet device

22      TCP        SFTP/SCP (file transfer over SSH)
  • Log and report uploads to and from FortiCloud
  • Log and report uploads to and from FortiAnalyzer
  • Anti-defacement backup and restoration (SSH/SCP) from FortiWeb to other device
  • SFTP configuration backup from FortiWeb to other device

23      TCP        Telnet
  • Telnet command line based management from Admin Workstation to Fortinet devices
  • HA (FGCP) between HA FortiGates

25      TCP        SMTP
  • Alert emails from FortiAnalyzer to SMTP mail server
  • Alert emails from FortiGate to SMTP mail server
  • Alert emails from FortiWeb to SMTP mail server
  • Encrypted virus samples auto-submitted to FortiGuard

49      TCP        TACACS+
  • TACACS+ from FortiAnalyzer

53      UDP        DNS
  • DNS lookups to DNS servers
  • DNS lookups to FortiGuard

53      UDP        Fortinet queries
  • FortiGuard server list requests to FortiGuard
  • AntiSpam or Web Filtering rating lookup queries to FortiGuard
  • URL/AS rating lookup queries to FortiGuard
  • Real-time Black List (RBL) lookup requests to RBL services

67      UDP        DHCP
  • DHCP to and from FortiGate

68      UDP        DHCP Relay
  • DHCP Relay to and from FortiGate

69      UDP        TFTP
  • TFTP for backups, restoration, and firmware updates from FortiWeb to other device

80      TCP        HTTP
  • Default unsecure web-based management of Fortinet device, from Admin Workstation to:
      • FortiAnalyzer
      • FortiAuthenticator
      • FortiGate
      • FortiManager
      • FortiWeb
  • Proxied HTTP traffic from FortiGate
  • Fortinet device registration to FortiGuard
  • AV update requests from FortiClient to FortiManager
  • Server health checks from FortiWeb to other device
  • Predefined HTTP service; only occurs if the service is used by a policy, listening on FortiWeb

80      TCP        Simple Certificate Enrollment Protocol (SCEP)
  • Issuing and revocation of digital certificates, listening on FortiAuthenticator

88      TCP        Kerberos
  • Account authentication traffic from FortiAuthenticator to Active Directory controllers

123     UDP        NTP
  • Time synchronization from Fortinet device to NTP server

135     TCP        RPC endpoint mapper (WMI, SEL)
  • FortiAuthenticator to Active Directory controllers

137     UDP        NetBIOS Name Service
  • Windows share to and from FortiAnalyzer (not supported in FAZ v5.0/5.2)
  • Anti-defacement backup and restoration (Windows-style share) from FortiWeb to other device

138     UDP        NetBIOS Datagram Service
  • Windows share to and from FortiAnalyzer (not supported in FAZ v5.0/5.2)
  • Anti-defacement backup and restoration (Windows-style share) from FortiWeb to other device

139     TCP/UDP    NetBIOS Session Service
  • Windows share to and from FortiAnalyzer (not supported in FAZ v5.0/5.2)
  • Anti-defacement backup and restoration (Windows-style share) from FortiWeb to other device

161     UDP        Simple Network Management Protocol (SNMP)
  • SNMP poll from FortiManager to FortiGate
  • Listening on FortiAuthenticator
  • Listening on FortiWeb

162     UDP        SNMP traps
  • To syslog server
  • To FortiAnalyzer
  • To FortiManager

389     TCP/UDP    LDAP
  • LDAP lookups, authentication requests and report queries
  • PKI authentication
  • To Active Directory domain controllers
  • To FortiAuthenticator
  • To LDAP server

443     TCP        HTTPS
  • Default secure web-based management of Fortinet device, from Admin Workstation to Fortinet device
  • Firmware and signature downloads from FortiGuard
  • FGD SMS to FortiGuard
  • FC FTM to FortiGuard
  • FC licensing to FortiGuard
  • Policy override authentication to FortiGuard
  • AntiVirus/IPS updates to FortiGuard
  • URL/AS update requests to FortiGuard
  • Remote vulnerability scan updates to FortiGuard
  • Device registration requests to FortiGuard
  • Server health checks from FortiWeb to other devices
  • Proxied HTTPS traffic from FortiGate to proxy server
  • FSSO portal and widget traffic

443     TCP        Representational State Transfer (REST) API over HTTPS
  • Listening on FortiAnalyzer

445     TCP        Microsoft-DS (Active Directory, Windows shares)
  • Domain controller polling from FortiAuthenticator to Active Directory domain controller
  • NTLM authentication queries
  • Listening on FortiAnalyzer
  • Anti-defacement backup and restoration (Windows-style share) from FortiWeb to other device

500     UDP        IPsec (IKE)
  • Secure SNMP over IPsec connection from FortiGate to FortiAnalyzer

514     TCP/UDP    Syslog / OFTP
  • Device registration from FortiManager to FortiAnalyzer
  • Device registration from FortiGate to FortiAnalyzer
  • Quarantined files to FortiAnalyzer
  • Logs and reports to syslog server, FortiAnalyzer, FortiCloud and FortiManager
  • OFTP for file submission and statistics exchange between FortiGate and FortiSandbox (FortiCloud)

520     UDP        Routing Information Protocol (RIP)
  • Listening on FortiGate

541     TCP        FortiGate to FortiManager protocol (FGFM)
  • Device registration and central management from FortiManager
  • SSL management tunnel to FortiCloud

636     TCP        LDAP over TLS/SSL (LDAPS)
  • Encrypted LDAP authentication traffic from Fortinet devices to Active Directory domain controllers
  • Encrypted LDAP authentication traffic from Fortinet devices to LDAP servers (including FortiAuthenticator)

703     TCP        FGCP L2
  • HA heartbeat between HA FortiGates

1000    TCP
  • Policy override keepalive, listening on FortiGate (closed by default, but can be enabled)

1003    TCP
  • Policy override keepalive, listening on FortiGate (closed by default, but can be enabled)

1812    UDP        RADIUS
  • RADIUS authentication requests to FortiAuthenticator
  • RADIUS authentication requests to RADIUS server

1813    UDP        RADIUS
  • RADIUS accounting to FortiAuthenticator

2049    TCP        NFS
  • Network File System, listening on FortiAnalyzer (not supported in FAZ v5.0/5.2)

2302    TCP
  • HTTP or HTTPS administrative access to the web-based manager's CLI dashboard widget (v3.0 MR5 only)
  • Listening on FortiAnalyzer
  • Listening on FortiGate

2560    TCP        Online Certificate Status Protocol (OCSP)
  • Obtaining the revocation status of an X.509 digital certificate, listening on FortiAuthenticator

3000    TCP
  • Log aggregation, listening on FortiAnalyzer (log aggregation server support requires model FortiAnalyzer 800 or greater)

3306    TCP        MySQL
  • Remote MySQL database connection, listening on FortiAnalyzer

3784    UDP        BFD
  • Listening on FortiGate

4500    UDP        IPsec (IKE NAT traversal, NAT-T)
  • Secure SNMP over IPsec connection from FortiGate to FortiAnalyzer
  • Secure SNMP over IPsec connection from FortiGate to FortiManager

5199    TCP
  • HA heartbeat or synchronization, listening on FortiManager

6055    UDP
  • HA heartbeat (layer 2 multicast) from FortiWeb to other device
  • Listening on FortiWeb

6056    UDP
  • HA configuration synchronization (layer 2 multicast) from FortiWeb to other device
  • Listening on FortiWeb

8000    TCP        FSSO
  • Windows Active Directory Collector Agent for Fortinet Single Sign-On:
      • From Active Directory Collector to FortiGate
      • From FortiAuthenticator to FortiGate
      • From FortiGate to FortiAuthenticator

8001    TCP        SSO Mobility Agent
  • Passes user ID and IP address information from FortiClient to FortiAuthenticator (this functionality is not necessary for the completion of phase 1)

8002    TCP/UDP    FSSO
  • UDP (for plain traffic) or TCP (for encrypted traffic)
  • FortiAuthenticator listening for hierarchical FSSO information from a tier supplier

8003    TCP        FSSO
  • FortiAuthenticator listening for traffic from DC/TS agents carrying FSSO login information

8008    TCP
  • User authentication for policy override of HTTP traffic, listening on FortiGate

8009    TCP
  • FortiClient portal, listening on FortiGate 1000A, 3600A, and 5005FA2 only

8010    TCP
  • User authentication for policy override of HTTPS traffic from FortiClient to FortiGate (this port and IP address must be load balanced between all four FortiGate 1500Ds)

8333    TCP
  • Configuration replication from FortiWeb to other device
  • Listening on FortiWeb

8888    UDP
  • Application and signature update requests, FortiGuard AntiSpam or Web Filtering rating lookup requests and URL/AS rating requests:
      • FortiClient to FortiGuard
      • FortiGate to FortiGuard
      • FortiClient to FortiManager
      • FortiGate to FortiManager
  • FortiGuard server list:
      • FortiClient to FortiGuard
      • FortiGate to FortiGuard

8890    TCP
  • A/V, IPS signature, AntiSpam and Web Filtering update requests:
      • FortiGate to FortiManager
      • FortiManager to FortiGuard

8890    ETH        Layer 2 (Ethernet)
  • Between FortiGate and FortiManager for FortiGuard updates

8900    TCP
  • VPN settings distribution to authenticated FortiClient installations, from FortiClient to FortiGate

9443    UDP
  • AV/IPS push:
      • FortiGuard to FortiGate
      • FortiGuard to FortiManager
      • FortiManager to FortiGate

10443   TCP
  • Connection to SSL-VPN portals, listening on FortiGate

10151   TCP
  • Contract validation from FortiGate to FortiCloud
