Fortinet Open Ports


5/19/2018 Fortinet Open Ports

Ports used by Fortinet


Ports used by Fortinet
May 9, 2014

01-520-112804-20140509

Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation: docs.fortinet.com
Knowledge Base: kb.fortinet.com
Customer Service & Support: support.fortinet.com
Training Services: training.fortinet.com
FortiGuard: fortiguard.com
Document Feedback: [email protected]


Table of contents

Network Port Connectivity
    TCP/IP Port Basics
    Open Ports and Security
    Planning and Troubleshooting
Fortinet Port Numbers Diagram
Table of TCP/UDP Ports used by Fortinet Products and Services


TCP/UDP Ports used by Fortinet Products and Services

Network Port Connectivity

In network security, an open port typically refers to the TCP or UDP port number that is configured by an application to listen for specific protocols. Using open ports allows remote clients to access network resources, but if a port is not open, services behind that port will be unreachable. This is known as a closed port.

TCP/IP Port Basics

In TCP/IP, the network communication session between two devices starts and ends with a TCP, UDP, or SCTP port. Fortinet devices do not communicate using SCTP, so we will concentrate on the TCP and UDP ports.

The starting port of a session is usually referred to as the Source Port and the port at the far end is referred to as the Destination Port. It is also referred to as the Listening Port, because it is configured to listen for any traffic being directed to that port number. Both TCP and UDP ports can send and receive data, but not simultaneously.

In order to avoid confusion, some ports are considered 'standard' in that they listen for the traffic of commonly used protocols. If you wish to use non-standard ports for such commonly used protocols, then you must perform additional manual configuration. Because standard ports are used to listen to specific types of traffic, and because those same ports cannot also be used to send traffic, the Source Port is usually assigned a random port number that is not a standard port used for listening. For example, Port 80 is the standard port listening for HTTP traffic. Since most networked devices have HTTP traffic going in and out, a randomly assigned port between 1025 and 65535 is opened and used as the Source Port. Ports 1 through 1024 are set aside because most of the commonly used ports are identified in this range.

At its simplest, a port has one of three states:

1. A port can be open and listening for traffic.
2. A port can be closed, potentially waiting to be used as a source port (if it is not between 1 and 1024).
3. A port can be active, sending out traffic as a Source Port.

Open Ports and Security

In order for a networked device to be ready to receive traffic from allowed sources, it has to open up ports for that traffic. If all of the ports are left open, communication with the device is easy and unobstructed. This is troubling because others can see those open ports as well. The services on a fully open network are exposed to external scrutiny, such as port-scanning software that probes those ports for exploitable services. This is extremely undesirable.

It is common in network security for all network ports to be closed, except for those required for specific services, such as FTP or web pages. As an administrator, it is your responsibility to ensure that all of the necessary ports are open and that all of the unnecessary ports are closed.


Planning and Troubleshooting

The purpose of this document is primarily to assist in planning and troubleshooting. While every network is different, this document should help determine which ports need to be open on your network so that communication and traffic to and from Fortinet devices, especially those which enhance the performance of your environment, are not impeded. In addition, if you are experiencing connectivity issues, this guide can assist in troubleshooting the possible areas where traffic is inadvertently blocked. Due to the nature of firewalls, any ports or services that are not expressly permitted will be blocked. As such, it is useful to have an idea of which ports and services you may want open, with appropriate restrictions of course.

The guide also contains a one-page diagram of network port connectivity for a quick reference print-out. Refer to the following table for more information, including explanations of each port, the protocol in question, the application and its function, and most importantly the devices involved.

Fortinet Port Numbers Diagram

[One-page diagram of network port connectivity; not reproduced in this transcript.]

Table of TCP/UDP Ports used by Fortinet Products and Services

Each entry gives the Destination Port, Protocol(s) and Application(s) on its first line, followed by the Function(s) on the indented lines.

21 TCP FTP
    Log and Report uploads from FortiAnalyzer
    Anti-defacement backup and restoration (FTP). Listening on FortiWeb
    FTP configuration backup from FortiWeb to other device

22 TCP SSH
    SSH command line based management from Admin Workstation to Fortinet Device

22 TCP FTP over SSH
    Log and Report uploads to and from FortiCloud, and to and from FortiAnalyzer
    Anti-defacement backup and restoration (SSH/SCP) from FortiWeb to other device
    SFTP configuration backup from FortiWeb to other device

23 TCP Telnet
    Telnet command line based management from Admin Workstation to Fortinet devices
    HA (FGCP) between HA FortiGates

25 TCP SMTP
    Alert Emails from FortiAnalyzer, FortiGate and FortiWeb to SMTP Mail Server
    Encrypted Virus Samples auto submitted to FortiGuard

49 TCP TACACS+
    TACACS+ from FortiAnalyzer

53 UDP DNS
    DNS Lookups to DNS Servers and to FortiGuard

53 UDP Fortinet Queries
    FortiGuard Server List requests to FortiGuard
    AntiSpam or Web Filtering rating lookup queries to FortiGuard
    URL/AS rating lookup queries to FortiGuard
    Real-time Black List (RBL) lookup requests to RBL services

67 UDP DHCP
    DHCP to and from FortiGate

68 UDP DHCP Relay
    DHCP Relay to and from FortiGate

69 UDP TFTP
    TFTP for backups, restoration, and firmware updates from FortiWeb to other device

80 TCP
    Default unsecure Web-based Management of Fortinet Device, from Admin Workstation to FortiAnalyzer, FortiAuthenticator, FortiGate, FortiManager and FortiWeb

80 TCP HTTP
    Proxied HTTP traffic from FortiGate

80 TCP HTTP
    Fortinet Device Registration to FortiGuard
    AV update requests from FortiClient to FortiManager
    Server health checks from FortiWeb to other device
    Predefined HTTP service. Only occurs if the service is used by a policy, listening on FortiWeb

80 TCP Simple Certificate Enrollment Protocol (SCEP)
    Issuing and revocation of digital certificates. Listening on FortiAuthenticator

88 TCP Kerberos
    Account Authentication traffic from FortiAuthenticator to Active Directory Controllers

123 UDP NTP
    Time Synchronization from Fortinet Device to NTP Server

135 TCP Client/Server (WMI, SEL)
    FortiAuthenticator to Active Directory Controllers

137 UDP
    Win Share to and from FortiAnalyzer (Not supported in FAZ v5.0/5.2)
    Anti-defacement backup and restoration (Windows-style share) from FortiWeb to other device

138 UDP
    Win Share to and from FortiAnalyzer (Not supported in FAZ v5.0/5.2)
    Anti-defacement backup and restoration (Windows-style share) from FortiWeb to other device

139 TCP/UDP NetBIOS
    Win Share to and from FortiAnalyzer (Not supported in FAZ v5.0/5.2)
    Anti-defacement backup and restoration (Windows-style share) from FortiWeb to other device

161 UDP Simple Network Management Protocol (SNMP)
    SNMP Poll from FortiManager to FortiGate
    Listening on FortiAuthenticator
    Listening on FortiWeb

162 UDP Simple Network Management Protocol (SNMP) Traps
    To SysLog server, to FortiAnalyzer and to FortiManager

389 TCP/UDP LDAP
    LDAP Lookups, Authentication Requests and Report queries; PKI Authentication
    To Active Directory Domain Controllers, to FortiAuthenticator and to LDAP Server

443 TCP HTTPS
    Default Secure Web-based Management of Fortinet Device, from Admin Workstation to Fortinet Device
    Firmware and Signature Downloads from FortiGuard
    FGD SMS to FortiGuard
    FC FTM to FortiGuard
    FC Licensing to FortiGuard
    Policy Override Auth to FortiGuard
    AntiVirus/IPS updates to FortiGuard
    URL/AS update requests to FortiGuard
    Remote Vulnerability Scan updates to FortiGuard
    Device Registration requests to FortiGuard
    Server health checks from FortiWeb to other devices
    Proxied HTTPS traffic from FortiGate to Proxy Server
    FSSO Portal and Widget traffic

443 TCP Representational State Transfer (REST) API / HTTP
    Listening on FortiAnalyzer

445 TCP Microsoft-DS (Active Directory, Windows shares)
    Domain Controller Polling from FortiAuthenticator to Active Directory Domain Controller
    Listening on FortiAnalyzer
    NTLM authentication queries
    Anti-defacement backup and restoration (Windows-style share) from FortiWeb to other device

500 UDP IPsec
    Secure SNMP over IPsec connection from FortiGate to FortiAnalyzer

514 TCP/UDP Syslog messages
    OFTP Device Registration from FortiManager to FortiAnalyzer and from FortiGate to FortiAnalyzer
    Quarantined files to FortiAnalyzer
    Logs and Reports to SysLog server, FortiAnalyzer, FortiCloud and FortiManager
    OFTP for file submission and statistics exchange between FortiGate and FortiSandbox (FortiCloud)

520 UDP Routing Information Protocol (RIP)
    Listening on FortiGate

541 TCP Device Registration
    Central Management from FortiManager
    SSL Management Tunnel to FortiCloud

636 TCP Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
    Encrypted LDAP authentication traffic from Fortinet Devices to Active Directory Domain Controllers and to LDAP servers (including FortiAuthenticator)

703 TCP FGCP
    L2 HA Heartbeat between HA FortiGates

1000 TCP
    Policy Override Keepalive listening on FortiGate (closed by default, but can be enabled)

1003 TCP
    Policy Override Keepalive listening on FortiGate (closed by default, but can be enabled)

1812 TCP RADIUS
    RADIUS Authentication Requests to FortiAuthenticator and to RADIUS Server

1813 UDP RADIUS
    RADIUS Accounting to FortiAuthenticator

2049 TCP NFS
    Network File System listening on FortiAnalyzer (Not supported in FAZ v5.0/5.2)

2302 TCP
    HTTP or HTTPS administrative access to web-based manager's CLI dashboard widget (v3.0 MR5 only)
    Listening on FortiAnalyzer
    Listening on FortiGate

2560 TCP Online Certificate Status Protocol (OCSP)
    Obtaining the revocation status of an X.509 digital certificate, listening on FortiAuthenticator

3000 TCP
    Log aggregation listening on FortiAnalyzer (log aggregation server support requires model FortiAnalyzer 800 or greater)

3306 TCP
    Remote MySQL database connection listening on FortiAnalyzer

3784 UDP BFD
    Listening on FortiGate

4500 UDP IPsec
    Secure SNMP over IPsec connection from FortiGate to FortiAnalyzer and from FortiGate to FortiManager

5199 TCP
    HA Heartbeat or synchronization listening on FortiManager

6055 UDP
    HA heartbeat (Layer 2 multicast) from FortiWeb to other device; listening on FortiWeb

6056 UDP
    HA configuration synchronization (Layer 2 multicast) from FortiWeb to other device; listening on FortiWeb

8000 TCP FSSO
    Windows Active Directory Collector Agent for Fortinet Single Sign-On
    From Active Directory Collector to FortiGate
    From FortiAuthenticator to FortiGate
    From FortiGate to FortiAuthenticator

8001 TCP SSO Mobility Agent
    Passes userid and IP address information from FortiClient to FortiAuthenticator (this functionality is not necessary for the completion of phase 1)

8002 TCP/UDP FSSO
    UDP (for plain traffic) or TCP (for encrypted traffic). FortiAuthenticator listening for Hierarchical FSSO Info from Tier Supplier

8003 TCP FSSO
    FortiAuthenticator listening for traffic from DS/TS Agents with FSSO Login information

8008 TCP
    User authentication for policy override of HTTP traffic, listening on FortiGate

8009 TCP
    FortiClient Portal listening on FortiGate 1000A, 3600A, and 5005FA2 only

8010 TCP
    User authentication for policy override of HTTPS traffic from FortiClient to FortiGate (this port and IP address must be load balanced between all four FortiGate 1500Ds)

8333 TCP
    Configuration replication from FortiWeb to other device; listening on FortiWeb

8888 UDP
    Application and Signature update requests, FortiGuard AntiSpam or Web Filtering rating lookup requests and URL/AS Rating requests: FortiClient to FortiGuard, FortiGate to FortiGuard, FortiClient to FortiManager, FortiGate to FortiManager
    FortiGuard Server List: FortiClient to FortiGuard, FortiGate to FortiGuard

8890 TCP
    A/V, IPS signature, AntiSpam and Web Filtering update requests: FortiGate to FortiManager, FortiManager to FortiGuard

8890 ETH Layer 2
    Between FortiGate and FortiManager for FortiGuard Updates

8900 TCP
    VPN Settings distribution to authenticated FortiClient installations, FortiClient to FortiGate

9443 UDP
    AV/IPS Push: FortiGuard to FortiGate, FortiGuard to FortiManager, FortiManager to FortiGate

10443 TCP
    Connection to SSL-VPN Portals, listening on FortiGate

10151 TCP
    Contract validation from FortiGate to FortiCloud
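The planning and troubleshooting use of this table, as an added Python example that is not part of the Fortinet document: it compares a constructed scan of one device's listening ports against a hand-picked subset of the table above and reports documented listeners that are unreachable (likely blocked by a firewall or disabled) and open ports that no table entry explains. The Listener record, the EXPECTED subset and the SCAN text are all constructed for this example.

```python
"""Audit a Fortinet device's observed listeners against the document's table.
Added example, not part of the Fortinet document: EXPECTED is a hand-picked
subset of the 'Ports used by Fortinet' table and SCAN is constructed data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Listener:
    port: int
    proto: str              # "tcp" or "udp"
    device: str             # product that listens on the port
    purpose: str            # function, paraphrased from the table
    optional: bool = False  # closed by default, may be enabled

# Constructed subset of the document's table (listening side only).
EXPECTED = (
    Listener(22, "tcp", "FortiGate", "SSH command line management"),
    Listener(443, "tcp", "FortiGate", "HTTPS web-based management"),
    Listener(541, "tcp", "FortiGate", "central management from FortiManager"),
    Listener(703, "tcp", "FortiGate", "FGCP L2 HA heartbeat"),
    Listener(1000, "tcp", "FortiGate", "policy override keepalive", True),
    Listener(10443, "tcp", "FortiGate", "SSL-VPN portal"),
    Listener(514, "udp", "FortiAnalyzer", "syslog messages"),
)

def parse_scan(text):
    """Parse constructed 'PORT/PROTO open ...' lines into a set of (port, proto)."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "open" and "/" in parts[0]:
            port, proto = parts[0].split("/", 1)
            found.add((int(port), proto.lower()))
    return found

def audit(device, observed, enabled_optional=frozenset()):
    """Return (missing, unexpected) for one device: documented listeners that
    were not seen (likely blocked or disabled) and seen listeners that no
    table entry, or no deliberately enabled optional entry, explains."""
    table = {(e.port, e.proto): e for e in EXPECTED if e.device == device}
    required = {k for k, e in table.items() if not e.optional}
    allowed = required | (set(enabled_optional) & set(table))
    missing = {k: table[k].purpose for k in sorted(required - observed)}
    return missing, sorted(observed - allowed)

# Constructed scan of a FortiGate: 80/tcp has no entry in the subset, 1000/tcp
# is open without having been enabled, and 541/tcp is not reachable.
SCAN = """22/tcp open ssh
80/tcp open http
443/tcp open https
703/tcp open unknown
1000/tcp open unknown
10443/tcp open unknown
"""
```

Running `audit("FortiGate", parse_scan(SCAN))` flags 541/tcp as missing and 80/tcp and 1000/tcp as unexpected; passing `enabled_optional={(1000, "tcp")}` clears the keepalive port once it has been deliberately enabled.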
