matanaskovic
October 26, 2022

Technical Tip: Restrict FortiAuthenticator traffic to the Internet

Description
This article describes which ports and destinations FortiAuthenticator must be able to reach in order to communicate with the FortiGuard token services.

Scope
FortiAuthenticator 6.4.

Solution

FortiAuthenticator traffic to the Internet can be restricted to only the ports and destinations used by the FortiGuard token services.

For mobile and hardware tokens (local, not via FortiToken Cloud):

- activation/registration of soft tokens: fortitokenmobile.fortinet.com (443).
- activation/registration of hard tokens: update.fortiguard.net (443).
- push notification proxy: push.fortinet.com (443).
- push response: incoming, to whatever is configured in System Access.
- if sending activation tokens via FortiGuard SMS: msgctrl1.fortinet.com (443).

In addition, if a FortiGate is serving as the edge firewall, this restriction can be implemented with the Fortinet entries of the Internet Service Database:

 

Policy & Objects -> Internet Service Database -> Fortinet.

 


 

The Fortinet Internet Service Database entries can then be used as the destination of the firewall policy, which restricts FortiAuthenticator traffic to the Internet to those services only.
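As an added example (not part of this article and not Fortinet's own configuration), the following FortiOS 6.4 CLI shows the equivalent restriction built from the destinations listed above, using FQDN address objects instead of the Internet Service Database. It assumes the FortiAuthenticator is 192.0.2.10 on the interface "internal", that the Internet is reached via "wan1", and that all object and policy names are hypothetical; only the destination hostnames and port 443 come from the article.

```text
# Added example, not from the article. FortiOS 6.4 CLI.
# Assumptions: FortiAuthenticator = 192.0.2.10 (documentation range) on "internal",
# Internet via "wan1"; object and policy names are hypothetical.

# 1. Source address object for the FortiAuthenticator and one FQDN object per
#    FortiGuard token destination named in the article.
config firewall address
    edit "FAC-host"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "FAC-fortitokenmobile"
        set type fqdn
        set fqdn "fortitokenmobile.fortinet.com"
    next
    edit "FAC-update-fortiguard"
        set type fqdn
        set fqdn "update.fortiguard.net"
    next
    edit "FAC-push-proxy"
        set type fqdn
        set fqdn "push.fortinet.com"
    next
    edit "FAC-sms"
        set type fqdn
        set fqdn "msgctrl1.fortinet.com"
    next
end

# 2. Group the destinations so the policy stays readable when one is added or removed.
config firewall addrgrp
    edit "FAC-token-destinations"
        set member "FAC-fortitokenmobile" "FAC-update-fortiguard" "FAC-push-proxy" "FAC-sms"
    next
end

# 3. Allow only TCP/443 from the FortiAuthenticator to the grouped destinations, then an
#    explicit, logged deny for any other Internet traffic from the same host so that an
#    unexpected destination is visible in the traffic log. "edit 0" creates a new policy
#    with the next free ID; the deny is appended after the allow, which is the required order.
config firewall policy
    edit 0
        set name "FAC-allow-fortiguard-token"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "FAC-host"
        set dstaddr "FAC-token-destinations"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 0
        set name "FAC-deny-other-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "FAC-host"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The inbound push response from the list above is not covered here, because it terminates on whatever address and port is configured under System Access and needs its own inbound policy. To use the Internet Service Database instead of FQDN objects, replace the `set dstaddr` line of the allow policy with `set internet-service enable` and `set internet-service-name` pointing at the Fortinet entry found under Policy & Objects -> Internet Service Database -> Fortinet; the exact entry name is not given in the article, so take it from the GUI. FQDN objects depend on the FortiGate resolving the same names the FortiAuthenticator does, so both should use the same DNS servers.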

 

Related Articles:

https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/206267/introduction