Technical Tip: FortiGate listening port (Tcp/8900) VPN settings distribution to authenticated FortiClient installations
Description
- Usage of Tcp/8900 on FortiGate.
- Method to show the listening port on FortiGate and configuration.
- Method to disable the port Tcp/8900.
Solution
FortiGate listens on port Tcp/8900 when it is configured with VPN IPSEC FortiClient, in order to distribute VPN settings to authenticated FortiClient installations.
To check if the firewall is configured with VPN IPSEC FortiClient:
# show vpn ipsec forticlient

To show the listening port Tcp/8900 on FortiGate:
# diagnose sys tcpsock | grep 8900

Sample output:
0.0.0.0:8900->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0

To disable the port Tcp/8900 (only if VPN settings distribution to authenticated FortiClient installations is not required):
# config vpn ipsec forticlient
    delete <realm name>
end

Related document:
https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/227667/vpn-ipsec-forticlient
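The following is an added example and is not part of the Fortinet article: a small Python parser for the socket-list format printed by "diagnose sys tcpsock", run over constructed sample lines (not captured from a real unit). It reports whether Tcp/8900 has a listener bound to a wildcard address, counts established sessions on that port, and shows why a plain "grep 8900" can also match unrelated sockets, such as a connection whose remote port is 58900. The function names and the sample output are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the style of `diagnose sys tcpsock` (not real device output).
SAMPLE_TCPSOCK = """\
0.0.0.0:8900->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
0.0.0.0:443->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
192.0.2.1:8900->198.51.100.7:51234->state=established err=0 sockflag=0x0 rma=0 wma=0 fma=0 tma=0
127.0.0.1:8900->0.0.0.0:0->state=listen err=0 sockflag=0x1 rma=0 wma=0 fma=0 tma=0
10.0.0.5:443->203.0.113.9:58900->state=established err=0 sockflag=0x0 rma=0 wma=0 fma=0 tma=0
"""

# Local addresses that mean "listen on every interface".
WILDCARD_ADDRS = {"0.0.0.0", "::"}


@dataclass
class TcpSock:
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str
    attrs: Dict[str, str] = field(default_factory=dict)  # err=, sockflag=, rma=, ...


def _split_endpoint(endpoint: str):
    """Split 'addr:port' (IPv4 or bracketed IPv6) on the last colon."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_tcpsock(text: str) -> List[TcpSock]:
    """Parse lines of the form LOCAL->REMOTE->state=... key=value ... into records."""
    socks: List[TcpSock] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split("->", 2)
        if len(parts) != 3:
            continue  # skip prompts or other non-socket lines
        laddr, lport = _split_endpoint(parts[0])
        raddr, rport = _split_endpoint(parts[1])
        attrs: Dict[str, str] = {}
        for token in parts[2].split():
            key, _, value = token.partition("=")
            attrs[key] = value
        state = attrs.pop("state", "")
        socks.append(TcpSock(laddr, lport, raddr, rport, state, attrs))
    return socks


def grep_lines(text: str, needle: str) -> List[str]:
    """Substring match, equivalent to piping the output through grep."""
    return [line for line in text.splitlines() if needle in line]


def listeners_on(socks: List[TcpSock], port: int) -> List[TcpSock]:
    """Sockets in state=listen whose local port is exactly `port`."""
    return [s for s in socks if s.local_port == port and s.state == "listen"]


def wildcard_listener(socks: List[TcpSock], port: int) -> bool:
    """True if `port` is listening on all interfaces (0.0.0.0 or ::)."""
    return any(s.local_addr in WILDCARD_ADDRS for s in listeners_on(socks, port))


def established_on(socks: List[TcpSock], port: int) -> List[TcpSock]:
    """Established sessions terminating on local port `port`."""
    return [s for s in socks if s.local_port == port and s.state == "established"]


def report(text: str, port: int = 8900) -> Dict[str, int]:
    """Summarise exposure of `port`, contrasting grep hits with exact-port matches."""
    socks = parse_tcpsock(text)
    return {
        "grep_hits": len(grep_lines(text, str(port))),
        "listeners": len(listeners_on(socks, port)),
        "wildcard_listener": int(wildcard_listener(socks, port)),
        "established": len(established_on(socks, port)),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_TCPSOCK).items():
        print(f"{key}: {value}")
```

The exact-port check is what to rely on: in the sample, grep returns four lines for "8900" while only three sockets actually use local port 8900, and only one of the two listeners is bound to 0.0.0.0. After running the "delete <realm name>" step from the article, re-running "diagnose sys tcpsock" should show no listener on that port.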
Related Articles
Technical Note: Traffic Types and TCP/UDP Ports used by Fortinet Products