heng (Staff)
January 25, 2022

Technical Tip: How to change TLS version for incoming port TCP/8888, TCP/8890, TCP/8891 and TCP/8900

Description

This article describes how to change the TLS version for the incoming listening port TCP/8888, TCP/8890, TCP/8891 and TCP/8900 in FortiManager and FortiAnalyzer (if applicable).

TCP/8888: For FortiGate Web Filter queries, AV & IPS updates.

TCP/8890: For FortiGate registration for license validation and UTM updates (AV, IPS).

TCP/8891: FortiManager listens to FortiGuard for FortiClient AV/IPS database and Web Filter database updates.

TCP/8900: For FortiGate FortiGuard Web Filter and Email Filter.

These ports apply only when FortiManager is acting as a local FortiGuard server.

https://docs.fortinet.com/document/fortimanager/7.0.0/fortimanager-ports/465971/incoming-ports 

Scope  
Solution

By default, all of the listed listening ports are set to TLSv1.2. To change those ports to a different TLS version, set it via the CLI as follows; the example below is based on version 7.0.

# config fmupdate fds-setting
    set fds-ssl-protocol <version>
        sslv3     set SSLv3 as the lowest version.
        tlsv1.0   set TLSv1.0 as the lowest version.
        tlsv1.1   set TLSv1.1 as the lowest version.
        tlsv1.2   set TLSv1.2 as the lowest version (default).
        tlsv1.3   set TLSv1.3 as the lowest version.
end

Note:

fds-ssl-protocol: the SSL/TLS protocol version for receiving FortiGate connections (default = tlsv1.2). The value is a floor: the listeners accept the configured version and every newer one, so lowering it re-enables older protocols rather than replacing TLSv1.2.
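To check that the configured floor is what you expect, the following added example (not Fortinet code; the host name, sample CLI output and port descriptions are constructed for illustration) parses `show fmupdate fds-setting` output, lists which protocol versions the FortiGuard ports will still accept under that floor, and can probe a live port by attempting one handshake per TLS version to find the lowest one the listener negotiates.

```python
import re
import socket
import ssl
from typing import List, Optional

# fds-ssl-protocol options from the article, ordered oldest to newest.
FDS_PROTOCOLS = ["sslv3", "tlsv1.0", "tlsv1.1", "tlsv1.2", "tlsv1.3"]

# Incoming FortiGuard-server ports from the article (descriptions abbreviated).
FDS_PORTS = {8888: "Web Filter / AV / IPS", 8890: "registration + UTM updates",
             8891: "FortiClient AV/IPS + Web Filter DB", 8900: "Web Filter + Email Filter"}

# Constructed sample of 'show fmupdate fds-setting' output with the floor lowered.
SAMPLE_CLI = "config fmupdate fds-setting\n    set fds-ssl-protocol tlsv1.0\nend\n"


def parse_fds_ssl_protocol(cli_output: str) -> str:
    """Return the configured fds-ssl-protocol, or the documented default when unset."""
    m = re.search(r"^\s*set fds-ssl-protocol\s+(\S+)", cli_output, re.MULTILINE)
    return m.group(1).lower() if m else "tlsv1.2"


def accepted_versions(lowest: str) -> List[str]:
    """The setting is a floor: every version at or above it is negotiable."""
    if lowest not in FDS_PROTOCOLS:
        raise ValueError(f"unknown fds-ssl-protocol value: {lowest}")
    return FDS_PROTOCOLS[FDS_PROTOCOLS.index(lowest):]


def weak_versions_enabled(lowest: str, policy_floor: str = "tlsv1.2") -> List[str]:
    """Versions the listeners would accept that fall below the policy floor."""
    limit = FDS_PROTOCOLS.index(policy_floor)
    return [v for v in accepted_versions(lowest) if FDS_PROTOCOLS.index(v) < limit]


# Python's ssl module does not model SSLv3, so only the TLS versions can be probed.
_TLS_VERSIONS = {"tlsv1.0": ssl.TLSVersion.TLSv1, "tlsv1.1": ssl.TLSVersion.TLSv1_1,
                 "tlsv1.2": ssl.TLSVersion.TLSv1_2, "tlsv1.3": ssl.TLSVersion.TLSv1_3}


def probe_lowest_accepted(host: str, port: int, timeout: float = 5.0) -> Optional[str]:
    """Attempt one handshake per TLS version, pinned to that version; return the lowest that succeeds."""
    for name, ver in _TLS_VERSIONS.items():
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # testing protocol, not the cert
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return name
        except (ssl.SSLError, OSError, ValueError):  # refused version, or local OpenSSL lacks it
            continue
    return None
```

A local OpenSSL built without TLS 1.0/1.1 makes those probes fail on the client side, so treat a `None` or higher-than-expected result from `probe_lowest_accepted` as something to confirm with `show fmupdate fds-setting` rather than as proof the old versions are disabled.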