FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
dbu
Article Id 267850
Description This article describes all the services that are possible to enable on the FortiAuthenticator interface and why they are configured.
Scope FortiAuthenticator.
Solution

As a best practice, it is advised to enable only the services used. Here are the services possible to enable when FortiAuthenticator is configured to act as a server:

[Image: interfaceservices.PNG, the interface services configuration screen]

  • Self-service Portal (/login): Allows the self-service portal to be shown on this interface.
  • Guest Portals (/guests): Allows guest portals to be shown on this interface.
  • SAML IdP (/saml-idp): Enable when FortiAuthenticator is configured as an Identity Provider for SAML authentication (SAML IdP).
  • SAML SP SSO (/saml-sp, /login/saml-auth): Enable when FortiAuthenticator acts as a Service Provider (SP) to request user identity information from a third-party Identity Provider (IdP).
  • Kerberos SSO (/login/kerb-auth): Enable when the Kerberos user portal is configured for login.
    Kerberos authentication allows FortiAuthenticator to identify connecting users through a Kerberos exchange after a redirect from a FortiGate device.
  • SCEP (/cert/scep): Enable when certificate enrollment requests from SCEP clients are expected on this interface.
    FortiAuthenticator contains a Simple Certificate Enrollment Protocol (SCEP) server that can sign user CSRs and distribute CRLs and CA certificates.
  • CRL Downloads (/cert/crl): Allows the download of Certificate Revocation Lists.
  • FortiToken Mobile API (/api/v1/pushauthresp, /api/v1/transfertoken): The 'pushauthresp' API is used by FTM2 to send back the OTP for login verification. The 'transfertoken' API is used when migrating tokens.
  • OAuth Service (/api/v1/oauth, /api/v1/pushpoll, /guests, /portal): Enables OAuth service access. FortiAuthenticator can act as an authorization server that issues and manages OAuth access tokens via a set of REST API endpoints.

 

Ports used for Fortinet Single Sign-On (FSSO):

  • SAML IdP SSO (TCP/8143).
  • FortiGate FSSO (TCP/8000).
  • FortiClient FSSO (TCP/8001).
  • Hierarchical FSSO (TCP/8003).
  • DC/TS Agent FSSO (TCP/8002).

 

Known protocols and their ports:

  • RADIUS Accounting Monitor (UDP/1646): Used by older RADIUS accounting deployments; new deployments use port 1813.
  • RADIUS Auth (UDP/1812): Enable if RADIUS authentication services are offered. RADIUS encrypts only the user's password as it travels from the RADIUS client to the RADIUS server.
  • RADIUS Accounting SSO (UDP/1813): FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server or network device, such as a wireless controller, collects additional group information, and then inserts it into FSSO to be used by multiple FortiGate or FortiCache devices for identity-based policies.
  • RADSEC (TCP/2083): RADIUS Secure is a protocol for transporting RADIUS datagrams over TCP and TLS. Enable to configure secure communication of RADIUS packets over TLS.
  • TACACS+ Auth (TCP/49): Used when TACACS+ authentication is configured. TACACS+ encrypts all the information and therefore does not have the vulnerabilities present in the RADIUS protocol.
  • LDAP (TCP/389): Enable when a remote LDAP server for authentication has been configured.
  • LDAPS (TCP/636): Enable when secure LDAP (LDAP over TLS) has been configured.
  • OCSP (TCP/2560): Online Certificate Status Protocol (OCSP); enable when it is configured to check certificate status.
  • Syslog (UDP/514)
  • Syslog over TLS (TCP/6514)

Note that Syslog and Syslog over TLS options are only available if Syslog SSO has been enabled.

The FortiAuthenticator can parse username and IP address information from a syslog feed from a third-party device and inject this information into FSSO so it can be used in FortiGate identity-based policies.

 

Keep in mind:

  • A disabled service will not answer queries, as it is not active.
  • Enabling a service but leaving it unconfigured will make the service respond to queries, even with incorrect responses.
  • This consumes resources and may expose the device to attack.
  • For a detailed solution on best practices for hardening FortiAuthenticator, please refer to the following Knowledge Base article, which provides guidelines on securing FortiAuthenticator deployments: Hardening FortiAuthenticator
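As an added example (not from this article or from Fortinet), the following script checks the ports observed open on a FortiAuthenticator interface against the services that are meant to be enabled, using the port assignments listed above, so that a listener left enabled but unconfigured stands out. The scan record is a constructed nmap grepable-format (-oG) line and the host address is a placeholder.

```python
"""Audit observed listening ports against the FortiAuthenticator services
that are intended to be enabled (constructed example, not Fortinet code)."""
import re

# Service name -> (protocol, port), taken from the port lists in the article.
SERVICE_PORTS = {
    "SAML IdP SSO": ("tcp", 8143),
    "FortiGate FSSO": ("tcp", 8000),
    "FortiClient FSSO": ("tcp", 8001),
    "DC/TS Agent FSSO": ("tcp", 8002),
    "Hierarchical FSSO": ("tcp", 8003),
    "RADIUS Accounting Monitor": ("udp", 1646),
    "RADIUS Auth": ("udp", 1812),
    "RADIUS Accounting SSO": ("udp", 1813),
    "RADSEC": ("tcp", 2083),
    "TACACS+ Auth": ("tcp", 49),
    "LDAP": ("tcp", 389),
    "LDAPS": ("tcp", 636),
    "OCSP": ("tcp", 2560),
    "Syslog": ("udp", 514),
    "Syslog over TLS": ("tcp", 6514),
}
PORT_TO_SERVICE = {v: k for k, v in SERVICE_PORTS.items()}


def parse_open_ports(grepable_line):
    """Return {(proto, port)} reported open in one nmap -oG host line.
    Each entry is port/state/proto/owner/service/rpc/version; UDP ports are
    usually reported as 'open|filtered', which is treated as open here."""
    m = re.search(r"Ports: (.*?)(?:\t|$)", grepable_line)
    if not m:
        return set()
    found = set()
    for entry in m.group(1).split(", "):
        fields = entry.split("/")
        if len(fields) >= 3 and fields[1].startswith("open"):
            found.add((fields[2], int(fields[0])))
    return found


def audit(open_ports, intended_services):
    """Return (unexpected, missing): services listening that were not
    intended (the 'enabled but unconfigured' risk) and intended services
    that are not answering."""
    intended = {SERVICE_PORTS[s] for s in intended_services}
    unexpected = sorted(PORT_TO_SERVICE.get(p, f"unknown {p[0]}/{p[1]}")
                        for p in open_ports - intended)
    missing = sorted(PORT_TO_SERVICE[p] for p in intended - open_ports)
    return unexpected, missing


# Constructed scan of an interface meant to serve only RADIUS Auth and LDAPS.
SAMPLE_SCAN = ("Host: 192.0.2.10 ()\tPorts: 1812/open|filtered/udp//radius///, "
               "636/open/tcp//ldapssl///, 8000/open/tcp//fsso///, "
               "389/closed/tcp//ldap///\tIgnored State: closed (996)")

if __name__ == "__main__":
    unexpected, missing = audit(parse_open_ports(SAMPLE_SCAN), ["RADIUS Auth", "LDAPS"])
    print("unexpected listeners:", unexpected)  # FortiGate FSSO left enabled
    print("intended but not answering:", missing)
```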