FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
matanaskovic
Staff
Article Id 228016
Description: This article describes which ports and destinations FortiAuthenticator must use for communication with FortiGuard token services.
Scope: FortiAuthenticator 6.4.
Solution

FortiAuthenticator's traffic to the Internet can be restricted to only the ports and destinations used by the FortiGuard token services.

For mobile and hardware tokens (local, not via FortiToken Cloud):

- activation/registration soft token: fortitokenmobile.fortinet.com (443).
- activation/registration hard token: update.fortiguard.net (443).
- push notification proxy: push.fortinet.com (443).
- push response: incoming, to whatever is configured in System Access.
- if sending activation tokens via FortiGuard SMS: msgctrl1.fortinet.com (443).

In addition, if a FortiGate is serving as the edge firewall, the restriction can be implemented with the Fortinet entries of the Internet Service Database.

Policy & Objects -> Internet Service Database -> Fortinet.

The Fortinet Internet Service Database entries can be added to the firewall policy, which restricts FortiAuthenticator traffic to the Internet to those destinations.
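
Once the policy is in place, the egress it allows can be checked against the destination list above. The following is an added example, not Fortinet code: it audits accepted outbound records from the FortiAuthenticator against the hosts and ports named in this article. The FortiAuthenticator address (`192.0.2.10`), the simplified key=value log format and the sample records are assumptions constructed for illustration.

```python
# Added example: flag accepted FortiAuthenticator egress that falls outside
# the FortiGuard token-service destinations listed in this article.

ALLOWED = {
    ("fortitokenmobile.fortinet.com", 443),  # soft token activation/registration
    ("update.fortiguard.net", 443),          # hard token activation/registration
    ("push.fortinet.com", 443),              # push notification proxy
    ("msgctrl1.fortinet.com", 443),          # FortiGuard SMS, only if used
}

FAC_IP = "192.0.2.10"  # assumed FortiAuthenticator address (documentation range)

# Constructed sample records in a simplified key=value layout.
SAMPLE_LOG = """\
srcip=192.0.2.10 hostname=push.fortinet.com dstport=443 action=accept
srcip=192.0.2.10 hostname=update.fortiguard.net dstport=443 action=accept
srcip=192.0.2.10 hostname=example.org dstport=443 action=accept
srcip=192.0.2.10 hostname=push.fortinet.com dstport=80 action=accept
srcip=192.0.2.77 hostname=example.org dstport=443 action=accept
srcip=192.0.2.10 hostname=FortiTokenMobile.Fortinet.com. dstport=443 action=accept
srcip=192.0.2.10 hostname=example.net dstport=443 action=deny
"""


def parse(line):
    """Split one record into a dict of its key=value fields."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def unexpected_egress(log_text, fac_ip=FAC_IP, use_sms=True):
    """Return (host, port) pairs the FortiAuthenticator reached that are not allowed."""
    allowed = set(ALLOWED)
    if not use_sms:
        # Without FortiGuard SMS, the SMS destination should not be reachable either.
        allowed.discard(("msgctrl1.fortinet.com", 443))
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        # Only traffic that the firewall accepted from the FortiAuthenticator matters.
        if rec.get("srcip") != fac_ip or rec.get("action") != "accept":
            continue
        # Normalise case and a trailing dot before comparing host names.
        host = rec.get("hostname", "").rstrip(".").lower()
        port = int(rec.get("dstport", 0))
        if (host, port) not in allowed:
            findings.append((host, port))
    return findings


if __name__ == "__main__":
    for host, port in unexpected_egress(SAMPLE_LOG):
        print(f"unexpected egress: {host}:{port}")
```
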

 

Related Articles:

https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/206267/introduction