DescriptionThis article describes how to allow FSSO ports when using Windows Server 2008 and later version. A new feature was implemented in Windows Server 2008 called 'Windows Firewall with Advanced Security'. This feature can sometimes block the FSSO ports from passing the traffic to the FortiGate.Solution
TCP port 8000 and UDP 8002 should be allowed either via the GUI or by command line.
1) Using the GUI:
Go to Start Menu -> Control Panel -> Administrative Tools -> Windows Firewall with Advanced Security
2) Using the command line:
For Inbound Traffic:
C:\>netsh advfirewall firewall add rule
name="FSSO_TCP_8000" dir=in action=allow protocol=TCP
localport=8000
C:\>netsh advfirewall firewall add rule
name="FSSO_UDP_8002" dir=in action=allow protocol=UDP
localport=8002
For Outbound Traffic:
C:\>netsh advfirewall firewall add rule
name="FSSO_TCP_8000" dir=out action=allow protocol=TCP
localport=8000
C:\>netsh advfirewall firewall add rule
name="FSSO_UDP_8002" dir=out action=allow protocol=UDP
localport=8002
|
After having added in the ports, either via GUI or by command line, the following entries should be seen:


NOTE: If these ports are changed in GUI of Collector Agent(s) default port for FSSO - TCP 8000 needs to be changed in CLI in FortiOS. Reflect these changes in Windows firewall too.
CLI command to change default TCP 8000 in FortiOS are as follows:
config user fsso
edit fsso_server
set port <-- Enter an integer value from <1> to <65535> (default = <8000>)
end