Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- Wireless Controller
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: Interpreting TCP Ports FortiGate Li...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
| Description |
This article describes the purpose of the various open TCP sockets that FortiGate listens on, as shown in the output of the diagnose sys tcpsock command, and determines whether FortiGate responds to traffic directed to those listening ports. |
| Scope | FortiGate. |
| Solution |
The command 'diagnose sys tcpsock' only lists the the TCP socket information and the listed ports are the socket ports. FortiGate# diagnose sys tcpsock
The ports (10400, 10401, 10402, 10403, 10404) are internal to FortiOS for redirecting captive portal authentication requests of TELNET connections to authd daemon.
The ports (10500, 10501, 10502, 10503, 10504) are internal to FortiOS for redirecting SAML-based authentication requests of FortiClient remote access dialup IPsec VPN clients to authd daemon. SAML authentication traffic will first be received on the actual port configured in the system before being internally redirected to the above TCP ports.
The above TCP ports (10000, 10001, 10002, 10003, 10004) are internal to FortiOS for redirecting captive portal authentication requests of HTTP connections to authd daemon.
0.0.0.0:10100->0.0.0.0:0->state=listen err=0 socktype=4 rma=0 wma=0 fma=0 tma=0 inode=35058 process=206/authd
The ports (10100, 10101, 10102, 10103, 10104) are internal to FortiOS for redirecting captive portal authentication requests of HTTPS connections to authd daemon and FortiGate does not respond to traffic directed to these internal ports of authd daemon although the output shows the socket is listening.
0.0.0.0:10300->0.0.0.0:0->state=listen err=0 socktype=4 rma=0 wma=0 fma=0 tma=0 inode=33892 process=206/authd
The ports (10300, 10301, 10302, 10303,10304) are internal to FortiOS for redirecting captive portal authentication requests of FTP connections to authd daemon and FortiGate does not respond to traffic directed to these internal ports of authd daemon although the output shows the socket is listening. 0.0.0.0:1011->0.0.0.0:0->state=listen err=0 socktype=4 rma=0 wma=0 fma=0 tma=0 inode=35065 process=206/authd
The ports (1011, 1012, 1013, 1014, 1015, 1016) are internal to FortiOS for redirecting http(port 80) traffic from the quarantined list of users to authd daemon and FortiGate does not respond to traffic directed to these internal ports of authd daemon although the output shows the socket is listening (diagnose user quarantine list). 0.0.0.0:10200->0.0.0.0:0->state=listen err=0 socktype=4 rma=0 wma=0 fma=0 tma=0 inode=35123 process=206/authd 0.0.0.0:10201->0.0.0.0:0->state=listen err=0 socktype=4 rma=0 wma=0 fma=0 tma=0 inode=35124 process=328/authd
0.0.0.0:1004->0.0.0.0:0->state=listen err=0 socktype=4 rma=0 wma=0 fma=0 tma=0 inode=33566 process=207/foauthd
The ports 1004 and 1005 are internal to FortiOS for redirecting the HTTP/HTTPS port 8008/8010 connections to foauthd/wad daemon respectively to present UTM block/authentication pages. FortiGate does not respond to traffic directed to these internal ports of foauthd/wad daemon although the output shows the socket is listening.
set cache-mode ttl
0.0.0.0:10600->0.0.0.0:0->state=listen err=0 socktype=4 rma=0 wma=0 fma=0 tma=0 inode=37027 process=361/wad
The TCP ports are internal sockports to FortiOS and used by wad daemon for various traffic inspection purposes. FortiGate does not respond to traffic destined to these internal ports of wad daemon although the socket state indicates listening. 0.0.0.0:7824->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=37012 process=361/wad
TCP Port 7824, 853 are internal sockports for DNSoverTLS traffic destined to FortiGate. FortiGate may reply to TCP port 853 traffic only when there is an entry configured under #config system dns-server for DoH/DoT traffic. 0.0.0.0:22->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=37090 process=361/wad
FortiGate may respond to External traffic destined to SSH TCP Standard Port 22 only when SSH or SSH proxy inspection is enabled on WAN facing circuits/policies. 0.0.0.0:53->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=6713 process=244/dnsproxy
FortiGate responds to traffic destined to port53 when DNS service is enabled on the interface under #config system dns-server 0.0.0.0:4500->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=6620 process=223/iked
FortiGate responds to external traffic destined for TCP port 4500 when IPSec VPN is configured on WAN facing interfaces.
config system settings 0.0.0.0:910->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=24363 process=218/voipd
The TCP port 910 is internal to FortiOS and used during VOIP Inspection by voipd daemon when SIP ALG/VOIP profile is enabled in firewall policies. FortiGate does not respond to traffic destined to these internal ports of voipd daemon although the socket state indicates listening. 0.0.0.0:2000->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=24365 process=218/voipd
FortiGate external-facing interfaces may respond to traffic destined for port 2000 when a firewall policy allows this traffic, and SCCP/VOIP inspection is enabled in the VOIP profile.
config voip profile
The port 1007 is internal to FortiOS for redirecting the HTTP/HTTPS port 8015 connections to ipsmonitor/ipsengine for presenting UTM block/Authentication pages. FortiGate does not respond to traffic destined to this internal port of ipsengine although the socket state indicates listening. config webfilter fortiguard set cache-mode ttl
0.0.0.0:21->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=37085 process=361/wad
FortiGate does not respond to traffic destined to these internal ports of wad daemon although the socket state indicates listening- unless these ports are configured or enabled for other purposes, such as FortiGate GUI administration or FTP Virtual IP configuration. 0.0.0.0:1010->0.0.0.0:0->state=listen err=0 socktype=2 rma=0 wma=0 fma=0 tma=0 inode=37081 process=361/wad
In the context of diagnose sys tcpsock output, the TCP port 1010 is an internal socket port used during proxy based inspection 0.0.0.0:179->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=6938 process=176/bgpd
When BGP is configured/enabled, FortiGate will have an implict local in policy and an open socket listening on standard TCP port 179. 127.0.0.1:54100->0.0.0.0:0->state=listen err=0 socktype=1 rma=0 wma=0 fma=0 tma=0 inode=2220 process=247/fgfmd
By default, access to ZebOS shell through Telnet/SSH connections to 127.0.0.1 is blocked by FortiOS. The TCP port 54100 is an internal socket port used by FGFM daemon responsible for managing FortiGate-FortiManager connection. The fgfm protocol runs over SSL (Secure Sockets Layer) using TCP/541 for IPv4. FortiGate does not respond to traffic destined to this internal port (54100) of the fgfmd daemon even though the socket state indicates listening. |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.