FortiGate
mturic
Staff
Article Id 194130

Description

The FSSO (Fortinet Single Sign-On) Collector Agent is integral to Fortinet's Single Sign-On mechanism. Understanding the TCP and UDP ports it uses is essential for configuring firewall rules, troubleshooting connectivity issues, and ensuring seamless network operations.

This list applies to FSSO Collector Agent software version 5.0.0276 and later unless otherwise noted.


Note: Starting with FSSO Agent version 5.0.297 and onward, secure communication can be configured between the DC Agent and the Collector Agent. See the following Fortinet Community KB article for more information: Technical Tip: FSSO - Enabling Secure communication between Collector Agent and DC Agent.

For open ports of FortiGate and other products see FortiGate open ports.

For more configuration on FortiGate, see this section of the documentation.


Scope

FortiGate.

Solution

Inbound:

UDP/8002 – DC Agent keepalive and push logon info to Collector Agent
TCP/8003 – DC Agent keepalive and push logon info to Collector Agent (SSL enabled/secure)
TCP/8001 – FortiGate to FSSO Collector Agent connection (SSL)
TCP/8000 – FortiGate to FSSO Collector Agent connection
TCP/8000 – NTLM

Outbound:

TCP/135, TCP/139, UDP/137 – Workstation check, polling mode (fallback method)
TCP/445 – Remote access to logon events, Workstation check (remote registry)
TCP/389 – Group lookup using LDAP
TCP/636 – Group lookup using LDAPS
TCP/3268 – Group lookup using LDAP with global catalog
TCP/3269 – Group lookup using LDAPS with global catalog
UDP/53 – DNS for resolving hostnames of the logon events

Be sure that the Windows Firewall on the server running the FSSO Collector Agent allows inbound connections to the agent on the inbound ports listed above.

To test the connection from a FortiGate, run the following commands:

diag debug enable
diag debug auth fsso server
exec telnet <CollectorAgentIP> 8000


To validate the connection between FortiGate and the FSSO Collector Agent:

  1. Activate debugging with: diag debug enable
  2. Focus on FSSO server debugging: diag debug auth fsso server
  3. Attempt a connection: exec telnet <CollectorAgentIP> 8000
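The telnet test above exercises the FortiGate to Collector Agent direction only. The following PowerShell is an added example for this article, not Fortinet-provided code, and covers the other side from the Collector Agent host: it confirms the agent is listening on the inbound ports from the list, then probes each outbound TCP port against every domain controller. The domain controller names are placeholders; Test-NetConnection -Port probes TCP only, so the UDP ports are noted rather than probed.

```powershell
# Added example, not part of the KB article. Run on the FSSO Collector Agent host.
# Domain controller names are placeholders; replace with your own.
$DomainControllers = @('dc1.example.internal', 'dc2.example.internal')

# 1) Is the Collector Agent listening on the inbound ports from the article?
$inboundTcpPorts = @(8000, 8001, 8003)
$listenTcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $inboundTcpPorts } |
    Select-Object LocalAddress, LocalPort, OwningProcess
$listenUdp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq 8002 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
'Listening TCP (expect 8000, 8001, 8003):'; $listenTcp | Format-Table -AutoSize
'Listening UDP (expect 8002):';             $listenUdp | Format-Table -AutoSize

# 2) Outbound TCP ports from the article, probed against each domain controller
$outboundTcp = @(
    @{ Port = 135;  Purpose = 'Workstation check, polling mode (RPC)' },
    @{ Port = 139;  Purpose = 'Workstation check, polling mode (NetBIOS session)' },
    @{ Port = 445;  Purpose = 'Logon events and remote registry (SMB)' },
    @{ Port = 389;  Purpose = 'Group lookup (LDAP)' },
    @{ Port = 636;  Purpose = 'Group lookup (LDAPS)' },
    @{ Port = 3268; Purpose = 'Group lookup (LDAP, global catalog)' },
    @{ Port = 3269; Purpose = 'Group lookup (LDAPS, global catalog)' }
)

function Test-FssoOutbound {
    param([string[]]$Targets, [hashtable[]]$Ports)
    foreach ($t in $Targets) {
        foreach ($p in $Ports) {
            # Test-NetConnection opens a TCP connection; TcpTestSucceeded is the verdict
            $r = Test-NetConnection -ComputerName $t -Port $p.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Target    = $t
                Port      = $p.Port
                Reachable = $r.TcpTestSucceeded
                Purpose   = $p.Purpose
            }
        }
    }
}

Test-FssoOutbound -Targets $DomainControllers -Ports $outboundTcp | Format-Table -AutoSize

# UDP/137 (NetBIOS name service) and UDP/53 (DNS) are not probed: Test-NetConnection -Port
# is TCP only. Name resolution, which the agent needs for logon-event hostnames, can be
# checked directly against the resolver the host is configured to use:
foreach ($dc in $DomainControllers) {
    Resolve-DnsName -Name $dc -Type A -ErrorAction Continue | Select-Object Name, IPAddress
}
```

A port that shows Reachable = False on every domain controller usually points at a firewall between the Collector Agent host and the DCs; one that fails on a single DC points at that server's own host firewall or a service that is not listening there.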

Security Considerations:

  • Ensure only trusted entities have communication access on these ports.
  • Regularly monitor and audit traffic for anomalies.
  • Utilize secure connections (like LDAPS) wherever possible for enhanced security.
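One way to carry out the Windows Firewall step above and the first security consideration (only trusted entities on these ports) is to scope the inbound rules on the Collector Agent host to the addresses that actually need them: the FortiGate units on TCP/8000 and TCP/8001, and the domain controllers running the DC Agent on UDP/8002 and TCP/8003. The following PowerShell is an added example for this article, not Fortinet-provided code; it assumes the NetSecurity cmdlets available on Windows Server, and the IP addresses and the Domain firewall profile are placeholders to adjust for your environment.

```powershell
# Added example, not part of the KB article. Run elevated on the FSSO Collector Agent host.
# Placeholder addresses: replace with the FortiGate units and DC Agent hosts in your network.
$FortiGates   = @('192.0.2.10', '192.0.2.11')
$DCAgentHosts = @('192.0.2.20', '192.0.2.21')

# Inbound ports from the article, grouped by the peer that is allowed to reach them
$inboundFromFortiGate = @(
    @{ Protocol = 'TCP'; Port = 8000; Note = 'FortiGate to Collector Agent (plain) and NTLM' },
    @{ Protocol = 'TCP'; Port = 8001; Note = 'FortiGate to Collector Agent (SSL)' }
)
$inboundFromDCAgent = @(
    @{ Protocol = 'UDP'; Port = 8002; Note = 'DC Agent keepalive and logon push' },
    @{ Protocol = 'TCP'; Port = 8003; Note = 'DC Agent keepalive and logon push (SSL)' }
)

function Add-FssoInboundRule {
    param([string]$Protocol, [int]$Port, [string[]]$RemoteAddress, [string]$Note)
    $name = "FSSO Collector Agent $Protocol/$Port"
    # Replace any rule of the same name first so the script can be rerun safely
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    # -RemoteAddress is what limits the rule to trusted peers instead of any source
    New-NetFirewallRule -DisplayName $name -Description $Note `
        -Direction Inbound -Protocol $Protocol -LocalPort $Port `
        -RemoteAddress $RemoteAddress -Action Allow -Profile Domain | Out-Null
}

foreach ($r in $inboundFromFortiGate) { Add-FssoInboundRule @r -RemoteAddress $FortiGates }
foreach ($r in $inboundFromDCAgent)   { Add-FssoInboundRule @r -RemoteAddress $DCAgentHosts }

# Review the result: each rule should list only the intended remote addresses
Get-NetFirewallRule -DisplayName 'FSSO Collector Agent *' | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    $addrFilter = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Protocol      = $portFilter.Protocol
        LocalPort     = $portFilter.LocalPort
        RemoteAddress = ($addrFilter.RemoteAddress -join ', ')
        Enabled       = $_.Enabled
    }
} | Format-Table -AutoSize
```

If the Collector Agent host sits on a network the firewall classifies under a different profile, change -Profile accordingly; a rule bound to the wrong profile is never evaluated, which shows up as the FortiGate telnet test failing even though the rule exists.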

Always keep the FSSO Collector Agent and FortiGate firmware up-to-date to benefit from the latest security patches and feature enhancements. Regularly reviewing and updating firewall and port configurations will ensure optimal operation and security.