FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 194130



The FSSO (Fortinet Single Sign-On) Collector Agent is integral to Fortinet's Single Sign-On mechanism. Understanding the TCP and UDP ports it uses is essential for configuring firewall rules, troubleshooting connectivity issues, and ensuring seamless network operations.

This list is pertinent for the FSSO Collector Agent software versions starting from 5.0.0276 and subsequent versions unless otherwise noted.

For open ports of FortiGate and other products see.

More configuration on FortiGate.







UDP/8002 – DC Agent keepalive and push logon info to Collector Agent
TCP/8001 – FortiGate to FSSO Collector Agent connection (SSL)
TCP/8000 – FortiGate to FSSO Collector Agent connection
TCP/8000 – NTLM


TCP/135, TCP/139, UDP/137 – Workstation check, polling mode (fallback method)
TCP/445 – Remote access to logon events, Workstation check (remote registry)
TCP/389 – Group lookup using LDAP
TCP/636 - Group lookup using LDAPS
TCP/3268 – Group lookup using LDAP with global catalog
TCP/3269 – Group lookup using LDAPS with global catalog
UDP/53 – DNS for resolving hostnames of the logon events.

Be sure to allow inbound connection to the FSSO Collector Agent by the integrated Windows Firewall.

To test the connection from a FortiGate run the following commands.


diag debug enable
diag debug auth fsso server
exec telnet <CollectorAgentIP> 8000



To validate the connection between FortiGate and the FSSO Collector Agent:


  1. Activate debugging with: diag debug enable
  2. Focus on FSSO server debugging: diag debug auth fsso server
  3. Attempt a connection: exec telnet <CollectorAgentIP> 8000


Security Considerations:

  • Ensure only trusted entities have communication access on these ports.
  • Regularly monitor and audit traffic for anomalies.
  • Utilize secure connections (like LDAPS) wherever possible for enhanced security.

Always keep the FSSO Collector Agent and FortiGate firmware up-to-date to benefit from the latest security patches and feature enhancements. Regularly reviewing and updating firewall and port configurations will ensure optimal operation and security.