Description
This article describes which ports are used by FSSO (Fortinet Single Sign-On) Collector Agent to communicate with a FortiGate, and DC/TS-Agents.
Scope
FortiGate.
Solution
The FSSO (Fortinet Single Sign-On) Collector Agent is integral to Fortinet's Single Sign-On mechanism. Understanding the TCP and UDP ports it uses is essential for configuring firewall rules, troubleshooting connectivity issues, and ensuring seamless network operations.
This list applies to FSSO Collector Agent version 5.0.0276 and later unless otherwise noted.
Note:
Starting with FSSO Agent version 5.0.297 and onward, secure communication can be configured between the DC Agent and the Collector Agent. See the following KB article for more information: Technical Tip: FSSO - Enabling Secure communication between Collector Agent and DC Agent
Inbound:
UDP/8002 – DC Agent/TS-Agent keepalive and push logon info to Collector Agent
TCP/8003 – DC Agent/TS-Agent keepalive and push logon info to Collector Agent (SSL enabled/secure)
TCP/8001 – FortiGate to FSSO Collector Agent connection (SSL)
TCP/8000 – FortiGate to FSSO Collector Agent connection
TCP/8000 – NTLM
Outbound:
TCP/135, TCP/139, UDP/137 – Workstation check, polling mode (fallback method)
TCP/445 – Remote access to logon events, Workstation check (remote registry)
TCP/389 – Group lookup using LDAP
TCP/636 – Group lookup using LDAPS
TCP/3268 – Group lookup using LDAP with global catalog
TCP/3269 – Group lookup using LDAPS with global catalog
UDP/53 – DNS for resolving hostnames of the logon events.
Be sure to allow inbound connections to the FSSO Collector Agent through the integrated Windows Firewall. To test the connection from a FortiGate, run the following commands:
diag debug enable
diag debug auth fsso server
exec telnet <CollectorAgentIP> 8000
To validate the connection between the FortiGate and the FSSO Collector Agent:
diag debug enable
diag debug console timestamps enable
diag debug auth fsso server
exec telnet <CollectorAgentIP> 8000
To check these ports and validate that they are correctly opened, Telnet tests (TCP connections) must be executed from the FortiGate to the DC. If DC Agents are installed on some of the DCs, the Collector Agent receives their traffic on 8002 or 8003 depending on whether the connection is secure (8002 – not secure, 8003 – secure); the FortiGate connection uses 8000 or 8001 depending on whether it is secure (8000 – not secure, 8001 – secure).
TCP/8003 – SSL enabled/secure.
UDP/8002 – Not secure.
TCP/8001 – SSL enabled/secure.
TCP/8000 – Not secure.
If the push of logon info to the Collector Agent runs on port 8002 (not secure), this port cannot be validated from the FortiGate, because Telnet works over TCP and this service uses UDP.
If the push of logon info to the Collector Agent runs on port 8003 (SSL enabled/secure), this port can be validated from the FortiGate, because Telnet works over TCP.
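The same TCP-connect check, with the UDP/8002 caveat built in, as an added example that is not part of this article or Fortinet's own tooling. It is meant to be run from an administrative host that can reach the Collector Agent (not from the FortiGate CLI, which uses exec telnet as shown above); the host address and the injectable connect function are assumptions for illustration and testing.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class FssoPort:
    proto: str
    port: int
    purpose: str
    secure: bool


# Inbound ports the Collector Agent listens on, taken from the list above.
COLLECTOR_INBOUND = [
    FssoPort("udp", 8002, "DC/TS-Agent keepalive and logon push", False),
    FssoPort("tcp", 8003, "DC/TS-Agent keepalive and logon push (SSL)", True),
    FssoPort("tcp", 8000, "FortiGate to Collector Agent", False),
    FssoPort("tcp", 8001, "FortiGate to Collector Agent (SSL)", True),
]


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes (same check as telnet)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_collector(host, connect=tcp_reachable):
    """Probe every inbound Collector Agent port; UDP ports are reported as not
    verifiable, because a TCP connect (telnet) says nothing about a UDP listener."""
    results = {}
    for p in COLLECTOR_INBOUND:
        key = f"{p.proto}/{p.port}"
        if p.proto != "tcp":
            results[key] = "skipped: UDP cannot be validated with a TCP connect test"
        elif connect(host, p.port):
            results[key] = "open"
        else:
            results[key] = "closed/filtered"
    return results


if __name__ == "__main__":
    # Hypothetical Collector Agent address (documentation range, not a real host).
    for port, state in check_collector("192.0.2.10").items():
        print(f"{port:9} {state}")
```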
Security Considerations:
Always keep the FSSO Collector Agent and FortiGate firmware up-to-date to benefit from the latest security patches and feature enhancements. Regularly reviewing and updating firewall and port configurations will ensure optimal operation and security.
Copyright 2024 Fortinet, Inc. All Rights Reserved.