FortiGate
pmeet, Staff
Article Id 274749
Description: This article describes why port 541 is seen open on a FortiGate interface when a port scan is completed.
Scope: FortiGate.
Solution

When FMG-Access is enabled under Administrative Access on an interface, the FortiGate opens TCP port 541 on that interface. This port carries management traffic (the FGFM protocol) from FortiManager and from FortiGate Cloud management.


Example interface configuration that enables FGFM (the fgfm keyword in allowaccess):

config system interface
    edit "port5"
        set ip 10.35.1.1 255.255.255.0
        set allowaccess ping https ssh telnet fgfm fabric
    next
end


The listening socket, and the implicit local-in rule that accepts traffic to it, can be checked in the CLI with the following commands:


diag sys tcpsock | grep 541

...

0.0.0.0:541->0.0.0.0:0->state=listen err=983048 socktype=0 rma=0 wma=0 fma=0 tma=0 inode=154839222 process=24547/fgfm
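As an added example (not Fortinet's code), a small Python helper that parses `diag sys tcpsock` output into an inventory of listening sockets and reports any listener whose port is not on an allowlist of management ports you intended to expose. The 541/fgfm sample line is the one shown above; the 443 and 22 lines are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Set

# Constructed sample of `diag sys tcpsock` output. The port 541/fgfm line is the
# one shown in the article; the 443 and 22 lines are made up for illustration.
SAMPLE_TCPSOCK = """\
0.0.0.0:541->0.0.0.0:0->state=listen err=983048 socktype=0 rma=0 wma=0 fma=0 tma=0 inode=154839222 process=24547/fgfm
0.0.0.0:443->0.0.0.0:0->state=listen err=0 socktype=0 rma=0 wma=0 fma=0 tma=0 inode=1001 process=1234/httpsd
10.35.1.1:22->10.35.1.50:51022->state=established err=0 socktype=0 rma=0 wma=0 fma=0 tma=0 inode=1002 process=1235/sshd
"""

# One socket line: local addr:port -> remote addr:port -> state ... process=pid/name
LINE_RE = re.compile(
    r"^(?P<laddr>\S+?):(?P<lport>\d+)->(?P<raddr>\S+?):(?P<rport>\d+)->"
    r"state=(?P<state>\w+).*?process=(?P<pid>\d+)/(?P<proc>\S+)"
)


class Listener(NamedTuple):
    addr: str
    port: int
    proc: str
    pid: int


def parse_listeners(text: str) -> List[Listener]:
    """Return the sockets in LISTEN state, i.e. the ports a scan would see as open."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None or m.group("state") != "listen":
            continue  # skip non-socket lines and established sessions
        found.append(Listener(m.group("laddr"), int(m.group("lport")),
                              m.group("proc"), int(m.group("pid"))))
    return found


def unexpected_listeners(listeners: List[Listener], expected_ports: Set[int]) -> List[Listener]:
    """Listeners whose port is not in the set of management ports you meant to expose."""
    return [l for l in listeners if l.port not in expected_ports]


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_TCPSOCK)
    for l in listeners:
        print(f"{l.addr}:{l.port} listening, owned by {l.proc} (pid {l.pid})")
    # Only HTTPS was planned here, so 541/fgfm is reported as unplanned exposure.
    for l in unexpected_listeners(listeners, {443}):
        print(f"unexpected: port {l.port} ({l.proc})")
```

Run it against a saved copy of the real command output to see which management daemons are listening on 0.0.0.0 before deciding whether FMG-Access is needed on a given interface.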

 

diagnose firewall iprope list 010000e | grep 541 -B 11
policy index=4294967295 uuid_idx=10 action=accept
flag (1): log
schedule()
cos_fwd=0 cos_rev=0
group=0010000e av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 8 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 10.35.1.1-10.35.1.1, uuid_idx=0,
service(1):
[6:0x0:0/(0,65535)->(541,541)] flags:0 helper:auto


Access to this port can be restricted by creating local-in policies that accept only the FortiManager IP address and deny all other sources.

 

Example configuration:

 

config firewall address
    edit "FortiManager"
        set subnet <fortimanager IP>
    next
end


config firewall service custom
    edit "FortiManager - TCP 541"
        set tcp-portrange 541
    next
end

 

config firewall local-in-policy
...
    edit 3
        set intf "port5"
        set srcaddr "FortiManager"
        set dstaddr "all"
        set action accept
        set service "FortiManager - TCP 541"
        set schedule "always"
    next
    edit 4
        set intf "port5"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "FortiManager - TCP 541"
        set schedule "always"
    next
end

 

In the above example, policy 3 accepts traffic only from the FortiManager IP address, while policy 4 denies all other sources. Local-in policies are evaluated top-down with first match, so policy 3 must stay ordered before policy 4.

 

Nmap test from a host that is not the FortiManager:


~$ nmap -p 541 10.35.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2024-12-19 12:52 CET
Nmap scan report for 10.35.1.1
Host is up (0.00063s latency).

PORT STATE SERVICE
541/tcp filtered uucp-rlogin

 

The port shows as filtered (the FortiGate drops the packet and sends no RST).

 

The FGFM tunnel from FortiManager remains up, however:

diag fgfm session-list
...
FortiGate(516) sn(xxxx) ip(10.35.1.1)
state(tunnel) tunnel(169.254.0.11) uptime:Thu Dec 19 12:59:06 2024
Session count = 4 (tunnel 3, unknown 1)

 

If policy 3 above is disabled, the FortiManager is blocked as well, because all traffic then matches policy 4.

Once policy 3 is disabled, the FGFM tunnel drops:

 

diag fgfm session-list
...
Session count = 3 (tunnel 2, unknown 1)

 

Related document:

Incoming ports