Article Id 274921

This article explains why, after the FortiManager Cloud connector is enabled on the FortiGate, a port scan against the FortiGate's external (WAN) interface shows ports 541, 53, 80, and 443 as 'open' even though they are disabled at the interface level.

Scope: FortiGate.

When a port scan shows ports 541, 53, 80, and 443 as open on an external interface that has 'FMG-Access' enabled but all other administrative access disabled, the reasons are as follows:



  • Port 541 is the default port used for FortiManager traffic, so enabling 'FMG-Access' opens port 541.

Related document:

FGFM - FortiGate to FortiManager Protocol



Port 542 is utilized for IPv6 connection.



  • In FortiGate, central management is configured with respect to the FQDN of ''.
  • Since an FQDN is used, it must be resolved to an IP address before the FortiGate can communicate with it.
  • This is why port 53 is important here: DNS resolution has to occur.

Related document:

FortiManager Cloud service



FOR PORTS 80 AND 443:

  • Another important criterion for the connection between FortiGate and FortiManager/FortiManager Cloud to establish is that the TLS versions match or are compatible on both ends.

Related article:

Troubleshooting Tip: How to troubleshoot connectivity issues between FortiGate and FortiManager

  • Since the SSL/TLS version is checked here, the ports used for this are port 80 (HTTP) and port 443 (HTTPS).
  • If FortiManager Cloud access is required and these ports show up as open to the Internet, the FortiGate will permit inbound traffic from external sources if and only if firewall policies are configured for it.
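To triage such a scan result, the added example below (not Fortinet code) parses nmap grepable (`-oG`) output and separates the open ports this article accounts for from any it does not. The scan text, the address and port 8443 are constructed sample data, and the function names are assumptions made for the example.

```python
import re

# Ports the article explains for a WAN interface with 'FMG-Access' enabled
# and the FortiManager Cloud connector turned on (reasons paraphrased from it).
EXPLAINED = {
    541: "FortiManager (FGFM) traffic",
    542: "FortiManager traffic over IPv6",
    53: "DNS resolution of the central-management FQDN",
    80: "SSL/TLS version check (HTTP)",
    443: "SSL/TLS version check (HTTPS)",
}

# Constructed sample in nmap grepable (-oG) format; address is from TEST-NET-3.
SAMPLE_SCAN = (
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/filtered/tcp//ssh///, 53/open/tcp//domain///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 541/open/tcp//uucp-rlogin///, "
    "8443/open/tcp//https-alt///\tIgnored State: closed (994)\n"
)

# Each port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_FIELD = re.compile(r"^(\d+)/([^/]*)/([^/]*)/")

def open_tcp_ports(grepable_text):
    """Return {host: sorted list of open TCP ports} from nmap -oG text."""
    hosts = {}
    for line in grepable_text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue  # skip comments and status-only lines
        host = line.split()[1]
        ports_part = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        for entry in ports_part.split(","):
            m = PORT_FIELD.match(entry.strip())
            if m and m.group(2) == "open" and m.group(3) == "tcp":
                hosts.setdefault(host, set()).add(int(m.group(1)))
    return {h: sorted(p) for h, p in hosts.items()}

def triage(grepable_text):
    """Split each host's open ports into explained and unexplained sets."""
    report = {}
    for host, ports in open_tcp_ports(grepable_text).items():
        report[host] = {
            "explained": {p: EXPLAINED[p] for p in ports if p in EXPLAINED},
            "unexplained": [p for p in ports if p not in EXPLAINED],
        }
    return report

if __name__ == "__main__":
    for host, result in triage(SAMPLE_SCAN).items():
        print(host, result)
```

Any port that lands in `unexplained` is not covered by this article and should be checked against the interface's administrative access settings and the firewall policies.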