Description
This article describes the FortiManager Ports.
Solution
The following table identifies the incoming ports for FortiManager and how the ports interact with other products:
Incoming ports |
||
|
Product |
Purpose |
Protocol and Port |
|---|---|---|
|
FortiGate
|
IPv4 FGFM management |
TCP/541 |
|
IPv6 FGFM management |
TCP/542 |
|
|
WebFilter queries, AV & IPS updates* |
UDP/53, UDP/8888 |
|
|
TCP/80, TCP/8888 |
||
|
Antispam* |
TCP/8889 |
|
|
UDP/8889 |
||
|
FortiGuard and FortiClient Web Filter and Email Filter* |
TCP/8900 |
|
|
Registration for license validation and UTM updates (AV, IPS)* |
TCP/8890, TCP/443 |
|
|
Logging (all Fortinet products) |
OFTP |
TCP/514 |
|
FortiManager
|
HA |
TCP/5199 |
|
Log aggregation server (requires FortiManager 800 series or higher) |
TCP/300 |
|
|
File query/AntiVirus query service** |
TCP/8900 |
|
|
Cascade mode for FortiClient AV packages update |
TCP/8891 |
|
|
GeoIP service** |
TCP/8900 |
|
|
FortiGuard and FortiClient Web Filter and Email Filter* |
TCP/8900 |
|
|
Non-Fortinet products |
Syslog |
UDP/514, TCP/514 |
|
Chromebook |
Logging |
TCP/8443 |
|
Management
|
Ping |
ICMP |
|
SSH |
TCP/22 |
|
|
HTTP |
TCP/80 |
|
|
HTTPS |
TCP/443 |
|
|
Web Service (SOAP/XML API) |
TCP/8080 |
|
|
JSON API (HTTPS/HTTP respectively) |
TCP/443, TCP/80 |
|
|
SNMP query |
UDP/161 |
|
|
Remote access to FortiOS GUI from FortiManager*** |
TCP/8082 |
|
|
FortiGuard |
AV and IPS push updates |
UDP/9443 |
* Applies only when FortiManager is acting as a local FortiGuard server.
** In FortiManager 7.4.0, File query/AntiVirus query service uses TCP/8902 and GeoIP service uses TCP/8903.
*** The remote access to FortiOS GUI feature is available in FortiManager 7.4.2 and later.
Outgoing ports |
||
|
The following table identifies the outgoing ports for FortiManager and how the ports interact with other products: |
||
|
Product |
Purpose |
Protocol and Port |
|---|---|---|
|
FortiGate |
IPv4 FGFM management |
TCP/541 |
|
IPv6 FGFM management |
TCP/542 |
|
|
AV and IPS Push updates* |
UDP/9443 |
|
|
Non-Fortinet
|
SMTP email alerts |
TCP/25 |
|
TACACS+ authentication |
TCP/49 |
|
|
LDAP queries |
TCP/389, UDP 389 |
|
|
LDAPS queries |
TCP/636, UDP 636 |
|
|
Log aggregation client |
TCP/3000 |
|
|
RADIUS authentication |
TCP/1812 |
|
|
DNS lookup |
UDP/53 |
|
|
NTP synchronization |
UDP/123 |
|
|
SNMP traps |
UDP/162 |
|
|
Syslog, logforwarding |
UDP/514, TCP/514 |
|
| Google Maps integration** | ||
|
FortiManager
|
HA sync |
TCP/5199 |
|
FortiGuard and FortiClient Web Filter and Email Filter* |
TCP/8900 |
|
|
FortiGuard |
Firmware images update |
TCP/443 |
|
Sprite Map and webGUI updates |
||
|
AV & IPS updates |
||
|
Web Filtering and Anti-Spam updates |
||
|
File query and GEOIP DB updates |
||
|
Google Maps license management |
||
|
FortiClient signature updates |
||
|
Fortinet Registry |
Management Extension Applications download (for example, FortiWLM MEA) |
TCP/443, TCP/4443 |
* Applies only when FortiManager is acting as a local FortiGuard server.
** These URLs must be accessible by the admin user's PC for Google Maps integration. See Google Map integration.
Anycast and unicast services |
||
|
The following service are accessed by FortiManager: |
|
Service |
Non-Anycast FQDN address |
Anycast domain name |
|---|---|---|
| AV-IPS package |
fds1.fortinet.com usfds1.fortinet.com |
globalupdate.fortinet.net globalupdate2.fortinet.net* usupdate.fortinet.net usupdate2.fortinet.net* euupdate.fortinet.net |
| AV-IPS packages (FortiClient) |
forticlient.fortinet.com usforticlient.fortinet.com
|
globalfctupdate.fortinet.net fctusupdate.fortinet.net fcteuupdate.fortinet.net
|
| GeoIP |
gip.fortinet.net usfqsvr.fortinet.net |
globalupdate.fortinet.net globalupdate2.fortinet.net* usupdate.fortinet.net usupdate2.fortinet.net * |
|
Webfilter AntiSpam Outbreak Prevention Query Category File Query AntiVirus Query |
guard.fortinet.net usguard.fortinet.net |
globalupdate.fortinet.net globalupdate2.fortinet.net* usupdate.fortinet.net usupdate2.fortinet.net* |
|
IoT Collect |
Service only in Anycast |
globalupdate.fortinet.net usupdate.fortinet.net |
|
Device info Query |
Service only in Anycast |
globaldevquery.fortinet.net eudevquery.fortinet.net |
|
FortiCloud FortiClient |
forticlient.fortinet.net |
globalfctupdate.fortinet.net fcteuupdate.fortinet.net |
* These domain names are used when the FortiGuard Anycast source is set to AWS in FortiManager. See the FortiManager CLI Reference.
Note that, while a proxy is configured, FortiManager uses the following URLs to access the FortiGuard Distribution Network (FDN) for the following updates:
fds1.fortinet.com - FortiGate AV/IPS package downloads
guard.fortinet.com - Webfilter/AntiSpam DB and AVfileQuery DB downloads
forticlient.fortinet.com - FortiClient signature package downloads
fgd1.fortigate.com:8888 - FortiClient Webfilter queries to FortiGuard
