FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
Andy_G
Staff
Staff

Article

The information relating to the ports used by Fortinet products is now available in the document Fortinet Communications Ports and Protocols document which can be found in the FortiOS Handbook section of the Fortinet Document Library

Versions of the document are available from FortiOS 5.2.

The information contained in this article is no longer updated but may be of interest if running earlier versions of firmware.

 

Description

This article lists:

  • ports for traffic originating from units
  • ports for traffic receivable by units (listening ports)
  • ports used to connect to the Fortinet Distribution Network (FDN)

Traffic varies by enabled options and configured ports. Only default ports are listed.

This information is also available in diagram format at the end of this article, and as a downloadable PDF.

For similar information about FortiMail, see the related article "FortiMail Traffic Types and TCP/UDP Ports".

Components

  • FortiOS v4.0 , v3.0, v2.80 , and v2.50
  • FortiClient v2.x, v3.0
  • FortiManager v4.0 , v3.0
  • FortiAnalyzer v3.0
  • FortiProxy 2.0.x,7.0.x
  • Fortinet Distribution Network (FDN)

Originating Traffic

 

FortiGate

Functionality Port(s)
DNS lookup; RBL lookup UDP 53
FortiGuard Antispam or Web Filtering rating lookup UDP 53 or UDP 8888
FDN server list
Source and destination port numbers vary by originating or reply traffic. See also the related article "How do I troubleshoot performance issues when FortiGuard Web Filtering is enabled?".
UDP 53 (default) or UDP 8888, and UDP 1027 or UDP 1031
NTP synchronization UDP 123
SNMP traps UDP 162
Syslog
All FortiOS versions can use syslog to send log messages to remote syslog servers. FortiOS v2.80 and v3.0 can also view logs stored remotely on a FortiAnalyzer unit. See originating port TCP 514.
Note : If a secure connection has been configured between a Fortigate and a FortiAnalyzer, Syslog traffic will be sent into an IPSec tunnel. Data will be exchanged over UDP 500/4500, Protocol IP/50
UDP 514
Configuration backup to FortiManager unit or FortiGuard Analysis and Management Service TCP 22
SMTP alert email; encrypted virus sample auto-submit TCP 25
LDAP or PKI authentication TCP 389 or TCP 636
FortiGuard Antivirus or IPS update
When requesting updates from a FortiManager unit instead of directly from the FDN, this port must be reconfigured as TCP 8890.
TCP 443
FortiGuard Analysis and Management Service TCP 443
FortiGuard Analysis and Management Service log transmission (OFTP) TCP 514
SSL management tunnel to FortiGuard Analysis and Management Service (FortiOS v3.0 MR6 or later) TCP 541
FortiGuard Analysis and Management Service contract validation TCP 10151
Quarantine, remote access to logs & reports on a FortiAnalyzer unit, device registration with FortiAnalyzer units (OFTP) TCP 514
RADIUS authentication TCP 1812

 

FortiAnalyzer

Functionality Port(s)
DNS lookup UDP 53
NTP synchronization UDP 123
Windows share UDP 137-138
SNMP traps UDP 162
Syslog; log forwarding
Note : If a secure connection has been configured between a Fortigate and a FortiAnalyzer, Syslog traffic will be sent into an IPSec tunnel. Data will be exchanged over UDP 500/4500, Protocol IP/50.
UDP 514
Log & report upload TCP 21 or TCP 22
SMTP alert email TCP 25
User name LDAP queries for reports TCP 389 or TCP 636
Vulnerability Management updates TCP 443
RADIUS authentication

TACACS+
TCP 1812
TCP
49
Log aggregation client

Device registration of FortiGate or FortiManager units; remote access to quarantine , logs&reports from a FortiGate unit remote management from a FortiManager unit (configuration retrieval) (OFTP).

FortiAnalyzer listening ports

Windows share


Syslog, log forwarding


















SSH administrative access to the CLI

Telnet administrative access to the CLI

HTTPS administrative access to the web-based manager

HTTPS administrative access to the web-based manager remote management from a FortiManager unit

Device registration of FortiGate or FortiManager units; remote access to quarantine , logs&reports from a FortiGate unit remote management from a FortiManager unit (configuration retrieval) (OFTP)

NFS share

HTTP or HTTPS administrative access to the web-based manager's CLI dashboard widget (v3.0 MR5 only). Protocol used will match the protocol used by the administrator when logging in to the web-based manager.

Log aggregation server.
Log aggregation server support requires model FortiAnalyzer 800 or greater.

Remote management from FortiManager unit

Remote MySQL database connection

FortiAnalyzer FDN ports

Vulnerability Management updates

TCP 3000

TCP
514






UDP137-139 and TCP 445

UDP 514
Note:If a secure connection has been configured between a FortiGate and FortiAnalyzer. Syslog will be sent into an IPSec tunnel. Data will be exchanged over UDP 500/4500, protocol IP/50

TCP 22

TCP 23

TCP 80


TCP 443


TCP 514




TCP 2049

TCP 2032





TCP 3000



TCP 8080

TCP 3306



TCP 443




 

FortiManager

Functionality Port(s)
DNS lookup UDP 53
NTP synchronization UDP 123
SNMP traps UDP 162
Syslog UDP 514
Remote management of a FortiGate unit TCP 22 and TCP 443

FortiManager v4.0 and above : TCP 541
Remote management of a FortiAnalyzer unit (OFTP and web services) TCP 443 and TCP 514 and TCP 8080
Firmware image downloads; FortiGuard Antivirus, Antispam, IPS and Web Filtering updates TCP 443
RADIUS authentication TCP 1812
FortiClient Manager clustering TCP 6028

 

FortiClient

Functionality Port(s)
Syslog UDP 514
Keepalive with FortiManager units UDP 6022 and UDP 6023
FortiGuard Antispam or Web Filtering rating lookup UDP 8888
FortiGuard Antivirus updates TCP 80
Device registration with FortiManager units TCP 6020
VPN settings from a FortiGate unit
FortiOS v3.0 can distribute VPN settings to FortiClients that provide a valid login. See the FortiGate CLI commandconfig vpn ipsec forticlient.
TCP 8900

Receivable Traffic

(Listening Ports)

 

FortiGate

 

When operating in the default configuration, FortiGate units do not accept TCP or UDP connections on any port except the default internal interface, which accepts HTTPS connections on TCP port 443.

See also the related article "Closing TCP 113" which describes making your FortiGate unit completely invisible to probes.

Functionality Port(s)
FortiGuard Antivirus and IPS update push
The FDN sends notice that an update is available. Update downloads then occur on standard originating ports for updates. See originating port TCP 443.
UDP 9443
SSH administrative access to the CLI; remote management from a FortiManager unit TCP 22
Telnet administrative access to the CLI; HA synchronization (FGCP L2)
Changing the telnet administrative access port number also changes the HA synchronization port number.
TCP 23
HTTP administrative access to the web-based manager TCP 80
HTTPS administrative access to the web-based manager; remote management from a FortiManager unit; user authentication for policy override TCP 443
SSL management tunnel from FortiGuard Analysis and Management Service (FortiOS v3.0 MR6 or later) TCP 541
HA heartbeat (FGCP L2)
FortiOS v2.8 used TCP 702.
TCP 703
User authentication keepalive and logout for policy override (default value of port for HTTP traffic)
Beginning with FortiOS v3.0 MR2, by default, this port is closed until enabled by the auth-keepalive command.
TCP 1000
User authentication keepalive and logout for policy override (default value of port for HTTPS traffic)
Beginning with FortiOS v3.0 MR2, by default, this port is closed until enabled by the auth-keepalive command.
TCP 1003
HTTP or HTTPS administrative access to the web-based manager's CLI dashboard widget (v3.0 MR5 only)
Protocol used will match the protocol used by the administrator when logging in to the web-based manager.
TCP 2302
Windows Active Directory (AD) Collector Agent TCP 8000
User authentication for policy override of HTTP traffic TCP 8008
FortiClient download portal
This feature is available on FortiGate-1000A, FortiGate-3600A, and FortiGate-5005FA2 only.
TCP 8009
User authentication for policy override of HTTPS traffic TCP 8010
VPN settings distribution to authenticated FortiClient installations
See originating port TCP 8900.
TCP 8900
SSL VPN TCP 10443
HA ETH 8890 (Layer 2)

 

FortiAnalyzer

Functionality Port(s)
Windows share UDP 137-139 and TCP 445
Syslog
Note : If a secure connection has been configured between a Fortigate and a FortiAnalyzer, Syslog traffic will be sent into an IPSec tunnel. Data will be exchanged over UDP 500/4500, Protocol IP/50
UDP 514
SSH administrative access to the CLI TCP 22
Telnet administrative access to the CLI TCP 23
HTTP administrative access to the web-based manager TCP 80
HTTPS administrative access to the web-based manager; remote management from a FortiManager unit TCP 443
Device registration of FortiGate or FortiManager units; remote access to quarantine, logs & reports from a FortiGate unit; remote management from a FortiManager unit (configuration retrieval)(OFTP) TCP 514
NFS share TCP 2049
HTTP or HTTPS administrative access to the web-based manager's CLI dashboard widget (v3.0 MR5 only)
Protocol used will match the protocol used by the administrator when logging in to the web-based manager.
TCP 2302
Log aggregation server
Log aggregation server support requires model FortiAnalyzer-800 or greater.
TCP 3000
Remote management from a FortiManager unit (configuration installation) TCP 8080

 

FortiManager

Functionality Port(s)
FortiGuard Antispam or Web Filtering rating lookup from a FortiClient or FortiGate unit UDP 53 or 8888
SNMP traps UDP 162
Keepalive from a FortiClient installation UDP 6022 and UDP 6023
FortiGuard Antivirus and IPS update push
The FDN sends notice that an update is available. Update downloads then occur on standard originating ports for updates. See originating port TCP 443.
UDP 9443
SSH administrative access to the CLI TCP 22
Telnet administrative access to the CLI TCP 23
HTTP administrative access to the web-based manager; FortiGuard Antivirus update request from a FortiClient installation TCP 80
HTTPS administrative access to the web-based manager; FortiGuard Antispam, Antivirus, IPS or Web Filtering update request from a FortiGate unit TCP 443
Device registration from a FortiClient installation TCP 6020
FortiClient Manager clustering TCP 6028
FortiGuard Antivirus or IPS update request from a FortiGate unit TCP 8890
HA heartbeat or synchronization TCP 5199

FDN Ports

FortiGate, FortiAnalyzer, and FortiManager units and FortiClient installations communicate with the Fortinet Distribution Network (FDN) to receive updates or use services.

Product(s) Functionality Port(s)
FortiManager v3.0 FortiGuard Web Filtering and Antispam rating replies Source: UDP 53 (default) or UDP 8888
Destination: UDP 1027 or UDP 1031
FortiOS v3.0 FortiGuard Web Filtering and Antispam rating lookup
This can be to the FDN or to a FortiManager acting as a private FDS.
Source: UDP 1027 or 1031
Destination: UDP 53 (default) or UDP 8888
FortiOS v3.0 FDN server list
See also the related articles "How do I troubleshoot performance issues when FortiGuard Web Filtering is enabled?".
UDP 53 (default) or UDP 8888, and UDP 1027 or UDP 1031
FortiOS v2.80 FortiGuard Web Filtering UDP 8888
FortiOS v2.80 FortiGuard Antispam (FortiShield) UDP 8889
FortiOS v3.0, FortiManager v3.0 FortiGuard Antivirus and IPS update push
The FDN sends notice that an update is available. Update downloads then occur on standard originating ports for updates. See originating port TCP 443.
UDP 9443
FortiClient FortiGuard Antivirus updates TCP 80
FortiAnalyzer v3.0 Remote Vulnerability Scan (RVS) updates TCP 443
FortiManager v3.0 Firmware images from FDN TCP 443
FortiManager v3.0 FortiGuard Antispam or Web Filtering updates TCP 443 or TCP 8890
FortiOS v3.0 FortiGuard Antivirus and IPS updates
When requesting updates from a FortiManager unit instead of directly from the FDN, this port must be reconfigured as TCP 8890.
TCP 443
FortiOS v2.80 FortiGuard Antivirus updates TCP 443
FortiOS v3.0 FortiGuard Analysis and Management Service TCP 443
FortiOS v3.0 FortiGuard Analysis and Management Service log transmission (OFTP) TCP 514
FortiOS v3.0 MR6 or later SSL management tunnel to FortiGuard Analysis and Management Service TCP 541
FortiOS v3.0 FortiGuard Analysis and Management Service contract validation TCP 10151
FortiOS v2.50 FortiGuard Antivirus updates TCP 8890

rmetzger_10773_v3_0_MR6_port_numbers.JPG

Related Articles

Troubleshooting performance issues when FortiGuard Web Filtering is enabled - Low source port

FortiOS : Closing TCP port 113

Technical Note: Traffic Types and TCP/UDP Ports used by Fortinet Products

Technical Note: Communication between FortiManager and FortiGate - TCP port 541

Technical Note: Traffic Types and TCP/UDP Ports used by Fortinet Products