FortiGate
mturic
Staff
Description
This article lists the TCP and UDP ports used by the FSSO Collector Agent software, version 5.0.0276 and later.

For the open ports of FortiGate and other Fortinet products, see:
https://docs.fortinet.com/document/fortigate/6.2.0/ports-and-protocols/303168/fortigate-open-ports

For more on configuring FSSO on FortiGate, see:
https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/879117/fsso-fortinet-single-s...

Solution
Inbound (to the Collector Agent):
UDP/8002 – DC Agent keepalive and push logon info to Collector Agent
TCP/8001 – FortiGate to FSSO Collector Agent connection (SSL)
TCP/8000 – FortiGate to FSSO Collector Agent connection
TCP/8000 – NTLM

Outbound (from the Collector Agent):
TCP/135, TCP/139, UDP/137 – Workstation check, polling mode (fallback method)
TCP/445 – Remote access to logon events, Workstation check (remote registry)
TCP/389 – Group lookup using LDAP
TCP/636 – Group lookup using LDAPS
TCP/3268 – Group lookup using LDAP with global catalog
TCP/3269 – Group lookup using LDAPS with global catalog
UDP/53 – DNS for resolving the hostnames found in logon events

Be sure to allow inbound connections to the FSSO Collector Agent through the integrated Windows Firewall on the host running the agent.
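The following PowerShell script is an added example, not part of the original article or of Fortinet's own tooling. It creates inbound Windows Firewall rules on the Collector Agent host for the three inbound ports listed above, scoped to the peers that legitimately use them (FortiGates for TCP/8000 and TCP/8001, domain controllers running the DC Agent for UDP/8002) rather than to any source. The addresses in $FortiGates and $DomainControllers are placeholders and must be replaced with real ones; the rule names and the group name are assumptions chosen for this example.

```powershell
# Added example (not from the original article): inbound Windows Firewall rules
# on the FSSO Collector Agent host for the ports in the "Inbound" list above,
# restricted to the hosts that are expected to connect. Run in an elevated shell.

# ASSUMPTION: placeholder addresses; replace with the real FortiGate and DC addresses.
$FortiGates        = @('192.0.2.10', '192.0.2.11')   # FortiGates that connect to the Collector Agent
$DomainControllers = @('192.0.2.20', '192.0.2.21')   # domain controllers running the DC Agent

$RuleGroup = 'FSSO Collector Agent'   # assumed group name, used to find the rules again

# Port table taken from the inbound list above.
$Rules = @(
    @{ Proto = 'TCP'; Port = 8000; Remote = $FortiGates;        Note = 'FortiGate to Collector Agent (plain) and NTLM' },
    @{ Proto = 'TCP'; Port = 8001; Remote = $FortiGates;        Note = 'FortiGate to Collector Agent (SSL)' },
    @{ Proto = 'UDP'; Port = 8002; Remote = $DomainControllers; Note = 'DC Agent keepalive and logon info push' }
)

foreach ($r in $Rules) {
    $name = "FSSO-CA-$($r.Proto)-$($r.Port)-In"   # assumed naming scheme

    # Drop any earlier copy of the same rule so the script can be re-run safely.
    Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    New-NetFirewallRule -Name $name `
        -DisplayName "$RuleGroup $($r.Proto)/$($r.Port) inbound" `
        -Description $r.Note `
        -Group $RuleGroup `
        -Direction Inbound `
        -Protocol $r.Proto `
        -LocalPort $r.Port `
        -RemoteAddress $r.Remote `
        -Profile Domain `
        -Action Allow | Out-Null
}

# Verification: show each rule with its port and remote-address filters so the
# scope can be checked before the change is considered complete.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule     = $_.Name
        Protocol = $port.Protocol
        Port     = $port.LocalPort
        Remote   = ($addr.RemoteAddress -join ',')
        Enabled  = $_.Enabled
    }
} | Format-Table -AutoSize
```

Outbound traffic (LDAP, SMB, DNS) is allowed by the Windows Firewall's default outbound policy, so only the inbound ports need explicit rules. Keeping the rules in a named group and restricting -RemoteAddress means a later audit can confirm that only the FortiGates and domain controllers can reach the agent's listening ports.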

To test the connection from a FortiGate, run the following commands:
# diag debug enable
# diag debug auth fsso server
# exec telnet <CollectorAgentIP> 8000
