Administration Guide

Required services and ports

You must enable required ports and services for use by FortiClient and its associated applications on your server. The required ports and services enable FortiClient to communicate with servers running associated applications.

| Communication | Usage | Protocol | Port | Incoming/outgoing | How to customize |
|---|---|---|---|---|---|
| FortiClient Telemetry | Endpoint management (on-premise EMS), participation in the Fortinet Security Fabric | TCP | 8013 | Outgoing | GUI |
| SYSLOG | Upload logs to syslog server | UDP | 514 | Outgoing | N/A |
| FortiSandbox | Send files to FortiSandbox for analysis | TCP | 514 | Outgoing | N/A |
| Remote access - SSL VPN | Establish VPN connection to the FortiGate | TCP | 443 (default) | Outgoing | GUI |
| FortiAnalyzer/FortiManager | Upload logs and Windows host events to FortiAnalyzer or FortiManager | TCP | 514 | Outgoing | N/A |
| Remote access - IPsec VPN | Establish VPN connection to the FortiGate | UDP | IKE 500, ESP (IP 50), NAT-T 4500 | Outgoing | N/A |
| FortiAuthenticator/FortiGate | Single sign on (SSO) mobility agent, FortiClient SSO | TCP | 8001 (default) | Outgoing | GUI |
| FortiManager | Use FortiManager for FortiClient software and signature updates | TCP | 80 (default) | Outgoing | GUI |
| SMTP/FortiGuard | Virus submission | TCP | 25 | Outgoing | N/A |
| FortiPAM | Use FortiPAM for privilege access management | TCP | 9191 | Outgoing | N/A |
| FortiGuard | Cloud-based malware detection | TCP | 8888 | Outgoing | N/A |

FortiClient can also connect to FortiClient Cloud instead of on-premise EMS for endpoint management. The following table summarizes required services for FortiClient to communicate with FortiClient Cloud:

| Usage | Server URL | Protocol | Port | Incoming/Outgoing | How to customize |
|---|---|---|---|---|---|
| FortiClient Cloud connection | forticlient-emsproxy.forticloud.com, forticlient.forticloud.com | TCP | 443 (default) | Outgoing | |

FortiClient connects to FortiGuard to query for URL ratings for Web Filter and to download AV and vulnerability scan engine and signature updates. FortiClient can connect to legacy FortiGuard or FortiGuard Anycast. The EMS administrator configures FortiGuard server options. See Web Filter and System Settings. The following table summarizes required services for FortiClient to communicate with FortiGuard:

| Usage | Server URL (Global) | Server URL (U.S.) | Server URL (Europe) | Protocol | Port | Incoming/Outgoing | How to customize |
|---|---|---|---|---|---|---|---|
| URL rating with FortiGuard Anycast | fctguard.fortinet.net | fctusguard.fortinet.net | fcteuguard.fortinet.net | TCP | 443 | Outgoing | N/A. The EMS administrator can configure Web Filter to use Anycast or legacy FortiGuard servers. See Web Filter. |
| URL rating with FortiGuard (legacy) | fgd1.fortigate.com | usfgd1.fortigate.com | N/A | UDP | 8888 (default) | Outgoing | N/A. The EMS administrator can configure Web Filter to use Anycast or legacy FortiGuard servers. See Web Filter. |
| AV/vulnerability signature update | forticlient.fortinet.net, myforticlient.fortinet.net | usforticlient.fortinet.net | N/A | TCP | 80 | Outgoing | N/A |
| AV/vulnerability signature updates with FortiGuard Anycast | fctupdate.fortinet.net | fctusupdate.fortinet.net | fcteuupdate.fortinet.net | TCP | 443 | Outgoing | N/A |

FortiClient can also connect to FortiClient Cloud Sandbox (SaaS) for integration with FortiSandbox. The following table summarizes required services for FortiClient to communicate with FortiClient Cloud Sandbox (SaaS):

| Usage | Server URL | Protocol | Port | Incoming/Outgoing | How to customize |
|---|---|---|---|---|---|
| FortiClient Cloud Sandbox (SaaS) connection | aptctrl1.fortinet.com. aptctrl1.fortinet.com sends a list of Sandbox server addresses to FortiClient. There are no fixed IP addresses, FQDNs, or ports for these servers. However, the returned port is usually 514. | TCP | 443 (default) | Outgoing | N/A |

For the list of required services and ports for EMS, see the FortiClient EMS Administration Guide.
