FortiOS ports and protocols

Communication to and from FortiOS is strictly controlled and only selected ports are opened for supported functionality such as administrator logins and communication with other Fortinet products or services.

Accessing FortiOS using an open port is protected by authentication, identification, and encryption requirements. As well, ports are only open if the feature using them is enabled.

FortiOS open ports

The following diagram and tables show the incoming and outgoing ports that are potentially opened by FortiOS.

Incoming ports

Purpose                                                               Protocol/Port
--------------------------------------------------------------------  --------------------------------------------------
FortiAP-S
  Syslog, OFTP, Registration, Quarantine, Log & Report                TCP/443
  CAPWAP                                                              UDP/5246, UDP/5247
FortiAuthenticator
  Policy Authentication through Captive Portal                        TCP/1000
  RADIUS disconnect                                                   TCP/1700
FortiClient
  Remote IPsec VPN access                                             UDP/IKE 500, ESP (IP 50), NAT-T 4500
  Remote SSL VPN access                                               TCP/443
  SSO Mobility Agent, FSSO                                            TCP/8001
  Compliance and Security Fabric                                      TCP/8013 (by default; this port can be customized)
FortiGate
  HA Heartbeat                                                        ETH Layer 0x8890, 0x8891, and 0x8893
  HA Synchronization                                                  TCP/703, UDP/703
  Unicast Heartbeat for Azure                                         UDP/730
  DNS for Azure                                                       UDP/53
FortiGuard
  Management                                                          TCP/541
  AV/IPS                                                              UDP/9443
FortiManager
  AV/IPS Push                                                         UDP/9443
  IPv4 FGFM management                                                TCP/541
  IPv6 FGFM management                                                TCP/542
FortiPortal
  API communications (FortiOS REST API, used for Wireless Analytics)  TCP/443
3rd-Party Servers
  FSSO                                                                TCP/8001 (by default; this port can be customized)
Others
  Web Admin                                                           TCP/80, TCP/443
  Policy Override Authentication                                      TCP/443, TCP/8008, TCP/8010
  Policy Override Keepalive                                           TCP/1000, TCP/1003
  SSL VPN                                                             TCP/443

Outgoing ports

Purpose                                                               Protocol/Port
--------------------------------------------------------------------  --------------------------------------------------
FortiAnalyzer
  Syslog, OFTP, Registration, Quarantine, Log & Report                TCP/514
FortiAuthenticator
  LDAP, PKI Authentication                                            TCP or UDP/389
  RADIUS                                                              UDP/1812
  FSSO                                                                TCP/8000
  RADIUS Accounting                                                   UDP/1813
  SCEP                                                                TCP/80, TCP/443
  CRL Download                                                        TCP/80
  External Captive Portal                                             TCP/443
FortiGate
  HA Heartbeat                                                        ETH Layer 0x8890, 0x8891, and 0x8893
  HA Synchronization                                                  TCP/703, UDP/703
  Unicast Heartbeat for Azure                                         UDP/730
  DNS for Azure                                                       UDP/53
FortiGate Cloud
  Registration, Quarantine, Log & Report, Syslog                      TCP/443
  OFTP                                                                TCP/514
  Management                                                          TCP/541
  Contract Validation                                                 TCP/443
FortiGuard
  AV/IPS Update                                                       TCP/443, TCP/8890
  Cloud App DB                                                        TCP/9582
  FortiGuard Queries                                                  UDP/53, UDP/8888, TCP/53, TCP/8888
  DNS                                                                 UDP/53, UDP/8888
  Registration                                                        TCP/80
  Alert Email, Virus Sample                                           TCP/25
  Management, Firmware, SMS, FTM, Licensing, Policy Override          TCP/443
  Central Management, Analysis                                        TCP/541
FortiManager
  IPv4 FGFM management                                                TCP/541
  IPv6 FGFM management                                                TCP/542
  Log & Report                                                        TCP or UDP/514
  FortiGuard Queries                                                  UDP/53, UDP/8888, TCP/80, TCP/8888
FortiSandbox
  OFTP                                                                TCP/514
Others
  FSSO                                                                TCP/8001 (by default; this port can be customized)

Note that, when a proxy is configured, FortiGate uses the following URLs to access the FortiGuard Distribution Network (FDN):

  • update.fortiguard.net
  • service.fortiguard.net
  • support.fortinet.com

Closing open ports

You can close open ports by disabling the feature that opens them. For example, if FortiOS is not managing a FortiAP then the CAPWAP feature for managing FortiAPs can be disabled, closing the CAPWAP port.
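The table above pairs each incoming port with the feature that opens it, and the paragraph above says a port is closed by disabling that feature. The following script is an added example, not Fortinet's code and not a FortiOS feature: it encodes the page's incoming TCP/UDP ports as a baseline keyed by feature, derives the ports that should be open from the features a unit is meant to use, and diffs that against a port-scan result, reporting both ports with no enabled feature to justify them (the unused-CAPWAP case) and the feature that would have to be disabled to close each one. The feature keys, the nmap-style scan-line layout and the sample scan are constructed assumptions; only the port numbers come from the page.

```python
"""Baseline check of FortiOS incoming ports against enabled features.

Added example, not Fortinet code. Port numbers come from the incoming-port
table on this page; the feature keys, the scan-line format and the sample
scan below are constructed for the example.
"""

# Incoming TCP/UDP ports from the table, keyed by the feature that opens them
# (feature keys are this example's own names, not FortiOS configuration
# objects). The HA heartbeat is carried in Ethernet frames (types 0x8890,
# 0x8891, 0x8893), not TCP/UDP, so a port scan cannot observe it and it is
# left out; ESP (IP protocol 50) is likewise not a port.
INCOMING_PORTS = {
    "fortiap_management": {("tcp", 443), ("udp", 5246), ("udp", 5247)},
    "captive_portal_auth": {("tcp", 1000)},
    "radius_disconnect": {("tcp", 1700)},
    "ipsec_vpn": {("udp", 500), ("udp", 4500)},
    "ssl_vpn": {("tcp", 443)},
    "fsso": {("tcp", 8001)},                 # default; customizable
    "security_fabric": {("tcp", 8013)},      # default; customizable
    "ha_sync": {("tcp", 703), ("udp", 703)},
    "ha_azure_unicast": {("udp", 730), ("udp", 53)},
    "fortiguard_management": {("tcp", 541)},
    "fortiguard_av_ips": {("udp", 9443)},
    "fortimanager": {("tcp", 541), ("tcp", 542), ("udp", 9443)},
    "rest_api": {("tcp", 443)},
    "web_admin": {("tcp", 80), ("tcp", 443)},
    "policy_override": {("tcp", 443), ("tcp", 8008), ("tcp", 8010),
                        ("tcp", 1000), ("tcp", 1003)},
}


def expected_ports(enabled_features, overrides=None):
    """Ports that should be open given the enabled features.

    `overrides` maps a feature key to a replacement port set, for the two
    entries the table marks as customizable (FSSO and Security Fabric).
    """
    overrides = overrides or {}
    expected = set()
    for feature in enabled_features:
        if feature not in INCOMING_PORTS:
            raise ValueError(f"unknown feature: {feature}")
        expected |= overrides.get(feature, INCOMING_PORTS[feature])
    return expected


def parse_scan(lines):
    """Parse scan lines of the form 'port/proto state [service]' (nmap-like
    layout, assumed) into a set of (proto, port) that were reported open."""
    observed = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        port_proto, state = line.split()[:2]
        if state.lower() != "open":
            continue
        port, proto = port_proto.split("/")
        observed.add((proto.lower(), int(port)))
    return observed


def audit(enabled_features, scan_lines, overrides=None):
    """Return (unexpected, missing): ports open with no enabled feature to
    justify them, and ports an enabled feature should have opened but the
    scan did not see (the feature may be bound to another interface)."""
    expected = expected_ports(enabled_features, overrides)
    observed = parse_scan(scan_lines)
    return observed - expected, expected - observed


def features_opening(port):
    """Features whose table entry includes (proto, port): the ones that would
    have to be disabled, or re-bound, to close it."""
    return sorted(f for f, ports in INCOMING_PORTS.items() if port in ports)


# Constructed sample: what a scan of the management interface might report
# on a unit that still has FortiAP management enabled but manages no APs.
SAMPLE_SCAN = """
# port/proto  state  service   (constructed sample, nmap-style layout)
80/tcp        open   http
443/tcp       open   https
541/tcp       open   fortiguard-mgmt
5246/udp      open   capwap-control
5247/udp      open   capwap-data
8001/tcp      open   fsso
""".splitlines()

# Constructed: the features this unit is supposed to be using.
ENABLED = ["web_admin", "ssl_vpn", "fortiguard_management", "fsso"]

if __name__ == "__main__":
    unexpected, missing = audit(ENABLED, SAMPLE_SCAN)
    for proto, port in sorted(unexpected):
        print(f"unexpected {proto}/{port}: opened by {features_opening((proto, port))}")
    for proto, port in sorted(missing):
        print(f"expected but not observed: {proto}/{port}")
```

Run against the constructed sample, the two CAPWAP ports are reported as unexpected and traced to the FortiAP-management entry, which is exactly the feature the paragraph above says to disable. Because several features share TCP/443 (web admin, SSL VPN, the REST API, policy override and FortiAP-S), `features_opening` returns all of them, so a shared port only closes once every feature in that list is disabled.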

The following sections of this document describe a number of options for closing open ports: