Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Hardening your FortiGate

    Home FortiGate / FortiOS 6.0.0 Hardening your FortiGate
    6.0.0
    6.4.0
    6.2.0
    6.0.0
    5.6.0

    FortiOS ports and protocols

    FortiOS ports and protocols

    Communication to and from FortiOS is strictly controlled and only selected ports are opened for supported functionality such as administrator logins and communication with other Fortinet products or services.

    Accessing FortiOS using an open port is protected by authentication, identification, and encryption requirements. As well, ports are only open if the feature using them is enabled.

    FortiOS open ports

    The following diagram and tables shows the incoming and outgoing ports that are potentially opened by FortiOS.

    Incoming ports
    Purpose Protocol/Port

    FortiAP-S

    Syslog, OFTP, Registration, Quarantine, Log & Report

    TCP/443

    CAPWAP

    UDP/5246, UDP/5247

    FortiAuthenticator

    Policy Authentication through Captive Portal

    TCP/1000

    RADIUS disconnect

    TCP/1700

    FortiClient

    Remote IPsec VPN access

    UDP/IKE 500, ESP (IP 50), NAT-T 4500

    Remote SSL VPN access

    TCP/443

    SSO Mobility Agent, FSSO

    TCP/8001

    Compliance and Security Fabric

    TCP/8013 (by default; this port can be customized)

    FortiGate

    HA Heartbeat

    ETH Layer 0x8890, 0x8891, and 0x8893

    HA Synchronization

    TCP/703, UDP/703

    Unicast Heartbeat for Azure

    UDP/730

    DNS for Azure

    UDP/53

    FortiGuard

    Management

    TCP/541

    AV/IPS

    UDP/9443

    FortiManager

    AV/IPS Push

    UDP/9443

    IPv4 FGFM management

    TCP/541

    IPv6 FGFM management

    TCP/542

    FortiPortal

    API communications (FortiOS REST API, used for Wireless Analytics)

    TCP/443

    3rd-Party Servers

    FSSO

    TCP/8001 (by default; this port can be customized)

    Others

    Web Admin

    TCP/80, TCP/443

    Policy Override Authentication

    TCP/443, TCP/8008, TCP/8010

    Policy Override Keepalive

    TCP/1000, TCP/1003

    SSL VPN

    TCP/443
    Outgoing ports
    Purpose Protocol/Port

    FortiAnalyzer

    Syslog, OFTP, Registration, Quarantine, Log & Report

    TCP/514

    FortiAuthenticator

    LDAP, PKI Authentication

    TCP or UDP/389

    RADIUS

    UDP/1812

    FSSO

    TCP/8000

    RADIUS Accounting

    UDP/1813

    SCEP

    TCP/80, TCP/443

    CRL Download

    TCP/80

    External Captive Portal

    TCP/443

    FortiGate

    HA Heartbeat

    ETH Layer 0x8890, 0x8891, and 0x8893

    HA Synchronization

    TCP/703, UDP/703

    Unicast Heartbeat for Azure

    UDP/730

    DNS for Azure

    UDP/53

    FortiGate Cloud

    Registration, Quarantine, Log & Report, Syslog

    TCP/443

    OFTP

    TCP/514

    Management

    TCP/541

    Contract Validation

    TCP/443

    FortiGuard

    AV/IPS Update

    TCP/443, TCP/8890

    Cloud App DB

    TCP/9582

    FortiGuard Queries

    UDP/53, UDP/8888, TCP/53, TCP/8888

    DNS

    UDP/53, UDP/8888

    Registration

    TCP/80

    Alert Email, Virus Sample

    TCP/25

    Management, Firmware, SMS, FTM, Licensing, Policy Override

    TCP/443

    Central Management, Analysis

    TCP/541

    FortiManager

    IPv4 FGFM management

    TCP/541

    IPv6 FGFM management

    TCP/542

    Log & Report

    TCP or UDP/514

    FortiGuard Queries

    UDP/53, UDP/8888, TCP/80, TCP/8888

    FortiSandbox

    OFTP

    TCP/514

    Others

    FSSO

    TCP/8001 (by default; this port can be customized)
    note icon

    Note that, while a proxy is configured, FortiGate uses the following URLs to access the FortiGuard Distribution Network (FDN):

    • update.fortiguard.net
    • service.fortiguard.net
    • support.fortinet.com

    Closing open ports

    You can close open ports by disabling the feature that opens them. For example, if FortiOS is not managing a FortiAP then the CAPWAP feature for managing FortiAPs can be disabled, closing the CAPWAP port.

    The following sections of this document described a number of options for closing open ports:

    Previous
    Next

    FortiOS ports and protocols

    FortiOS ports and protocols

    Communication to and from FortiOS is strictly controlled and only selected ports are opened for supported functionality such as administrator logins and communication with other Fortinet products or services.

    Accessing FortiOS using an open port is protected by authentication, identification, and encryption requirements. As well, ports are only open if the feature using them is enabled.

    FortiOS open ports

    The following diagram and tables shows the incoming and outgoing ports that are potentially opened by FortiOS.

    Incoming ports
    Purpose Protocol/Port

    FortiAP-S

    Syslog, OFTP, Registration, Quarantine, Log & Report

    TCP/443

    CAPWAP

    UDP/5246, UDP/5247

    FortiAuthenticator

    Policy Authentication through Captive Portal

    TCP/1000

    RADIUS disconnect

    TCP/1700

    FortiClient

    Remote IPsec VPN access

    UDP/IKE 500, ESP (IP 50), NAT-T 4500

    Remote SSL VPN access

    TCP/443

    SSO Mobility Agent, FSSO

    TCP/8001

    Compliance and Security Fabric

    TCP/8013 (by default; this port can be customized)

    FortiGate

    HA Heartbeat

    ETH Layer 0x8890, 0x8891, and 0x8893

    HA Synchronization

    TCP/703, UDP/703

    Unicast Heartbeat for Azure

    UDP/730

    DNS for Azure

    UDP/53

    FortiGuard

    Management

    TCP/541

    AV/IPS

    UDP/9443

    FortiManager

    AV/IPS Push

    UDP/9443

    IPv4 FGFM management

    TCP/541

    IPv6 FGFM management

    TCP/542

    FortiPortal

    API communications (FortiOS REST API, used for Wireless Analytics)

    TCP/443

    3rd-Party Servers

    FSSO

    TCP/8001 (by default; this port can be customized)

    Others

    Web Admin

    TCP/80, TCP/443

    Policy Override Authentication

    TCP/443, TCP/8008, TCP/8010

    Policy Override Keepalive

    TCP/1000, TCP/1003

    SSL VPN

    TCP/443
    Outgoing ports
    Purpose Protocol/Port

    FortiAnalyzer

    Syslog, OFTP, Registration, Quarantine, Log & Report

    TCP/514

    FortiAuthenticator

    LDAP, PKI Authentication

    TCP or UDP/389

    RADIUS

    UDP/1812

    FSSO

    TCP/8000

    RADIUS Accounting

    UDP/1813

    SCEP

    TCP/80, TCP/443

    CRL Download

    TCP/80

    External Captive Portal

    TCP/443

    FortiGate

    HA Heartbeat

    ETH Layer 0x8890, 0x8891, and 0x8893

    HA Synchronization

    TCP/703, UDP/703

    Unicast Heartbeat for Azure

    UDP/730

    DNS for Azure

    UDP/53

    FortiGate Cloud

    Registration, Quarantine, Log & Report, Syslog

    TCP/443

    OFTP

    TCP/514

    Management

    TCP/541

    Contract Validation

    TCP/443

    FortiGuard

    AV/IPS Update

    TCP/443, TCP/8890

    Cloud App DB

    TCP/9582

    FortiGuard Queries

    UDP/53, UDP/8888, TCP/53, TCP/8888

    DNS

    UDP/53, UDP/8888

    Registration

    TCP/80

    Alert Email, Virus Sample

    TCP/25

    Management, Firmware, SMS, FTM, Licensing, Policy Override

    TCP/443

    Central Management, Analysis

    TCP/541

    FortiManager

    IPv4 FGFM management

    TCP/541

    IPv6 FGFM management

    TCP/542

    Log & Report

    TCP or UDP/514

    FortiGuard Queries

    UDP/53, UDP/8888, TCP/80, TCP/8888

    FortiSandbox

    OFTP

    TCP/514

    Others

    FSSO

    TCP/8001 (by default; this port can be customized)
    note icon

    Note that, while a proxy is configured, FortiGate uses the following URLs to access the FortiGuard Distribution Network (FDN):

    • update.fortiguard.net
    • service.fortiguard.net
    • support.fortinet.com

    Closing open ports

    You can close open ports by disabling the feature that opens them. For example, if FortiOS is not managing a FortiAP then the CAPWAP feature for managing FortiAPs can be disabled, closing the CAPWAP port.

    The following sections of this document described a number of options for closing open ports:

    Previous
    Next