
FortiGate open ports

6.2.0


Incoming ports

|  | Purpose | Protocol/Port |
|---|---|---|
| FortiAP-S | Syslog, OFTP, Registration, Quarantine, Log & Report | TCP/443 |
|  | CAPWAP | UDP/5246, UDP/5247 |
| FortiAuthenticator | Policy Authentication through Captive Portal | TCP/1000 |
|  | RADIUS disconnect | TCP/1700 |
| FortiClient | Remote IPsec VPN access | UDP/IKE 500, ESP (IP 50), NAT-T 4500 |
|  | Remote SSL VPN access | TCP/443 |
|  | SSO Mobility Agent, FSSO | TCP/8001 |
|  | Compliance and Security Fabric | TCP/8013 (by default; this port can be customized) |
| FortiGate | HA Heartbeat | ETH Layer 0x8890, 0x8891, and 0x8893 |
|  | HA Synchronization | TCP/703, UDP/703 |
|  | Unicast Heartbeat for Azure | UDP/730 |
|  | DNS for Azure | UDP/53 |
|  | Security Fabric | UDP/8014 |
| FortiGuard | Management | TCP/541 |
|  | AV/IPS | UDP/9443 |
| FortiManager | AV/IPS Push | UDP/9443 |
|  | IPv4 FGFM management | TCP/541 |
|  | IPv6 FGFM management | TCP/542 |
| FortiPortal | API communications (FortiOS REST API, used for Wireless Analytics) | TCP/443 |
| 3rd-Party Servers | FSSO | TCP/8001 (by default; this port can be customized) |
| Others | Web Admin | TCP/80, TCP/443 |
|  | Policy Override Authentication | TCP/443, TCP/8008, TCP/8010 |
|  | Policy Override Keepalive | TCP/1000, TCP/1003 |
|  | SSL VPN | TCP/443 |

Outgoing ports

|  | Purpose | Protocol/Port |
|---|---|---|
| FortiAnalyzer | Syslog, OFTP, Registration, Quarantine, Log & Report | TCP/514 |
| FortiAuthenticator | LDAP, PKI Authentication | TCP or UDP/389 |
|  | RADIUS | UDP/1812 |
|  | FSSO | TCP/8000 |
|  | RADIUS Accounting | UDP/1813 |
|  | SCEP | TCP/80, TCP/443 |
|  | CRL Download | TCP/80 |
|  | External Captive Portal | TCP/443 |
| FortiGate | HA Heartbeat | ETH Layer 0x8890, 0x8891, and 0x8893 |
|  | HA Synchronization | TCP/703, UDP/703 |
|  | Unicast Heartbeat for Azure | UDP/730 |
|  | DNS for Azure | UDP/53 |
| FortiGate Cloud | Registration, Quarantine, Log & Report, Syslog | TCP/443 |
|  | OFTP | TCP/514 |
|  | Management | TCP/541 |
|  | Contract Validation | TCP/443 |
| FortiGuard | AV/IPS Update | TCP/443, TCP/8890 |
|  | Cloud App DB | TCP/9582 |
|  | FortiGuard Queries | UDP/53, UDP/8888, TCP/53, TCP/8888, TCP/443 (as part of Anycast servers) |
|  | SDNS queries for DNS Filter | UDP/53, TCP/853 (as part of Anycast servers) |
|  | Registration | TCP/80 |
|  | Alert Email, Virus Sample | TCP/25 |
|  | Management, Firmware, SMS, FTM, Licensing, Policy Override | TCP/443 |
|  | Central Management, Analysis | TCP/541 |
| FortiManager | IPv4 FGFM management | TCP/541 |
|  | IPv6 FGFM management | TCP/542 |
|  | Log & Report | TCP or UDP/514 |
|  | FortiGuard Queries | UDP/53, UDP/8888, TCP/80, TCP/8888 |
| FortiSandbox | OFTP | TCP/514 |
| Others | FSSO | TCP/8001 (by default; this port can be customized) |

Note

When a proxy is configured, FortiGate uses the following URLs to access the FortiGuard Distribution Network (FDN):

  • update.fortiguard.net
  • service.fortiguard.net
  • support.fortinet.com
