Version: 7.0.0

Incoming ports

| Product | Purpose | Ports and protocols | Configurable |
|---|---|---|---|
| FortiAP-S | Syslog, Registration, Quarantine, Log & Report | TCP/443 | |
| | CAPWAP | UDP/5246-5247 | |
| FortiAuthenticator | Policy Authentication through Captive Portal | TCP/1000 | |
| | RADIUS Disconnect | TCP/1700 | |
| FortiClient | Remote IPsec VPN | UDP/500, UDP/4500 | Yes |
| | | ESP (IP 50) | |
| | Remote SSL VPN | TCP/443 | Yes |
| | Remote SSL VPN when DTLS enabled | UDP/443 | Yes |
| | SSO Mobility Agent, FSSO | TCP/8001 | |
| | Compliance and Security Fabric | TCP/8013 | Yes |
| FortiExtender | Control channel | UDP/5246 | Yes |
| | Data channel | UDP/25246 | Yes |
| FortiGate | HA Heartbeat | ETH Layer 0x8890, 0x8891, 0x8893 | |
| | HA Synchronization | TCP/703 | |
| | | UDP/703 | |
| | Administrator Access | TCP/22, TCP/80, TCP/443 | Yes |
| | | ICMP | |
| | IPsec VPN | UDP/500, UDP/4500 | Yes |
| | | ESP (IP 50) | |
| | IPsec VPN Forward Error Correction | UDP/50000 | |
| | Unicast Heartbeat for Azure | UDP/730 | |
| | DNS for Azure | UDP/53 | |
| | Security Fabric | UDP/8014 | |
| FortiGuard | IPv4 FGFM tunnel | TCP/541 | |
| | IPv6 FGFM tunnel | TCP/542 | |
| FortiManager | IPv4 FGFM tunnel | TCP/541 | |
| | IPv6 FGFM tunnel | TCP/542 | |
| FortiPortal | API for communication (FortiOS REST API) | TCP/443 | |
| FortiToken Mobile | Approve/deny response from FortiToken Mobile | TCP/4433 | Yes |
| FSSO server | FSSO | TCP/8001 | Yes |
| Others | Administrator Access (SSH, HTTPS, HTTP) | TCP/22, TCP/80, TCP/443 | Yes |
| | | ICMP | |
| | Policy Override Authentication | TCP/443, TCP/8008, TCP/8010, TCP/8015, TCP/8020 | Yes |
| | Policy Override Keepalive | TCP/1000, TCP/1003 | |
| | SSL VPN | TCP/443 | Yes |
| | ACME service | TCP/80, TCP/443 | |
| | AeroScout Vendor port | UDP/1144 | |
| | External captive portal authentication with FortiAP in bridge mode | UDP/2000 | |
| | RADIUS DAS feature - RFC 5176 | UDP/3799 | |

Note

Enabling some services will cause additional standard ports to open as the protocol necessitates. For example, enabling BGP will open TCP port 179. See View open and in use ports for more information.
