The fgfm protocol runs over SSL (Secure Sockets Layer) using TCP port 541 under IPv4. FortiManager 6.2 supports the use of IPv6.
Both FortiGate and FortiManager units have a fgfm daemon running exclusively for FortiGate to FortiManager communication. The FortiManager unit listens on TCP port 541 for an incoming session request. The FortiGate unit establishes an SSL session with the FortiManager. Both units use TCP port 541 for sending and receiving messages.
The fgfm daemon handles all FortiGate to FortiManager (and vice versa) authentication, keep-alive messages and actions resulting from them (such as instructing another daemon on a FortiGate device to update its configuration or various database files).