Open ports
The set of TCP/UDP ports that listen by default on the FortiNAC appliance follows current best practice: it is kept to a minimum so that unnecessary access from outside is explicitly restricted.
Keep the number of open ports to a minimum and block everything else. If users need to reach network resources through a fixed port (for example, from outside a firewall), the preferred option is to have them connect over a VPN rather than exposing that port.
Related Documents
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
Validate Open Ports
The current listening-port configuration can be viewed by running an nmap scan against the appliance from another host. On the appliance itself, netstat lists listening and connected sockets (netstat -ln lists only the listening ones); on systems without net-tools, ss -ln gives the same view.
Use netstat to verify that a specific TCP/UDP port is open:
netstat -ln | grep <port number>
For example, netstat -ln | grep 4568 verifies that the port used for Agent communications to FortiNAC is open. Including the colon (grep ':4568 ') avoids matching unrelated sockets whose address or port happens to contain the same digits. Expected output:
tcp 0 0 0.0.0.0:4568 0.0.0.0:* LISTEN
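The manual grep above answers one question at a time. As an added example (not Fortinet code and not part of the original page), the following POSIX shell script turns the check into a repeatable comparison: it normalises the output of netstat -ln or ss -lntu into proto/port pairs, folds tcp6/udp6 into tcp/udp, ignores sockets bound only to loopback (they are not reachable from the network), and reports any listener that is not in an allowlist derived from the port table below. The two sample outputs and the allowlist are constructed assumptions; trim the allowlist to the roles the appliance actually performs (for example, udp/161 only if FortiNAC is configured to answer SNMP queries, and the HA ports only on HA or Control Manager deployments).

```shell
#!/bin/sh
# Added example (not FortiNAC code): compare the sockets an appliance is
# listening on against an allowlist derived from the FortiNAC port table.
# Accepts the output of `netstat -ln` or `ss -lntu` on stdin.

# Allowlist of network-reachable listeners, constructed from the port table
# (entries marked Inbound or Bi-directional on the appliance side). Adjust to
# your deployment: udp/161 only if FortiNAC answers SNMP queries, tcp/1050 and
# tcp/5555 only on HA / Control Manager deployments, and so on.
EXPECTED_LISTENERS="tcp/22 tcp/80 tcp/443 tcp/1050 tcp/4568 tcp/5555 tcp/8000 \
tcp/8080 tcp/8180 tcp/8443 tcp/8543 udp/53 udp/67 udp/68 udp/161 udp/162 \
udp/514 udp/547 udp/1645 udp/1812 udp/1813 udp/4567"

# Constructed sample of `netstat -ln` output (not captured from a real box).
# tcp/23 is deliberately present: the port table lists Telnet as outbound
# only, so a Telnet listener is exactly what this check should flag.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4568            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 0.0.0.0:1812            0.0.0.0:*'

# Constructed sample of `ss -lntu` output, to show the same logic handles
# the other common tool's column layout.
SAMPLE_SS='Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port
udp   UNCONN 0      0             0.0.0.0:162        0.0.0.0:*
tcp   LISTEN 0      128           0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128              [::]:8443          [::]:*
tcp   LISTEN 0      128         127.0.0.1:3306       0.0.0.0:*'

# listening_ports: read netstat or ss output on stdin and print one
# "proto/port" per network-reachable listener, sorted and de-duplicated.
# tcp6/udp6 fold into tcp/udp. Sockets bound only to loopback are skipped:
# they are not exposed to the network, so they are not a firewall concern.
listening_ports() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
            proto = $1; sub(/6$/, "", proto)
            # netstat: numeric Recv-Q in $2, local address in $4.
            # ss:      socket state in $2, local address in $5.
            addr = ($2 ~ /^[0-9]+$/) ? $4 : $5
            if (addr ~ /^(127\.|::1:|\[::1\]:)/) next
            n = split(addr, a, ":")        # port is the last ":"-separated field
            print proto "/" a[n]
        }' | LC_ALL=C sort -u
}

# is_listening PROTO PORT: succeed if PROTO/PORT is a network-reachable
# listener in the output on stdin, e.g.  netstat -ln | is_listening tcp 4568
is_listening() {
    listening_ports | grep -qx "$1/$2"
}

# unexpected_listeners: print every network-reachable listener on stdin that
# is not in EXPECTED_LISTENERS. Empty output means the box matches the table.
unexpected_listeners() {
    for p in $(listening_ports); do
        case " $EXPECTED_LISTENERS " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

case "${1:-}" in
    --demo)   # run against the constructed samples
        echo "netstat sample, unexpected listeners:"
        printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
        echo "ss sample, unexpected listeners:"
        printf '%s\n' "$SAMPLE_SS" | unexpected_listeners ;;
    --check)  # run against a live appliance:  netstat -ln | sh check_ports.sh --check
        unexpected_listeners ;;
esac
```

With --demo the netstat sample yields a single unexpected listener, tcp/23, while the ss sample yields none; the loopback-only MySQL socket in both samples is correctly ignored. Run the script with --check on the appliance after any upgrade or configuration change, and treat every line it prints as something to explain or close.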
FortiNAC Open Port List
The table below lists the ports that must be open to end users and the ports that must be open for FortiNAC communications. eth0 and eth1 are the appliance interfaces; Inbound and Outbound are relative to the appliance.

| Port | Protocol | Description | Direction |
|---|---|---|---|
| All ports | All | Used by Device Profiler to classify devices. NMAP is one of the profiling methods; SNMP is another. | eth0: Outbound; eth1: Outbound |
| TCP 21 | FTP | Product updates | eth0: Outbound to internet |
| UDP 21 | FTP | Product updates (listed alongside TCP 21; FTP control traffic itself is TCP) | eth0: Outbound to internet |
| TCP 22 | SSH / SFTP | Product updates (SFTP); High Availability: MySQL replication from Primary Server to Secondary Server; Control Manager (M): manage FortiNAC Servers | eth0: Outbound to internet; Primary Server eth0: Outbound to Secondary Server eth0; Bi-directional between Managed Servers eth0 and Manager eth0 |
| TCP 23 | Telnet | Network device management (cleartext; prefer SSH where the device supports it) | eth0: Outbound |
| TCP 53 | DNS | Name service | eth0: Outbound; eth1: Inbound |
| UDP 53 | DNS | Name service | eth0: Outbound; eth1: Inbound |
| UDP 67 | DHCP | eth0: DHCP fingerprinting; eth1: serving IP addresses for isolation scopes | eth0: Inbound; eth1: Inbound |
| UDP 68 | DHCP | eth0: DHCP fingerprinting; eth1: serving IP addresses for isolation scopes | eth0: Inbound; eth1: Outbound |
| TCP 80 | HTTP | Web server (Portal) | eth0: Inbound; eth1: Inbound |
| UDP 123 | NTP | Time service | eth0: Outbound |
| UDP 161 | SNMP | Network device management | eth0: Outbound (Bi-directional if FortiNAC is configured to respond to SNMP queries; see the SNMP section of the Administration Guide) |
| UDP 162 | SNMP Traps | Device change notification (mostly host access notification) | eth0: Inbound |
| TCP 389 | LDAP (Winbind) | Used by the local RADIUS server for MSCHAPv2 authentication | Outbound |
| TCP 443 | HTTPS | Product updates; Web server (Portal) secure HTTP; License entitlements (fds1.fortinet.com); IoT data collection | eth0: Outbound to internet; eth1: Inbound |
| TCP 514 | OFTP | Communication with FortiAnalyzer (FortiNAC 8.5 and higher) | eth0: Outbound |
| UDP 514 | Syslog | Device change notification and RTR (inbound); logging of events to an external server (outbound) | eth0: Bi-directional |
| UDP 547 | DHCPv6 | DHCP fingerprinting | Inbound |
| TCP 1050 | CORBA | High Availability; server communication (see the note below the table) | Bi-directional between Primary and Secondary Server eth0; Bi-directional between Managed Servers and Manager eth0 |
| UDP 1645 | RADIUS | Host/user authentication (Local RADIUS Server default) | eth0: Bi-directional |
| UDP 1812 | RADIUS | Host/user authentication (Proxy RADIUS mode default) | eth0: Bi-directional |
| UDP 1813 | RADIUS Accounting | Host/user authentication changes and RTR (Proxy RADIUS mode default) | eth0: Inbound |
| UDP 3799 | RADIUS CoA | Host/user authentication action (moving/removing) | eth0: Outbound |
| UDP 4567 | Agent Server | Persistent Agent communication (no longer used by agent 5.x and above with FortiNAC 8.2 and above; TCP 4568 only) | eth0: Bi-directional; eth1: Bi-directional |
| TCP 4568 | Agent Server | Establishes the Persistent Agent communication (SSL) connection (agent 3.x and above) | eth0: Bi-directional; eth1: Bi-directional |
| TCP 5555 | Fortinet Server | Used internally by FortiNAC High Availability | Bi-directional between Primary and Secondary Server eth0; Bi-directional between Managed Servers and Manager eth0 |
| TCP 5986 (user modifiable) | WinRM | WMI profiling method (FortiNAC 8.5 and higher) | eth0 and eth1: Outbound |
| TCP 8000 | Private protocol | Fortinet Security Fabric (FSSO) communications (FortiNAC 8.5 and higher) | eth0: Inbound |
| TCP 8080 | HTTP alternative | Web server (Admin UI) | eth0: Inbound |
| TCP 8180 | Analytics Server | Used to update/download the agent | eth0: Inbound |
| TCP 8443 | HTTPS | Web server secure HTTP (Admin UI); FortiGuard (globaldevquery.fortinet.net); Control Manager (M): manage FortiNAC Servers (versions 8.8.9, 9.1.3 and above) | eth0: Inbound; eth0: Outbound to internet; Bi-directional between Managed Servers eth0 and Manager eth0 (versions 8.8.9, 9.1.3 and above) |
| TCP 8543 | Analytics Server | Used to transfer data to the Analytics Server and for queries from the web browser | eth0: Bi-directional |
Note: FortiNAC uses TCP port 1050 for CORBA (Common Object Request Broker Architecture) management, both for accessing server objects and for interprocess communication between FortiNAC subsystems and servers. When a requestor connects to this port, the appliance dynamically reassigns the session to a port in the 30000-64000 range. Any firewall between Primary and Secondary Servers, or between a Control Manager and its Managed Servers, must therefore permit TCP 30000-64000 in addition to TCP 1050, or HA and management traffic will fail after the initial connection.