Administration Guide

Open ports

The number of open (listening) TCP/UDP ports configured by default on the FortiNAC appliance is based on current best practices. These ports are kept to a minimum to provide maximum security by explicitly restricting unnecessary access from the outside.

The best practice is to keep the number of open ports to a minimum, and block all other ports. If you need to provide users access to network resources through a static port (e.g., from outside a firewall), the best option is to allow users to connect by VPN.

Related Documents

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

Validate Open Ports

The current listening port configuration can be viewed by running an nmap scan against the appliance. Another useful command is “netstat”, which lists all listening and connected ports on the current appliance (e.g. netstat -ln lists just the listening ports).

Use the “netstat” command to verify that a TCP/UDP port is open.

netstat -ln | grep <port number>

For example, use netstat -ln | grep 4568 to verify that the port used for Agent communications to FortiNAC is open.

tcp 0 0 0.0.0.0:4568 0.0.0.0:* LISTEN
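As an added example that is not part of the FortiNAC guide, the POSIX shell functions below turn "netstat -ln" output into proto/port tokens and compare them with a baseline of the ports the table in this section marks as inbound or bi-directional, reporting listeners that are missing and listeners the baseline does not expect. The baseline and the netstat sample are constructed here; trim the baseline to your deployment (HA role, eth1 present, version-dependent services) before using it on a live appliance.

```shell
#!/bin/sh
# Added example, not from the FortiNAC guide.

# Baseline built from the inbound / bi-directional rows of the port table
# (a constructed subset; adjust to the deployment).
EXPECTED_LISTENERS="tcp/22 tcp/80 tcp/443 tcp/1050 tcp/4568 tcp/5555 tcp/8080 tcp/8443 udp/67 udp/68 udp/162 udp/514 udp/1812 udp/1813 udp/4567"

# Constructed sample of "netstat -ln" output so the checks run offline.
# tcp/23 and udp/161 are included to show how unexpected listeners are flagged.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:4568            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1050            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:1812            0.0.0.0:*
udp        0      0 0.0.0.0:162             0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 0.0.0.0:4567            0.0.0.0:*'

# listeners_from_netstat: emit one "proto/port" per listening socket, sorted,
# folding tcp6/udp6 into tcp/udp and taking the port after the last ":".
listeners_from_netstat() {
    printf '%s\n' "$1" \
      | awk '$1 ~ /^(tcp|udp)6?$/ { n = split($4, a, ":"); print substr($1, 1, 3) "/" a[n] }' \
      | sort -u
}

# missing_listeners: baseline ports with no listener in the netstat text.
missing_listeners() {
    found=$(listeners_from_netstat "$1")
    out=""
    for p in $EXPECTED_LISTENERS; do
        printf '%s\n' "$found" | grep -qx "$p" || out="$out $p"
    done
    printf '%s\n' "${out# }"
}

# unexpected_listeners: listening sockets that are not in the baseline.
unexpected_listeners() {
    out=""
    for p in $(listeners_from_netstat "$1"); do
        case " $EXPECTED_LISTENERS " in *" $p "*) ;; *) out="$out $p" ;; esac
    done
    printf '%s\n' "${out# }"
}

# On a live appliance: missing_listeners "$(netstat -ln)"; unexpected_listeners "$(netstat -ln)"
```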

FortiNAC Open Port List

The table below lists ports that should be open to end users, and ports that need to be open for FortiNAC communications.

Port | Protocol | Description | Direction
------------------------------------------
All ports outbound | All | Used by Device Profiler to classify devices. Uses NMAP as one of the profiling choices. Also can use SNMP to profile. | eth0: Outbound; eth1: Outbound
UDP 21 | FTP | Product Updates | eth0: Outbound to internet
TCP 21 | FTP | Product Updates | eth0: Outbound to internet
TCP 22 | SSH | High Availability: MySQL replication from Primary Server to Secondary Server. Control Manager (M) eth0: Manage FortiNAC Servers | Primary Server eth0: Outbound to Secondary Server eth0; Bi-directional between Managed Servers eth0 and Manager eth0
TCP 23 | Telnet | Network Device Management | eth0: Outbound
UDP 53 | DNS | Name Service | eth0: Outbound; eth1: Inbound
TCP 53 | DNS | Name Service | eth0: Outbound; eth1: Inbound
UDP 67 | DHCP | eth0: DHCP Fingerprinting. eth1: Serving IP Addresses for Isolation Scopes | eth0: Inbound; eth1: Inbound
UDP 68 | DHCP | eth0: DHCP Fingerprinting. eth1: Serving IP Addresses for Isolation Scopes | eth0: Inbound; eth1: Outbound
TCP 80 | HTTP | Web Server (Portal) | eth0: Inbound; eth1: Inbound
TCP 22 | SFTP | Product Updates | eth0: Outbound to internet
UDP 123 | NTP | Time Service | eth0: Outbound
UDP 161 | SNMP | Network Device Management | eth0: Outbound (Bi-directional if FortiNAC is configured to respond to SNMP queries. See section SNMP of the Administration Guide.)
UDP 162 | SNMP Traps | Device Changes Notification (Mostly Host Access Notification) | eth0: Inbound
TCP 443 | HTTPS | Product Updates. Web Server (Portal) Secure HTTP. License Entitlements (fds1.fortinet.com). IoT data collection | eth0: Outbound to internet; eth1: Inbound
UDP 514 | Syslog | Device Change Notification and RTR (inbound). Logging of events to external server (outbound) | eth0: Bi-directional
TCP 514 | OFTP | Communication with FortiAnalyzer (Available in FortiNAC version 8.5 and higher) | eth0: Outbound
TCP 1050 | CORBA | High Availability. Server Communication (see the CORBA note below this table) | Bi-directional between Primary and Secondary Server eth0; Bi-directional between Managed Servers and Manager eth0
UDP 1645 | RADIUS | Host/User Authentication (Local RADIUS Server default) | eth0: Bi-directional
UDP 1812 | RADIUS | Host/User Authentication (Proxy RADIUS mode default) | eth0: Bi-directional
UDP 1813 | RADIUS Accounting | Host/User Authentication Changes and RTR (Proxy RADIUS Mode default) | eth0: Inbound
UDP 3799 | RADIUS CoA | Host/User Authentication Action (Moving/Removing) | eth0: Outbound
UDP 4567 | Agent Server | Persistent Agent Communication (No longer used by agent 5.x and above with NAC 8.2 and above – TCP 4568 only) | eth0: Bi-directional; eth1: Bi-directional
TCP 4568 | Agent Server | Used to establish the Persistent Agent Communication (SSL) connection (Used by agent 3.x and above) | eth0: Bi-directional; eth1: Bi-directional
TCP 5555 | Fortinet Server | Internally used by FortiNAC. High Availability | Bi-directional between Primary and Secondary Server eth0; Bi-directional between Managed Servers and Manager eth0
TCP 5986 (user modifiable) | WinRM | WMI profiling method (Available in FortiNAC version 8.5 and higher) | eth0 and eth1: Outbound
TCP 8000 | Private Protocol | Fortinet Security Fabric (FSSO) communications (Available in FortiNAC version 8.5 and higher) | eth0: Inbound
TCP 8443 | HTTPS | Web Server Secure HTTP (Admin UI). FortiGuard (globaldevquery.fortinet.net). (Versions 8.8.9, 9.1.3 and above) Control Manager (M): Manage FortiNAC Servers | eth0: Inbound; eth0: Outbound to internet; (Versions 8.8.9, 9.1.3 and above) Bi-directional between Managed Servers eth0 and Manager eth0
TCP 8080 | HTTP Alternative | Web Server (Admin UI) | eth0: Inbound
TCP 8180 | Analytics Server | Used to update/download the agent. | eth0: Inbound
TCP 8543 | Analytics Server | Used to transfer data to the Analytics Server and for queries from the web browser. | eth0: Bi-directional

Note: FortiNAC uses port 1050 for CORBA (Common Object Request Broker Architecture) Management for accessing server objects and for interprocess communication between FortiNAC subsystems and servers. When a requestor connects to this port, the appliance dynamically reassigns it to a port in the 30000-64000 range, so firewall rules between the servers must allow that range as well as port 1050.
