DOCUMENT LIBRARY

FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Introduction
- Getting Started
- Standalone, Center and Sensor operating mode
- FortiNDR traffic and files input types
- Files and malware scan flow using AV and ANN
- Planning deployment
- Initial setup
- Hardening
Dashboard
- NDR Overview
- Malware Overview
- System Status
- Custom dashboards
- Dashboard widgets in Center mode
Network Insights
- Device Inventory
- OT Devices
- Botnet
- FortiGuard IOC
- Network Attacks
- Weak/Vulnerable Communication
- Encrypted Attack
- Top talker
- Top application
- Top URL/Domain
- MITRE ATT&CK
- ML Discovery (Center and Standalone)
- Anomaly tab
- Connection tab
- Session tab
- Malware Attack Scenario
  - Attack scenario navigation and timeline
  - Understanding kill chain and scenario engine
- Malware Observed
Investigations (Center)
- Global query
- Advanced Query Language
Security Fabric
- Device Input
- Network Share
- Network Share Quarantine
- Cloud Storage
- Fabric Connectors
- Enforcement Settings
- Automation Framework
- Automation log
- FortiSandbox integration (FortiSandbox 4.0.1 and higher)
- FortiGate inline blocking (FOS 7.0.1 and higher)
- FortiGate integration (integrated mode with FOS 6.2 and higher)
Virtual Security Analyst
- Express Malware Analysis
- Outbreak Search
- Static Filter
- NDR Muting
- ML Configuration
- Malware Big Picture
- Device Enrichment (Standalone, Sensor and Center)
- Creating a Device Enrichment Profile
Netflow
- Netflow Dashboard
- Netflow Log
- Netflow ML discovery
- Netflow ML Configuration
Network
System
- Administrators
  - Password policy
- Admin Profiles
- Sensor/Center settings
- Firmware
- Settings
- SNMP
- Artifact Storage (Standalone and Sensor)
- FortiGuard
- Certificates
- High Availability (HA)
- Conserve Mode
- Backup or restore the system configuration
User & Authentication
- RADIUS Server
- LDAP Servers
- Creating remote wildcard administrators
Log & Report
- Malware Log
- NDR Log
- Events
- Daily Feature Learned
- Log Settings
- Alert Email Setting
- Email Alert Recipients
- NDR logs samples
- AV log samples
- NetFlow logs samples
Appendix A: API guide
Appendix B: Sample script to submit files
Appendix C: FortiNDR ports
Appendix D: FortiGuard updates
Appendix E: Event severity level by category
Appendix F: IPv6 support
Appendix G: Supported IPS (including OT), Application Control, and protocols
Appendix H: File types and protocols
Appendix I: Center Sensor Deployment
Appendix J: Custom IPS signatures
- Detection Logic and tuning
- Example configuration
Change Log

Home FortiNDR 7.6.3 Administration Guide

7.6.3

Appendix C: FortiNDR ports

FortiNDR requires the following ports.

Item	Protocol and port number	Direction
API submission, such as FortiSandbox	TCP 443	Inbound
Auto sample submit,	TCP 25	Outbound to fndr.fortinet.com
CLI	TCP 22	Inbound SSH
Data synchronization	TCP 20003	Inbound and outbound between FortiNDR units in an HA group.
DB synchronization	TCP 9561	Inbound and outbound between FortiNDR units in an HA group.
File synchronization	TCP 20002	Inbound and outbound between FortiNDR units in an HA group.
FortiGate quarantine	TCP 443	Outbound to FortiGate
FortiGuard update	TCP 443 TCP 8890 (When using FortiManager)	Initial outbound to: fai.fortinet.net globalupdate.fortinet.net (Default when Anycast is enabled) fds1.fortinet.com (When Anycast disabled) update.fortiguard.net (When Anycast disabled) For a complete list of the current FortiGuard update servers, use the CLI `diagnose fds list`. To enable/disable Anycast, please use the CLI `config system fortiguard update` and then set `anycast` to `disabled`. Please be aware this list of IPs can and will change over time without notice.
GUI	TCP 443	Inbound web browser
ICAP	TCP 1344, 11344	Inbound
IOC lookup	TCP 443 TCP 8888 (When using FortiManager)	Outbound to productapi.fortinet.com
IOT lookup	TCP 443	Outbound to globalguardservice.fortinet.net
Microsoft Active Directory	TCP 636,389	Inbound and outbound
NetFlow listen ports	UDP 2055,6343,9995	Inbound
Network File Share/PCAP Artifact Storage	TCP 139, 445, 2049 (NFS)	Outbound to file server
OFTP server	TCP 514	Inbound
Security Fabric with FortiGate	TCP 443	Outbound to root FortiGate for Security Fabric communication
Security Fabric with FortiGate	TCP 8013	Outbound to root FortiGate in Security Fabric
Sensor Center command communication	UDP 5566	Sensor to Center (SSL encrypted)
Sensor Center data synchronization	TCP 9094 9096	Sensor to Center (SSL encrypted)
SYSLOG	UDP 514	SYSLOG outbound
Web Filter query	UDP 53 TCP 8888 (When using FortiManager)	Outbound to service.fortiguard.net

Appendix C: FortiNDR ports

FortiNDR requires the following ports.

Item	Protocol and port number	Direction
API submission, such as FortiSandbox	TCP 443	Inbound
Auto sample submit,	TCP 25	Outbound to fndr.fortinet.com
CLI	TCP 22	Inbound SSH
Data synchronization	TCP 20003	Inbound and outbound between FortiNDR units in an HA group.
DB synchronization	TCP 9561	Inbound and outbound between FortiNDR units in an HA group.
File synchronization	TCP 20002	Inbound and outbound between FortiNDR units in an HA group.
FortiGate quarantine	TCP 443	Outbound to FortiGate
FortiGuard update	TCP 443 TCP 8890 (When using FortiManager)	Initial outbound to: fai.fortinet.net globalupdate.fortinet.net (Default when Anycast is enabled) fds1.fortinet.com (When Anycast disabled) update.fortiguard.net (When Anycast disabled) For a complete list of the current FortiGuard update servers, use the CLI `diagnose fds list`. To enable/disable Anycast, please use the CLI `config system fortiguard update` and then set `anycast` to `disabled`. Please be aware this list of IPs can and will change over time without notice.
GUI	TCP 443	Inbound web browser
ICAP	TCP 1344, 11344	Inbound
IOC lookup	TCP 443 TCP 8888 (When using FortiManager)	Outbound to productapi.fortinet.com
IOT lookup	TCP 443	Outbound to globalguardservice.fortinet.net
Microsoft Active Directory	TCP 636,389	Inbound and outbound
NetFlow listen ports	UDP 2055,6343,9995	Inbound
Network File Share/PCAP Artifact Storage	TCP 139, 445, 2049 (NFS)	Outbound to file server
OFTP server	TCP 514	Inbound
Security Fabric with FortiGate	TCP 443	Outbound to root FortiGate for Security Fabric communication
Security Fabric with FortiGate	TCP 8013	Outbound to root FortiGate in Security Fabric
Sensor Center command communication	UDP 5566	Sensor to Center (SSL encrypted)
Sensor Center data synchronization	TCP 9094 9096	Sensor to Center (SSL encrypted)
SYSLOG	UDP 514	SYSLOG outbound
Web Filter query	UDP 53 TCP 8888 (When using FortiManager)	Outbound to service.fortiguard.net

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

Administration Guide

Appendix C: FortiNDR ports

Appendix C: FortiNDR ports

Appendix C: FortiNDR ports

Appendix C: FortiNDR ports