Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSandbox 4.4.4 Administration Guide
    4.4.4
    5.0.0
    4.4.6
    4.4.5
    4.4.4
    4.4.3
    4.4.2
    4.4.1
    4.4.0
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.0.5
    4.0.4
    4.0.3
    4.0.2
    4.0.1
    4.0.0
    3.2.4
    3.2.3
    3.2.2
    3.2.1
    3.2.0
    3.1.5
    3.1.4
    3.1.3
    3.1.2
    3.1.1
    3.1.0
    3.0.7
    3.0.6

    Port and access control information

    Port and access control information

    This topic contains information about the default ports by interface as well as the endpoints that need to be reachable by FortiSandbox.

    Default Ports

    The following section provides information about ports by interface, ports by FortiSandbox model, and ports by configuration.

    *For more information, see Air Gapped Mode.

    Ports by interface

    The following table lists the services and ports for each FortiSandbox interface.

    Interface

    Services and Ports

    Port1 Default for inbound traffic for Administration TCP ports 22 (SSH), 23 (Telnet), 80 and 443 (GUI).
    Port3

    Reserved for the outgoing traffic initiated by the guest VMs.

    For effective detection of 0-day, we strongly suggest to directly connect Port3 to the Internet via a perimeter firewall. Also, make sure that connectivity is isolated from your Intranet (internal network) to prevent lateral movement. If connected directly to a FortiGate device, make sure that the egress WAN interface does not have the Scan Outgoing Connections to Botnet Sites feature enabled, nor any active security profiles as this can affect the detection rate.

    All ports except Port3

    Inbound:

    The following services define the ports for inbound:

    • File, URL and Traffic submission via OFTP (TCP) port 514.
    • MTA and BCC Adapter uses TCP port 25 for inbound submission.
    • ICAP Adapter TCP port 1344. The port number is configurable.
    • Administration TCP ports 80 and 443 if manually configured via CLI command set admin-port.
    • SNMP local query port TCP or UDP 161. The port number is configurable.

    Outbound:

    The following services define the ports for outbound. The interface of the services is based on the static route configuration:

    • FortiGuard Distribution Servers (FDS) TCP port 8890 for downloading database and engine updates.
    • FortiGuard Web Filtering UDP port 53 or 8888 for URL category check. For secure connection which is configurable under System > FortiGuard > FortiGuard Web Filter Settings, it uses TCP/53 & TCP/8888.
    • FortiSandbox VM Download TCP port 443 for downloading VM images.
    • FortiSandbox Community Cloud query both UDP port 53 or 8888 and TCP port 443 to query submissions by other FortiSandbox.
    • FortiSandbox Community Cloud submission TCP port 25, 465 or 587 to upload detected suspicious Zero-day detection information. It uses only one of the ports in sequence.

      All the ports are encrypted. FortiSandbox will attempt to connect to the ports in sequence with encryption. If the connection fails, FortiSandbox will re-attempt to connect in sequence without encryption.

    • FortiSandbox Windows Cloud VMs TCP port 514 to submit jobs to the Windows cloud VMs. License required.
    • FortiSandbox MAC Cloud VMs TCP port 443 to submit jobs to the MAC cloud VMs. License required.
    • Mail server port TCP 25, DNS server port UDP 53, remote Syslog server port TCP or UDP 514, LDAP server port TCP 389, SNMP managers port TCP or UDP 162, and NTP server port UDP 123. Make sure to check the Static Route configuration for the gateway and outgoing port to use. Also, the port number for the following are configurable: Mail, Remote Syslog, LDAP, SNMP.

    • CIFS (SMB v1.0, v2.0, v2.1, v3.0): TCP Port 445

    • NFSv2, NFSv3, NFSv4: TCP Port 2049

    • Azure File Share: TCP Port 445

    • AWS S3, AWS S3 BJ, AWS S3 NX, Azure Blob Storage: TCP Port 443

    • Log Servers

      • FortiAnalyzer: TCP/514

      • Syslog: TCP and UDP/514
    Cluster ports (all other ports except Port1 and Port3) In cluster mode, FortiSandbox uses TCP ports 2015 and 2018 for cluster internal communication. If the unit works as a Collector to receive threat information from other units, it uses TCP port 2443.
    Note

    All ports mentioned above are the same for both IPv4 and IPv6 protocols.

    For redundancy and increase throughput, consider setting up Aggregate interface. See, Create an aggregate interface.

    For any outgoing traffic, FortiSandbox uses a random port picked by the kernel.

    You can dynamically change the system firewall rules using the iptables CLI command. However, the updated rules will be lost after a system reboot.

    The following table lists the available ports for each FortiSandbox model.

    Interface Type

    3000F/3000E/2000E/1500G

    1000F

    500G/500F
    RJ45 Port 1-4 Port 1-4 Port 1-4
    SFP GbE Port 5-8
    SFP+ Port 5-6

    Access Control List

    The table below provides the default servers and options when configured. For further info on the services, refer to the notes column. We recommend periodically checking these entries for changes.

    Services Destination Notes
    FortiGuard Distribution Network (FDN)
    Database and Engine Download

    fds1.fortinet.com:8890/TCP

    When configured to override region:

    • Nearest: fds1.fortinet.com:8890/TCP

    • US Region: usfds1.fortinet.com:8890/TCP

    • Global: globalupdate.fortinet.net:443/TCP

      When using Global as FDN Server Location, FortiSandbox queries global FDN server with https port 443

    Default is Nearest. Configurable.

    For more information, see FortiGuard > FortiGuard Server Location in the FortiSandbox Administration Guide.

    Web Filtering Service

    securewf.fortiguard.net:53|8888/TCP

    When configured to override region:

    53|443|8888/TCP List of FQDN and IP Addresses:

    • Nearest: securewf.fortiguard.net
    • Europe: 149.5.232.18
    • US Region: ussecurewf.fortiguard.net or 12.34.97.18 or 140.174.22.68
    • Japan: 210.7.96.18
    • Global: securewf.fortiguard.net or 173.243.138.210

    Default is Nearest.

    .IP address is valid when Secure Connection is enabled.

    When Secure Connection under FortiGuard Web Filter Settings is disabled, replace the TCP with UDP.

    For more information, see FortiGuard > Secure Connection in the FortiSandbox Administration Guide.

    FortiSandbox
    Community Cloud Query fqsvr.fortinet.net:53/UDP

    For more information, see Scan Profile Advanced Tab > Community Cloud Query.

    Available only in Global (Canada).

    Community Cloud Upload

    fortinetvirussubmit.com:25/TCP

    or

    465/TCP or 587/TCP

    For more information, see Scan Profile Advanced Tab > Upload malicious and suspicious file in the FortiSandbox Administration Guide.

    Available only in Global (Canada).

    Rating Cloud Service (RSE) fqdl.fortinet.net:443/TCP

    For more information, see Scan Profile Advanced Tab > Enable Rating Cloud Service.

    Available only in Global (Canada).

    Windows Cloud VM Service

    aptctrl1.fortinet.com:443/TCP

    or

    514/TCP List of IP Addresses:

    • Europe: 83.231.212.128/25, 154.45.1.0/24, 154.52.11.0/24

    • US Region: 208.184.237.0/24, 209.222.141.128/26

    • Japan: 210.7.96.0/24, 154.52.7.0/24

    • Global: 173.243.139.0/24, 184.94.112.0/24, 154.52.26.0/24

    Initially download a list of IP via the APTCTRL1 as configured on WindowsCloudVM Settings.

    For more information, see FortiGuard > WindowsCloudVM Settings in the FortiSandbox Administration Guide.

    macOS Cloud VM Service mac.fortisandbox.net:443/TCP or mac2.fortisandbox.net:443/TCP Available only in Global (Canada).
    VM Images Service fsavm.fortinet.net:443/TCP Uses GeoIP to select between two regions for faster download speed of the VM images. Available in Global (Canada) and Germany.

    Real-Time Zero-Day Anti-Phishing Service Settings

    canwest.ucs.fortiguard.com:443/TCP

    • 154.52.1.45:443/TCP

    Download a list of IPs via the canwest.ucs.fortiguard.com.

    For more information, see Scan Profile Advanced Tab > Enable Real-time Zero-Day Anti-Phishing Service

    Previous
    Next

    Port and access control information

    Port and access control information

    This topic contains information about the default ports by interface as well as the endpoints that need to be reachable by FortiSandbox.

    Default Ports

    The following section provides information about ports by interface, ports by FortiSandbox model, and ports by configuration.

    *For more information, see Air Gapped Mode.

    Ports by interface

    The following table lists the services and ports for each FortiSandbox interface.

    Interface

    Services and Ports

    Port1 Default for inbound traffic for Administration TCP ports 22 (SSH), 23 (Telnet), 80 and 443 (GUI).
    Port3

    Reserved for the outgoing traffic initiated by the guest VMs.

    For effective detection of 0-day, we strongly suggest to directly connect Port3 to the Internet via a perimeter firewall. Also, make sure that connectivity is isolated from your Intranet (internal network) to prevent lateral movement. If connected directly to a FortiGate device, make sure that the egress WAN interface does not have the Scan Outgoing Connections to Botnet Sites feature enabled, nor any active security profiles as this can affect the detection rate.

    All ports except Port3

    Inbound:

    The following services define the ports for inbound:

    • File, URL and Traffic submission via OFTP (TCP) port 514.
    • MTA and BCC Adapter uses TCP port 25 for inbound submission.
    • ICAP Adapter TCP port 1344. The port number is configurable.
    • Administration TCP ports 80 and 443 if manually configured via CLI command set admin-port.
    • SNMP local query port TCP or UDP 161. The port number is configurable.

    Outbound:

    The following services define the ports for outbound. The interface of the services is based on the static route configuration:

    • FortiGuard Distribution Servers (FDS) TCP port 8890 for downloading database and engine updates.
    • FortiGuard Web Filtering UDP port 53 or 8888 for URL category check. For secure connection which is configurable under System > FortiGuard > FortiGuard Web Filter Settings, it uses TCP/53 & TCP/8888.
    • FortiSandbox VM Download TCP port 443 for downloading VM images.
    • FortiSandbox Community Cloud query both UDP port 53 or 8888 and TCP port 443 to query submissions by other FortiSandbox.
    • FortiSandbox Community Cloud submission TCP port 25, 465 or 587 to upload detected suspicious Zero-day detection information. It uses only one of the ports in sequence.

      All the ports are encrypted. FortiSandbox will attempt to connect to the ports in sequence with encryption. If the connection fails, FortiSandbox will re-attempt to connect in sequence without encryption.

    • FortiSandbox Windows Cloud VMs TCP port 514 to submit jobs to the Windows cloud VMs. License required.
    • FortiSandbox MAC Cloud VMs TCP port 443 to submit jobs to the MAC cloud VMs. License required.
    • Mail server port TCP 25, DNS server port UDP 53, remote Syslog server port TCP or UDP 514, LDAP server port TCP 389, SNMP managers port TCP or UDP 162, and NTP server port UDP 123. Make sure to check the Static Route configuration for the gateway and outgoing port to use. Also, the port number for the following are configurable: Mail, Remote Syslog, LDAP, SNMP.

    • CIFS (SMB v1.0, v2.0, v2.1, v3.0): TCP Port 445

    • NFSv2, NFSv3, NFSv4: TCP Port 2049

    • Azure File Share: TCP Port 445

    • AWS S3, AWS S3 BJ, AWS S3 NX, Azure Blob Storage: TCP Port 443

    • Log Servers

      • FortiAnalyzer: TCP/514

      • Syslog: TCP and UDP/514
    Cluster ports (all other ports except Port1 and Port3) In cluster mode, FortiSandbox uses TCP ports 2015 and 2018 for cluster internal communication. If the unit works as a Collector to receive threat information from other units, it uses TCP port 2443.
    Note

    All ports mentioned above are the same for both IPv4 and IPv6 protocols.

    For redundancy and increase throughput, consider setting up Aggregate interface. See, Create an aggregate interface.

    For any outgoing traffic, FortiSandbox uses a random port picked by the kernel.

    You can dynamically change the system firewall rules using the iptables CLI command. However, the updated rules will be lost after a system reboot.

    The following table lists the available ports for each FortiSandbox model.

    Interface Type

    3000F/3000E/2000E/1500G

    1000F

    500G/500F
    RJ45 Port 1-4 Port 1-4 Port 1-4
    SFP GbE Port 5-8
    SFP+ Port 5-6

    Access Control List

    The table below provides the default servers and options when configured. For further info on the services, refer to the notes column. We recommend periodically checking these entries for changes.

    Services Destination Notes
    FortiGuard Distribution Network (FDN)
    Database and Engine Download

    fds1.fortinet.com:8890/TCP

    When configured to override region:

    • Nearest: fds1.fortinet.com:8890/TCP

    • US Region: usfds1.fortinet.com:8890/TCP

    • Global: globalupdate.fortinet.net:443/TCP

      When using Global as FDN Server Location, FortiSandbox queries global FDN server with https port 443

    Default is Nearest. Configurable.

    For more information, see FortiGuard > FortiGuard Server Location in the FortiSandbox Administration Guide.

    Web Filtering Service

    securewf.fortiguard.net:53|8888/TCP

    When configured to override region:

    53|443|8888/TCP List of FQDN and IP Addresses:

    • Nearest: securewf.fortiguard.net
    • Europe: 149.5.232.18
    • US Region: ussecurewf.fortiguard.net or 12.34.97.18 or 140.174.22.68
    • Japan: 210.7.96.18
    • Global: securewf.fortiguard.net or 173.243.138.210

    Default is Nearest.

    .IP address is valid when Secure Connection is enabled.

    When Secure Connection under FortiGuard Web Filter Settings is disabled, replace the TCP with UDP.

    For more information, see FortiGuard > Secure Connection in the FortiSandbox Administration Guide.

    FortiSandbox
    Community Cloud Query fqsvr.fortinet.net:53/UDP

    For more information, see Scan Profile Advanced Tab > Community Cloud Query.

    Available only in Global (Canada).

    Community Cloud Upload

    fortinetvirussubmit.com:25/TCP

    or

    465/TCP or 587/TCP

    For more information, see Scan Profile Advanced Tab > Upload malicious and suspicious file in the FortiSandbox Administration Guide.

    Available only in Global (Canada).

    Rating Cloud Service (RSE) fqdl.fortinet.net:443/TCP

    For more information, see Scan Profile Advanced Tab > Enable Rating Cloud Service.

    Available only in Global (Canada).

    Windows Cloud VM Service

    aptctrl1.fortinet.com:443/TCP

    or

    514/TCP List of IP Addresses:

    • Europe: 83.231.212.128/25, 154.45.1.0/24, 154.52.11.0/24

    • US Region: 208.184.237.0/24, 209.222.141.128/26

    • Japan: 210.7.96.0/24, 154.52.7.0/24

    • Global: 173.243.139.0/24, 184.94.112.0/24, 154.52.26.0/24

    Initially download a list of IP via the APTCTRL1 as configured on WindowsCloudVM Settings.

    For more information, see FortiGuard > WindowsCloudVM Settings in the FortiSandbox Administration Guide.

    macOS Cloud VM Service mac.fortisandbox.net:443/TCP or mac2.fortisandbox.net:443/TCP Available only in Global (Canada).
    VM Images Service fsavm.fortinet.net:443/TCP Uses GeoIP to select between two regions for faster download speed of the VM images. Available in Global (Canada) and Germany.

    Real-Time Zero-Day Anti-Phishing Service Settings

    canwest.ucs.fortiguard.com:443/TCP

    • 154.52.1.45:443/TCP

    Download a list of IPs via the canwest.ucs.fortiguard.com.

    For more information, see Scan Profile Advanced Tab > Enable Real-time Zero-Day Anti-Phishing Service

    Previous
    Next