
External Systems Configuration Guide

FortiSIEM External Ports

This chapter describes the external communication ports needed for the various FortiSIEM nodes to work. The ports are broken down by node role: Supervisor, Worker, and Collector. Each table lists the source and destination of a connection, whether it is inbound to or outbound from the node in question, the protocol and port, and the service that uses it.

Supervisor Communication

| From | To | Inbound or Outbound | Ports | Services |
| --- | --- | --- | --- | --- |
| FortiSIEM Management User | Supervisor | Inbound | TCP/22 | Admin access via SSH |
| FortiSIEM Management User | Supervisor | Inbound | ICMP | Monitoring via ICMP |
| FortiSIEM Management User | Supervisor | Inbound | TCP/443 | GUI access via HTTPS |
| Collector, Worker, Windows Agent, Linux Agent | Supervisor | Inbound | TCP/443 | REST API access via HTTPS |
| Worker | Supervisor | Inbound | TCP/5432 | PostgreSQL |
| Supervisor | Report Server | Outbound | TCP/5432 | PostgreSQL (report loading) |
| Worker | Supervisor | Inbound | TCP/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement |
| Worker | Supervisor | Inbound | TCP/7900 | phMonitorWorker to phMonitorSuper communication |
| Supervisor | Worker | Outbound | TCP/7900 | phMonitorSuper to phMonitorWorker communication |
| Worker | Supervisor | Inbound | TCP/7918 | phQueryWorker to phQueryMaster communication |
| Supervisor | Worker | Outbound | TCP/7916 | phQueryMaster to phQueryWorker communication |
| Worker | Supervisor | Inbound | TCP/7922 | phRuleWorker to phRuleMaster communication |
| Supervisor 5.3 | Worker | Outbound | TCP/7920 | phQueryMaster to phDataManager for trigger event query |
| Worker | Supervisor | Inbound | TCP/7934 | phReportWorker to phReportMaster communication |
| Worker | Supervisor | Inbound | TCP/7938 | phIdentityWorker to phIpIdentityMaster |
| Supervisor | Worker | Outbound | TCP/6666 | Redis communication |
| Supervisor | External Device | Outbound | UDP/161 | SNMP based monitoring |
| External Device | Supervisor | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via FTP) |
| External Device | Supervisor | Inbound | UDP/162 | SNMP trap |
| External Device | Supervisor | Inbound | UDP/514 | UDP syslog |
| External Device | Supervisor | Inbound | TCP/514 | TCP syslog |
| External Device | Supervisor | Inbound | SSL/6514 | Syslog over TLS |
| External Device | Supervisor | Inbound | UDP/2055 | NetFlow |
| Supervisor | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection |
| Supervisor | External Devices | Outbound | TCP/389 | LDAP discovery |
| Supervisor | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection |
| Supervisor | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection |
| Supervisor | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection |
| Supervisor | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection |
| Supervisor | External Device | Outbound | TCP/443 | HTTPS based log collection |
| Supervisor | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM) |
| Supervisor | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM) |
| Supervisor | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM) |
| Supervisor | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM) |
| Supervisor | Mail Gateway | Outbound | TCP/SMTP | Sending email notification |
| Supervisor | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments |
| Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments |
| Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9300 or HTTPS/443 (configurable) | Querying events for Elasticsearch based deployments |
| Supervisor | Spark Master Node | Outbound | HTTPS/7077 (configurable) | Querying events for HDFS based deployments |
| Supervisor | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments |

Worker Communication

| From | To | Inbound or Outbound | Ports | Services |
| --- | --- | --- | --- | --- |
| FortiSIEM Management User | Worker | Inbound | TCP/22 | Admin access via SSH |
| FortiSIEM Management User | Worker | Inbound | ICMP | ICMP |
| Collector | Worker | Inbound | TCP/443 | REST API access via HTTPS |
| Worker | Supervisor | Outbound | TCP/5432 | PostgreSQL |
| Worker | Supervisor | Outbound | TCP/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement |
| Worker | Supervisor | Outbound | TCP/7900 | phMonitorWorker to phMonitorSuper communication |
| Supervisor | Worker | Inbound | TCP/7900 | phMonitorSuper to phMonitorWorker communication |
| Worker | Supervisor | Outbound | TCP/7918 | phQueryWorker to phQueryMaster communication |
| Supervisor | Worker 5.3 | Inbound | TCP/7916 | phQueryMaster to phQueryWorker communication |
| Worker | Supervisor | Outbound | TCP/7922 | phRuleWorker to phRuleMaster communication |
| Worker | Supervisor | Outbound | SSL/7922 | phRuleWorker to phRuleMaster communication |
| Supervisor 5.3 | Worker | Inbound | TCP/7920 | phQueryMaster to phDataManager for trigger event query |
| Worker | Supervisor | Outbound | TCP/7934 | phReportWorker to phReportMaster communication |
| Worker | Supervisor | Outbound | TCP/7938 | phIdentityWorker to phIpIdentityMaster |
| Supervisor | Worker | Inbound | TCP/6666 | Redis communication |
| Worker | External Device | Outbound | UDP/161 | SNMP based monitoring |
| External Device | Worker | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via FTP) |
| External Device | Worker | Inbound | UDP/162 | SNMP trap |
| External Device | Worker | Inbound | UDP/514 | UDP syslog |
| External Device | Worker | Inbound | TCP/514 | TCP syslog |
| External Device | Worker | Inbound | SSL/6514 | Syslog over TLS |
| External Device | Worker | Inbound | UDP/2055 | NetFlow |
| Worker | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection |
| Worker | External Devices | Outbound | TCP/389 | LDAP discovery |
| Worker | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection |
| Worker | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection |
| Worker | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection |
| Worker | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection |
| Worker | External Device | Outbound | TCP/443 | HTTPS based log collection |
| Worker | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM) |
| Worker | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM) |
| Worker | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM) |
| Worker | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM) |
| Worker | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments |
| Worker | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments |
| Worker | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments |

Collector Communication

| From | To | Inbound or Outbound | Ports | Services |
| --- | --- | --- | --- | --- |
| FortiSIEM Management User | Collector | Inbound | TCP/22 | Admin access via SSH |
| FortiSIEM Management User | Collector | Inbound | ICMP | ICMP |
| Collector | Collector | Outbound | TCP/443 | REST API access via HTTPS |
| Collector | Supervisor | Outbound | TCP/443 | REST API access via HTTPS |
| Collector | External Device | Outbound | UDP/161 | SNMP based monitoring |
| External Device | Collector | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via FTP) |
| External Device | Collector | Inbound | UDP/162 | SNMP trap |
| External Device | Collector | Inbound | UDP/514 | UDP syslog |
| External Device | Collector | Inbound | TCP/514 | TCP syslog |
| External Device | Collector | Inbound | SSL/6514 | Syslog over TLS |
| External Device | Collector | Inbound | UDP/2055 | NetFlow |
| Collector | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection |
| Collector | External Devices | Outbound | TCP/389 | LDAP discovery |
| Collector | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection |
| Collector | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection |
| Collector | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection |
| Collector | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection |
| Collector | External Device | Outbound | TCP/443 | HTTPS based log collection |
| Collector | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM) |
| Collector | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM) |
| Collector | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM) |
| Collector | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM) |
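The tables above are the allow-list an operator wants to enforce on each node: nothing should listen externally that the table does not require, and plaintext ingestion listeners (FTP, UDP/TCP syslog) only need to be open when a device actually sends on them. The following script is an added example and not part of Fortinet's guide: it transcribes the Inbound rows of the three tables into a per-role set, parses `ss -lntu` output from a node, and reports missing, unexpected and plaintext listeners, then emits a matching firewalld allow-list. The `ss` capture is constructed for the example, the use of firewalld as the host firewall is an assumption, and loopback-only sockets are skipped because they are not reachable from other nodes.

```python
"""Audit a FortiSIEM node's listening sockets against the inbound port tables.

Added example, not Fortinet's code. EXPECTED_INBOUND is transcribed from the
Inbound rows of the Supervisor, Worker and Collector tables; SS_SAMPLE is a
constructed `ss -lntu` capture.
"""

# Inbound listeners per node role as (protocol, port). ICMP has no port and is
# left out; SSL/6514 is a TCP socket at the transport level; TCP/443 appears in
# several Supervisor rows but is a single listener.
EXPECTED_INBOUND = {
    "supervisor": {
        ("tcp", 22), ("tcp", 443), ("tcp", 5432), ("tcp", 7914), ("tcp", 7900),
        ("tcp", 7918), ("tcp", 7922), ("tcp", 7934), ("tcp", 7938),
        ("tcp", 21), ("udp", 162), ("udp", 514), ("tcp", 514), ("tcp", 6514),
        ("udp", 2055),
    },
    "worker": {
        ("tcp", 22), ("tcp", 443), ("tcp", 7900), ("tcp", 7916), ("tcp", 7920),
        ("tcp", 6666), ("tcp", 21), ("udp", 162), ("udp", 514), ("tcp", 514),
        ("tcp", 6514), ("udp", 2055),
    },
    "collector": {
        ("tcp", 22), ("tcp", 21), ("udp", 162), ("udp", 514), ("tcp", 514),
        ("tcp", 6514), ("udp", 2055),
    },
}

# Listeners the table allows but which carry logs in the clear; flag them so the
# operator can confirm a source really uses them.
PLAINTEXT_INGEST = {("tcp", 21), ("udp", 514), ("tcp", 514)}

LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_ss(text):
    """Parse `ss -lntu` output into a set of externally reachable (proto, port).

    The header line and loopback-bound sockets are dropped: the header has no
    numeric port, and loopback sockets are not reachable from other nodes.
    """
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # works for "[::]:443" and "0.0.0.0:22"
        if not port.isdigit() or addr.startswith(LOOPBACK_PREFIXES):
            continue
        listeners.add((proto, int(port)))
    return listeners


def audit(role, listeners):
    """Compare observed listeners with the table for `role`.

    Returns what the table expects but is absent, what is open but not in the
    table (a candidate for removal or a firewall block), and which plaintext
    ingestion listeners are open.
    """
    expected = EXPECTED_INBOUND[role]
    return {
        "missing": expected - listeners,
        "unexpected": listeners - expected,
        "plaintext_open": listeners & PLAINTEXT_INGEST,
    }


def firewalld_commands(role):
    """Permanent firewalld allow-list for `role`, one command per table row."""
    return [
        f"firewall-cmd --permanent --add-port={port}/{proto}"
        for proto, port in sorted(EXPECTED_INBOUND[role], key=lambda p: (p[1], p[0]))
    ]


# Constructed capture from a Collector: NetFlow (udp/2055) is not listening, a
# stray tcp/8888 service is exposed, and PostgreSQL is bound to loopback only.
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:21        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:162       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:514       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:514       0.0.0.0:*
tcp   LISTEN 0      128             [::]:6514         [::]:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8888      0.0.0.0:*
"""

if __name__ == "__main__":
    result = audit("collector", parse_ss(SS_SAMPLE))
    for key, ports in result.items():
        print(f"{key}: {sorted(ports)}")
    print("\n".join(firewalld_commands("collector")))
```

On a real node, replace `SS_SAMPLE` with the output of `ss -lntu` and pick the role from the three tables; the generated `firewall-cmd` lines need a `firewall-cmd --reload` afterwards to take effect. Outbound rows are deliberately not encoded: they are enforced on the far side (the external device, database or storage node) or on the network firewall between zones, not as listeners on the FortiSIEM node.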
