External Systems Configuration Guide

FortiSIEM External Ports

This chapter describes the external communication ports that the various FortiSIEM nodes need in order to work. The ports are broken down into Supervisor, Worker, and Collector communication.

Supervisor Communication

| From | To | Inbound or Outbound | Ports | Services |
|---|---|---|---|---|
| FortiSIEM Management User | Supervisor | Inbound | TCP/22 | Admin access via SSH |
| FortiSIEM Management User | Supervisor | Inbound | ICMP | Monitoring via ICMP |
| FortiSIEM Management User | Supervisor | Inbound | TCP/443 | GUI access via HTTPS |
| Collector, Worker, Windows Agent, Linux Agent | Supervisor | Inbound | TCP/443 | REST API access via HTTPS |
| Worker | Supervisor | Inbound | TCP/5432 | PostgreSQL |
| Supervisor | Report Server | Outbound | TCP/5432 | PostgreSQL (report loading) |
| Worker | Supervisor | Inbound | TCP/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement |
| Worker | Supervisor | Inbound | TCP/7900 | phMonitorWorker to phMonitorSuper communication |
| Supervisor | Worker | Outbound | TCP/7900 | phMonitorSuper to phMonitorWorker communication |
| Worker | Supervisor | Inbound | TCP/7918 | phQueryWorker to phQueryMaster communication |
| Supervisor | Worker | Outbound | TCP/7916 | phQueryMaster to phQueryWorker communication |
| Worker | Supervisor | Inbound | TCP/7922 | phRuleWorker to phRuleMaster communication |
| Supervisor 5.3 | Worker | Outbound | TCP/7920 | phQueryMaster to phDataManager for trigger event query |
| Worker | Supervisor | Inbound | TCP/7934 | phReportWorker to phReportMaster communication |
| Worker | Supervisor | Inbound | TCP/7938 | phIdentityWorker to phIpIdentityMaster |
| Supervisor | Worker | Outbound | TCP/6666 | Redis communication |
| Supervisor | External Device | Outbound | UDP/161 | SNMP based monitoring |
| External Device | Supervisor | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via FTP) |
| External Device | Supervisor | Inbound | UDP/162 | SNMP Trap |
| External Device | Supervisor | Inbound | UDP/514 | UDP syslog |
| External Device | Supervisor | Inbound | TCP/514 | TCP syslog |
| External Device | Supervisor | Inbound | SSL/6514 | Syslog over TLS |
| External Device | Supervisor | Inbound | UDP/2055 | NetFlow |
| Supervisor | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection |
| Supervisor | External Devices | Outbound | TCP/389 | LDAP discovery |
| Supervisor | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection |
| Supervisor | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection |
| Supervisor | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection |
| Supervisor | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection |
| Supervisor | External Device | Outbound | TCP/443 | HTTPS based log collection |
| Supervisor | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM) |
| Supervisor | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM) |
| Supervisor | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM) |
| Supervisor | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM) |
| Supervisor | Mail Gateway | Outbound | TCP/SMTP | Sending email notification |
| Supervisor | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments |
| Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments |
| Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9300 or HTTPS/443 (configurable) | Querying events for Elasticsearch based deployments |
| Supervisor | Spark Master Node | Outbound | HTTPS/7077 (configurable) | Querying events for HDFS based deployments |
| Supervisor | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments |

Worker Communication

| From | To | Inbound or Outbound | Ports | Services |
|---|---|---|---|---|
| FortiSIEM Management User | Worker | Inbound | TCP/22 | Admin access via SSH |
| FortiSIEM Management User | Worker | Inbound | ICMP | Monitoring via ICMP |
| Collector | Worker | Inbound | TCP/443 | REST API access via HTTPS |
| Worker | Supervisor | Outbound | TCP/5432 | PostgreSQL |
| Worker | Supervisor | Outbound | TCP/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement |
| Worker | Supervisor | Outbound | TCP/7900 | phMonitorWorker to phMonitorSuper communication |
| Supervisor | Worker | Inbound | TCP/7900 | phMonitorSuper to phMonitorWorker communication |
| Worker | Supervisor | Outbound | TCP/7918 | phQueryWorker to phQueryMaster communication |
| Supervisor | Worker 5.3 | Inbound | TCP/7916 | phQueryMaster to phQueryWorker communication |
| Worker | Supervisor | Outbound | TCP/7922 | phRuleWorker to phRuleMaster communication |
| Worker | Supervisor | Outbound | SSL/7922 | phRuleWorker to phRuleMaster communication |
| Supervisor 5.3 | Worker | Inbound | TCP/7920 | phQueryMaster to phDataManager for trigger event query |
| Worker | Supervisor | Outbound | TCP/7934 | phReportWorker to phReportMaster communication |
| Worker | Supervisor | Outbound | TCP/7938 | phIdentityWorker to phIpIdentityMaster |
| Supervisor | Worker | Inbound | TCP/6666 | Redis communication |
| Worker | External Device | Outbound | UDP/161 | SNMP based monitoring |
| External Device | Worker | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via FTP) |
| External Device | Worker | Inbound | UDP/162 | SNMP Trap |
| External Device | Worker | Inbound | UDP/514 | UDP syslog |
| External Device | Worker | Inbound | TCP/514 | TCP syslog |
| External Device | Worker | Inbound | SSL/6514 | Syslog over TLS |
| External Device | Worker | Inbound | UDP/2055 | NetFlow |
| Worker | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection |
| Worker | External Devices | Outbound | TCP/389 | LDAP discovery |
| Worker | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection |
| Worker | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection |
| Worker | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection |
| Worker | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection |
| Worker | External Device | Outbound | TCP/443 | HTTPS based log collection |
| Worker | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM) |
| Worker | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM) |
| Worker | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM) |
| Worker | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM) |
| Worker | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments |
| Worker | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments |
| Worker | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments |

Collector Communication

| From | To | Inbound or Outbound | Ports | Services |
|---|---|---|---|---|
| FortiSIEM Management User | Collector | Inbound | TCP/22 | Admin access via SSH |
| FortiSIEM Management User | Collector | Inbound | ICMP | Monitoring via ICMP |
| Collector | Collector | Outbound | TCP/443 | REST API access via HTTPS |
| Collector | Supervisor | Outbound | TCP/443 | REST API access via HTTPS |
| Collector | External Device | Outbound | UDP/161 | SNMP based monitoring |
| External Device | Collector | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via FTP) |
| External Device | Collector | Inbound | UDP/162 | SNMP Trap |
| External Device | Collector | Inbound | UDP/514 | UDP syslog |
| External Device | Collector | Inbound | TCP/514 | TCP syslog |
| External Device | Collector | Inbound | SSL/6514 | Syslog over TLS |
| External Device | Collector | Inbound | UDP/2055 | NetFlow |
| Collector | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection |
| Collector | External Devices | Outbound | TCP/389 | LDAP discovery |
| Collector | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection |
| Collector | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection |
| Collector | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection |
| Collector | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection |
| Collector | External Device | Outbound | TCP/443 | HTTPS based log collection |
| Collector | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM) |
| Collector | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM) |
| Collector | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM) |
| Collector | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM) |
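As an added audit check (not part of the Fortinet guide), the following Python script compares a node's actual listening sockets against the Inbound rows of the three tables above for its role, flagging listeners the guide does not document and documented ones that are absent. It assumes the `ss -Hlntu` output format from iproute2; the sample output for a Collector is constructed.

```python
import re

# Expected inbound listeners per node role, transcribed from the tables above
# (only "Inbound" rows; ICMP has no port and is omitted; SSL/6514 is TCP).
LOG_INTAKE = {("tcp", 21), ("udp", 162), ("udp", 514), ("tcp", 514),
              ("tcp", 6514), ("udp", 2055)}
EXPECTED_INBOUND = {
    "supervisor": LOG_INTAKE | {("tcp", 22), ("tcp", 443), ("tcp", 5432),
                                ("tcp", 7900), ("tcp", 7914), ("tcp", 7918),
                                ("tcp", 7922), ("tcp", 7934), ("tcp", 7938)},
    "worker": LOG_INTAKE | {("tcp", 22), ("tcp", 443), ("tcp", 6666),
                            ("tcp", 7900), ("tcp", 7916), ("tcp", 7920)},
    "collector": LOG_INTAKE | {("tcp", 22)},
}

# One line of `ss -Hlntu`: Netid State Recv-Q Send-Q Local:Port Peer:Port
SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")

def parse_listeners(ss_output):
    """Return the set of (proto, port) sockets the host is listening on."""
    found = set()
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            found.add((m.group(1), int(m.group(3))))
    return found

def audit(role, ss_output):
    """Listeners not documented for this role, and documented ones absent."""
    expected = EXPECTED_INBOUND[role]
    actual = parse_listeners(ss_output)
    return {"unexpected": sorted(actual - expected),
            "missing": sorted(expected - actual)}

# Constructed sample of `ss -Hlntu` output from a hypothetical Collector:
# port 8080 is not in the Collector table and FTP (TCP/21) is not listening.
SAMPLE_COLLECTOR_SS = """\
tcp   LISTEN 0      128    0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:514     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:6514    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:514     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:162     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:2055    0.0.0.0:*
"""

if __name__ == "__main__":
    for kind, ports in audit("collector", SAMPLE_COLLECTOR_SS).items():
        print(kind, ports)  # unexpected [('tcp', 8080)] / missing [('tcp', 21)]
```

On a live node, pipe `ss -Hlntu` into `parse_listeners` instead of the sample; an "unexpected" listener is a candidate for firewalling, and a "missing" one means a documented intake path is not actually available.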