Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

FortiSIEM External Ports

This chapter describes the external communication ports needed for various FortiSIEM nodes to work. The ports are broken down for:

Supervisor Communication

From

To

Inbound or Outbound

Ports

Services

FortiSIEM Management User

Supervisor

Inbound

TCP/22

Admin access via SSH

FortiSIEM Management User

Supervisor

Inbound

ICMP

Monitoring via ICMP

FortiSIEM Management User

Supervisor

Inbound

TCP/443

GUI access via HTTPS

Collector, Worker, Windows Agent, Linux Agent

Supervisor

Inbound

TCP/443

REST API access via HTTPS

Worker

Supervisor

Inbound

TCP/5432

PostGreSQL

Supervisor

Report Server

Outbound

TCP/5432

PostGreSQL (report loading)

Worker

Supervisor

Inbound

TCP/7914

phParser on Worker to phParser on Supervisor for EPS enforcement

Worker

Supervisor

Inbound

TCP/7900

phMonitorWorker to phMonitorSuper communication

Supervisor

Worker

Outbound

TCP/7900

phMonitorSuper to phMonitorWorker Communication

Worker

Supervisor

Inbound

TCP/7918

phQueryWorker to phQueryMaster Communication

Supervisor

Worker

Outbound

TCP/7916

phQueryMaster to phQueryWorker communication

Worker

Supervisor

Inbound

TCP/7922

phRuleWorker to phRuleMaster communication

Supervisor 5.3

Worker

Outbound

TCP/7920

phQueryMaster to phDataManager for trigger event query

Worker

Supervisor

Inbound

TCP/7934

phReportWorker to phReportMaster Communication

Worker

Supervisor

Inbound

TCP/7938

phIdentityWorker to phIpIdentityMaster

Supervisor

Worker

Outbound

TCP/6666

Redis communication

Supervisor

External Device

Outbound

UDP/161

SNMP based monitoring

External Device

Supervisor

Inbound

TCP/21

FTP (for receiving Bluecoat logs via ftp)

External Device

Supervisor

Inbound

UDP/162

SNMP Trap

External Device

Supervisor

Inbound

UDP/514

UDP syslog

External Device

Supervisor

Inbound

TCP/514

TCP syslog

External Device

Supervisor

Inbound

SSL/6514

Syslog over TLS

External Device

Supervisor

Inbound

UDP/2055

NetFlow

Supervisor

External Windows Devices

Outbound

TCP/135

WMI based monitoring and log collection

Supervisor

External Devices

Outbound

TCP/389

LDAP discovery

Supervisor

External Devices

Outbound

TCP/1433

JDBC based monitoring and data collection

Supervisor

External Devices

Outbound

UDP/8686

JMX based monitoring and data collection

Supervisor

Checkpoint

Outbound

TCP/18184

Checkpoint LEA based log collection

Supervisor

Checkpoint

Outbound

TCP/18190

Checkpoint CPMI based data collection

Supervisor

External Device

Outbound

TCP/443

HTTPS based log collection

Supervisor

External Device

Outbound

TCP/110

POP3 for email monitoring (STM)

Supervisor

External Device

Outbound

TCP/143

IMAP for email monitoring (STM)

Supervisor

External Device

Outbound

TCP/993

IMAP/SSL for email monitoring (STM)

Supervisor

External Device

Outbound

TCP/995

POP/SSL for email monitoring (STM)

Supervisor

Mail Gateway

Outbound

TCP/SMTP

Sending email notification

Supervisor

NFS Server

Outbound

UDP/111, TCP/111

NFS Portmapper for writing events in NFS based deployments

Supervisor

Elasticsearch Coordinating Node

Outbound

HTTPS/9200 (configurable)

Storing events for Elasticsearch based deployments

Supervisor

Elasticsearch Coordinating Node

Outbound

HTTPS/9300 or HTTPS/443 (configurable)

Querying events for Elasticsearch based deployments

Supervisor

Spark Master Node

Outbound

HTTPS/7077 (configurable)

Querying events for HDFS based deployments

Supervisor

HDFS Name Node

Outbound

HTTPS/9000 (configurable)

Archiving events for HDFS based deployments

Worker Communication

From

To

Inbound or Outbound

Ports

Services

FortiSIEM Management User

Worker

Inbound

TCP/22

Admin access via SSH

FortiSIEM Management User

Worker

Inbound

ICMP

ICMP

Collector

Worker

Inbound

TCP/443

REST API access via HTTPS

Worker

Supervisor

Outbound

TCP/5432

PostGreSQL

Worker

Supervisor

Outbound

TCP/7914

phParser on Worker to phParser on Supervisor for EPS enforcement

Worker

Supervisor

Outbound

TCP/7900

phMonitorWorker to phMonitorSuper communication

Supervisor

Worker

Inbound

TCP/7900

phMonitorSuper to phMonitorWorker Communication

Worker

Supervisor

Outbound

TCP/7918

phQueryWorker to phQueryMaster Communication

Supervisor

Worker 5.3

Inbound

TCP/7916

phQueryMaster to phQueryWorker communication

Worker

Supervisor

Outbound

TCP/7922

phRuleWorker to phRuleMaster communication

Worker

Supervisor

Outbound

SSL/7922

phRuleWorker to phRuleMaster communication

Supervisor 5.3

Worker

Inbound

TCP/7920

phQueryMaster to phDataManager for trigger event query

Worker

Supervisor

Outbound

TCP/7934

phReportWorker to phReportMaster Communication

Worker

Supervisor

Outbound

TCP/7938

phIdentityWorker to phIpIdentityMaster

Supervisor

Worker

Inbound

TCP/6666

Redis communication

Worker

External Device

Outbound

UDP/161

SNMP based monitoring

External Device

Worker

Inbound

TCP/21

FTP (for receiving Bluecoat logs via ftp)

External Device

Worker

Inbound

UDP/162

SNMP Trap

External Device

Worker

Inbound

UDP/514

UDP syslog

External Device

Worker

Inbound

TCP/514

TCP syslog

External Device

Worker

Inbound

SSL/6514

Syslog over TLS

External Device

Worker

Inbound

UDP/2055

NetFlow

Worker

External Windows Devices

Outbound

TCP/135

WMI based monitoring and log collection

Worker

External Devices

Outbound

TCP/389

LDAP discovery

Worker

External Devices

Outbound

TCP/1433

JDBC based monitoring and data collection

Worker

External Devices

Outbound

UDP/8686

JMX based monitoring and data collection

Worker

Checkpoint

Outbound

TCP/18184

Checkpoint LEA based log collection

Worker

Checkpoint

Outbound

TCP/18190

Checkpoint CPMI based data collection

Worker

External Device

Outbound

TCP/443

HTTPS based log collection

Worker

External Device

Outbound

TCP/110

POP3 for email monitoring (STM)

Worker

External Device

Outbound

TCP/143

IMAP for email monitoring (STM)

Worker

External Device

Outbound

TCP/993

IMAP/SSL for email monitoring (STM)

Worker

External Device

Outbound

TCP/995

POP/SSL for email monitoring (STM)

Worker

NFS Server

Outbound

UDP/111, TCP/111

NFS Portmapper for writing events in NFS based deployments

Worker

Elasticsearch Coordinating Node

Outbound

HTTPS/9200 (configurable)

Storing events for Elasticsearch based deployments

Worker

HDFS Name Node

Outbound

HTTPS/9000 (configurable)

Archiving events for HDFS based deployments

Collector Communication

From

To

Inbound or Outbound

Ports

Services

FortiSIEM Management User

Collector

Inbound

TCP/22

Admin access via SSH

FortiSIEM Management User

Collector

Inbound

ICMP

ICMP

Collector

Collector

Outbound

TCP/443

REST API access via HTTPS

Collector

Supervisor

Outbound

TCP/443

REST API access via HTTPS

Collector

External Device

Outbound

UDP/161

SNMP based monitoring

External Device

Collector

Inbound

TCP/21

FTP (for receiving Bluecoat logs via ftp)

External Device

Collector

Inbound

UDP/162

SNMP Trap

External Device

Collector

Inbound

UDP/514

UDP syslog

External Device

Collector

Inbound

TCP/514

TCP syslog

External Device

Collector

Inbound

SSL/6514

Syslog over TLS

External Device

Collector

Inbound

UDP/2055

NetFlow

Collector

External Windows Devices

Outbound

TCP/135

WMI based monitoring and log collection

Collector

External Devices

Outbound

TCP/389

LDAP discovery

Collector

External Devices

Outbound

TCP/1433

JDBC based monitoring and data collection

Collector

External Devices

Outbound

UDP/8686

JMX based monitoring and data collection

Collector

Checkpoint

Outbound

TCP/18184

Checkpoint LEA based log collection

Collector

Checkpoint

Outbound

TCP/18190

Checkpoint CPMI based data collection

Collector

External Device

Outbound

TCP/443

HTTPS based log collection

Collector

External Device

Outbound

TCP/110

POP3 for email monitoring (STM)

Collector

External Device

Outbound

TCP/143

IMAP for email monitoring (STM)

Collector

External Device

Outbound

TCP/993

IMAP/SSL for email monitoring (STM)

Collector

External Device

Outbound

TCP/995

POP/SSL for email monitoring (STM)

FortiSIEM External Ports

This chapter describes the external communication ports needed for various FortiSIEM nodes to work. The ports are broken down for:

Supervisor Communication

From

To

Inbound or Outbound

Ports

Services

FortiSIEM Management User

Supervisor

Inbound

TCP/22

Admin access via SSH

FortiSIEM Management User

Supervisor

Inbound

ICMP

Monitoring via ICMP

FortiSIEM Management User

Supervisor

Inbound

TCP/443

GUI access via HTTPS

Collector, Worker, Windows Agent, Linux Agent

Supervisor

Inbound

TCP/443

REST API access via HTTPS

Worker

Supervisor

Inbound

TCP/5432

PostGreSQL

Supervisor

Report Server

Outbound

TCP/5432

PostGreSQL (report loading)

Worker

Supervisor

Inbound

TCP/7914

phParser on Worker to phParser on Supervisor for EPS enforcement

Worker

Supervisor

Inbound

TCP/7900

phMonitorWorker to phMonitorSuper communication

Supervisor

Worker

Outbound

TCP/7900

phMonitorSuper to phMonitorWorker Communication

Worker

Supervisor

Inbound

TCP/7918

phQueryWorker to phQueryMaster Communication

Supervisor

Worker

Outbound

TCP/7916

phQueryMaster to phQueryWorker communication

Worker

Supervisor

Inbound

TCP/7922

phRuleWorker to phRuleMaster communication

Supervisor 5.3

Worker

Outbound

TCP/7920

phQueryMaster to phDataManager for trigger event query

Worker

Supervisor

Inbound

TCP/7934

phReportWorker to phReportMaster Communication

Worker

Supervisor

Inbound

TCP/7938

phIdentityWorker to phIpIdentityMaster

Supervisor

Worker

Outbound

TCP/6666

Redis communication

Supervisor

External Device

Outbound

UDP/161

SNMP based monitoring

External Device

Supervisor

Inbound

TCP/21

FTP (for receiving Bluecoat logs via ftp)

External Device

Supervisor

Inbound

UDP/162

SNMP Trap

External Device

Supervisor

Inbound

UDP/514

UDP syslog

External Device

Supervisor

Inbound

TCP/514

TCP syslog

External Device

Supervisor

Inbound

SSL/6514

Syslog over TLS

External Device

Supervisor

Inbound

UDP/2055

NetFlow

Supervisor

External Windows Devices

Outbound

TCP/135

WMI based monitoring and log collection

Supervisor

External Devices

Outbound

TCP/389

LDAP discovery

Supervisor

External Devices

Outbound

TCP/1433

JDBC based monitoring and data collection

Supervisor

External Devices

Outbound

UDP/8686

JMX based monitoring and data collection

Supervisor

Checkpoint

Outbound

TCP/18184

Checkpoint LEA based log collection

Supervisor

Checkpoint

Outbound

TCP/18190

Checkpoint CPMI based data collection

Supervisor

External Device

Outbound

TCP/443

HTTPS based log collection

Supervisor

External Device

Outbound

TCP/110

POP3 for email monitoring (STM)

Supervisor

External Device

Outbound

TCP/143

IMAP for email monitoring (STM)

Supervisor

External Device

Outbound

TCP/993

IMAP/SSL for email monitoring (STM)

Supervisor

External Device

Outbound

TCP/995

POP/SSL for email monitoring (STM)

Supervisor

Mail Gateway

Outbound

TCP/SMTP

Sending email notification

Supervisor

NFS Server

Outbound

UDP/111, TCP/111

NFS Portmapper for writing events in NFS based deployments

Supervisor

Elasticsearch Coordinating Node

Outbound

HTTPS/9200 (configurable)

Storing events for Elasticsearch based deployments

Supervisor

Elasticsearch Coordinating Node

Outbound

HTTPS/9300 or HTTPS/443 (configurable)

Querying events for Elasticsearch based deployments

Supervisor

Spark Master Node

Outbound

HTTPS/7077 (configurable)

Querying events for HDFS based deployments

Supervisor

HDFS Name Node

Outbound

HTTPS/9000 (configurable)

Archiving events for HDFS based deployments

Worker Communication

From

To

Inbound or Outbound

Ports

Services

FortiSIEM Management User

Worker

Inbound

TCP/22

Admin access via SSH

FortiSIEM Management User

Worker

Inbound

ICMP

ICMP

Collector

Worker

Inbound

TCP/443

REST API access via HTTPS

Worker

Supervisor

Outbound

TCP/5432

PostGreSQL

Worker

Supervisor

Outbound

TCP/7914

phParser on Worker to phParser on Supervisor for EPS enforcement

Worker

Supervisor

Outbound

TCP/7900

phMonitorWorker to phMonitorSuper communication

Supervisor

Worker

Inbound

TCP/7900

phMonitorSuper to phMonitorWorker Communication

Worker

Supervisor

Outbound

TCP/7918

phQueryWorker to phQueryMaster Communication

Supervisor

Worker 5.3

Inbound

TCP/7916

phQueryMaster to phQueryWorker communication

Worker

Supervisor

Outbound

TCP/7922

phRuleWorker to phRuleMaster communication

Worker

Supervisor

Outbound

SSL/7922

phRuleWorker to phRuleMaster communication

Supervisor 5.3

Worker

Inbound

TCP/7920

phQueryMaster to phDataManager for trigger event query

Worker

Supervisor

Outbound

TCP/7934

phReportWorker to phReportMaster Communication

Worker

Supervisor

Outbound

TCP/7938

phIdentityWorker to phIpIdentityMaster

Supervisor

Worker

Inbound

TCP/6666

Redis communication

Worker

External Device

Outbound

UDP/161

SNMP based monitoring

External Device

Worker

Inbound

TCP/21

FTP (for receiving Bluecoat logs via ftp)

External Device

Worker

Inbound

UDP/162

SNMP Trap

External Device

Worker

Inbound

UDP/514

UDP syslog

External Device

Worker

Inbound

TCP/514

TCP syslog

External Device

Worker

Inbound

SSL/6514

Syslog over TLS

External Device

Worker

Inbound

UDP/2055

NetFlow

Worker

External Windows Devices

Outbound

TCP/135

WMI based monitoring and log collection

Worker

External Devices

Outbound

TCP/389

LDAP discovery

Worker

External Devices

Outbound

TCP/1433

JDBC based monitoring and data collection

Worker

External Devices

Outbound

UDP/8686

JMX based monitoring and data collection

Worker

Checkpoint

Outbound

TCP/18184

Checkpoint LEA based log collection

Worker

Checkpoint

Outbound

TCP/18190

Checkpoint CPMI based data collection

Worker

External Device

Outbound

TCP/443

HTTPS based log collection

Worker

External Device

Outbound

TCP/110

POP3 for email monitoring (STM)

Worker

External Device

Outbound

TCP/143

IMAP for email monitoring (STM)

Worker

External Device

Outbound

TCP/993

IMAP/SSL for email monitoring (STM)

Worker

External Device

Outbound

TCP/995

POP/SSL for email monitoring (STM)

Worker

NFS Server

Outbound

UDP/111, TCP/111

NFS Portmapper for writing events in NFS based deployments

Worker

Elasticsearch Coordinating Node

Outbound

HTTPS/9200 (configurable)

Storing events for Elasticsearch based deployments

Worker

HDFS Name Node

Outbound

HTTPS/9000 (configurable)

Archiving events for HDFS based deployments

Collector Communication

From

To

Inbound or Outbound

Ports

Services

FortiSIEM Management User

Collector

Inbound

TCP/22

Admin access via SSH

FortiSIEM Management User

Collector

Inbound

ICMP

ICMP

Collector

Collector

Outbound

TCP/443

REST API access via HTTPS

Collector

Supervisor

Outbound

TCP/443

REST API access via HTTPS

Collector

External Device

Outbound

UDP/161

SNMP based monitoring

External Device

Collector

Inbound

TCP/21

FTP (for receiving Bluecoat logs via ftp)

External Device

Collector

Inbound

UDP/162

SNMP Trap

External Device

Collector

Inbound

UDP/514

UDP syslog

External Device

Collector

Inbound

TCP/514

TCP syslog

External Device

Collector

Inbound

SSL/6514

Syslog over TLS

External Device

Collector

Inbound

UDP/2055

NetFlow

Collector

External Windows Devices

Outbound

TCP/135

WMI based monitoring and log collection

Collector

External Devices

Outbound

TCP/389

LDAP discovery

Collector

External Devices

Outbound

TCP/1433

JDBC based monitoring and data collection

Collector

External Devices

Outbound

UDP/8686

JMX based monitoring and data collection

Collector

Checkpoint

Outbound

TCP/18184

Checkpoint LEA based log collection

Collector

Checkpoint

Outbound

TCP/18190

Checkpoint CPMI based data collection

Collector

External Device

Outbound

TCP/443

HTTPS based log collection

Collector

External Device

Outbound

TCP/110

POP3 for email monitoring (STM)

Collector

External Device

Outbound

TCP/143

IMAP for email monitoring (STM)

Collector

External Device

Outbound

TCP/993

IMAP/SSL for email monitoring (STM)

Collector

External Device

Outbound

TCP/995

POP/SSL for email monitoring (STM)