
External Systems Configuration Guide

Ports Used by FortiSIEM for Discovery and Monitoring

FortiSIEM External Ports

This chapter describes the external communication ports needed for the various FortiSIEM nodes to work. The ports are broken down by node:

  • Supervisor
  • Worker
  • Collector

In release 6.2, some cleartext communication was replaced by SSL communication. If an entry in the tables below is marked 5.3, that entry applies to releases 5.3 and below; if an entry is marked 6.2, it applies to releases 6.2 and above.

Supervisor Communication

From | To | Inbound or Outbound | Ports | Services
---- | -- | ------------------- | ----- | --------
Supervisor | Whois Servers | Outbound | 43 | Whois lookup service (servers listed below)
FortiSIEM Management User | Supervisor | Inbound | TCP/22 | Admin access via SSH
FortiSIEM Management User | Supervisor | Inbound | ICMP | Monitoring via ICMP
FortiSIEM Management User | Supervisor | Inbound | TCP/443 | GUI access via HTTPS
Collector, Worker, Windows Agent, Linux Agent | Supervisor | Inbound | TCP/443 | REST API access via HTTPS
Supervisor | Report Server | Outbound | TCP/5432 | PostgreSQL (report loading)
Worker | Supervisor | Inbound | SSL/7900 | phMonitorWorker to phMonitorSuper communication
Supervisor | Worker | Outbound | SSL/7900 | phMonitorSuper to phMonitorWorker communication
Worker | Supervisor | Inbound | SSL/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement
Supervisor | Worker | Outbound | SSL/7916 | phQueryMaster to phQueryWorker communication
Worker | Supervisor | Inbound | SSL/7918 | phQueryWorker to phQueryMaster communication
Worker 6.1 | Supervisor | Outbound | SSL/7920 | phQueryMaster to phDataManager for trigger event query
Worker | Supervisor | Inbound | SSL/7922 | phRuleWorker to phRuleMaster communication
Worker | Supervisor | Inbound | TLS (supporting v1.3)/7928 | phParser on Worker to phDiscover on Supervisor to trigger a device discovery after detecting a Cisco IOS BGP or OSPF Adjacency Change
Worker | Supervisor | Inbound | SSL/7934 | phReportWorker to phReportMaster communication
Worker | Supervisor | Inbound | SSL/7938 | phIdentityWorker to phIpIdentityMaster
Worker | Supervisor | Inbound | TCP/5555 | phFortiInsightAI module data collection
Supervisor | Worker | Outbound | TCP/6666 | Redis communication
Supervisor | External Device | Outbound | UDP/161 | SNMP based monitoring
External Device | Supervisor | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via FTP)
External Device | Supervisor | Inbound | UDP/162 | SNMP Trap
External Device | Supervisor | Inbound | UDP/514 | UDP syslog
External Device | Supervisor | Inbound | TCP/514 | TCP syslog
External Device | Supervisor | Inbound | SSL/6514 | Syslog over TLS
External Device | Supervisor | Inbound | UDP/2055 | NetFlow
External Device | Supervisor | Inbound | UDP/6343 | sFlow
Supervisor | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection
Supervisor | External Devices | Outbound | TCP/389 | LDAP discovery
Supervisor | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection
Supervisor | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection
Supervisor | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection
Supervisor | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection
Supervisor | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM)
Supervisor | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM)
Supervisor | External Device | Outbound | TCP/443 | HTTPS based log collection
Supervisor | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM)
Supervisor | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM)
Supervisor | Mail Gateway | Outbound | TCP/SMTP | Sending email notification
Supervisor | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments
Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments
Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9300 or HTTPS/443 (configurable) | Querying events for Elasticsearch based deployments
Supervisor | Spark Master Node | Outbound | HTTPS/7077 (configurable) | Querying events for HDFS based deployments
Supervisor | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments

Whois servers contacted by the Supervisor on port 43:

  • whois.geektools.com
  • whois.arin.net
  • whois.networksolutions.com
  • whois.internic.net
  • whois.nic.af
  • whois.ripe.net
  • whois.apnic.net
  • whois.amnic.net
  • whois.nic.gov
  • whois.nic.ad.jp
  • whois.nic.mx
  • whois.nic.us

Worker Communication

From | To | Inbound or Outbound | Ports | Services
---- | -- | ------------------- | ----- | --------
FortiSIEM Management User | Worker | Inbound | TCP/22 | Admin access via SSH
FortiSIEM Management User | Worker | Inbound | ICMP | Monitoring via ICMP
Collector | Worker | Inbound | TCP/443 | REST API access via HTTPS
Worker | Supervisor | Outbound | SSL/7900 | phMonitorWorker to phMonitorSuper communication
Supervisor | Worker | Inbound | SSL/7900 | phMonitorSuper to phMonitorWorker communication
Worker | Supervisor | Outbound | SSL/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement
Supervisor | Worker | Inbound | SSL/7916 | phQueryMaster to phQueryWorker communication
Worker | Supervisor | Outbound | SSL/7918 | phQueryWorker to phQueryMaster communication
Worker 6.1 | Supervisor | Outbound | SSL/7920 | phQueryMaster to phDataManager for trigger event query
Worker | Supervisor | Outbound | SSL/7922 | phRuleWorker to phRuleMaster communication
Worker | Supervisor | Outbound | TLS (supporting v1.3)/7928 | phParser on Worker to phDiscover on Supervisor to trigger a device discovery after detecting a Cisco IOS BGP or OSPF Adjacency Change
Worker | Supervisor | Outbound | SSL/7934 | phReportWorker to phReportMaster communication
Worker | Supervisor | Outbound | SSL/7938 | phIdentityWorker to phIpIdentityMaster
Worker | Supervisor | Outbound | TCP/5555 | phFortiInsightAI module data collection
Supervisor | Worker | Inbound | TCP/6666 | Redis communication
Worker | External Device | Outbound | UDP/161 | SNMP based monitoring
External Device | Worker | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via FTP)
External Device | Worker | Inbound | UDP/162 | SNMP Trap
External Device | Worker | Inbound | UDP/514 | UDP syslog
External Device | Worker | Inbound | TCP/514 | TCP syslog
External Device | Worker | Inbound | SSL/6514 | Syslog over TLS
External Device | Worker | Inbound | UDP/2055 | NetFlow
External Device | Worker | Inbound | UDP/6343 | sFlow
Worker | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection
Worker | External Devices | Outbound | TCP/389 | LDAP discovery
Worker | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection
Worker | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection
Worker | External Device | Outbound | TCP/443 | HTTPS based log collection
Worker | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM)
Worker | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM)
Worker | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM)
Worker | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM)
Worker | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection
Worker | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection
Worker | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments
Worker | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments
Worker | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments

Collector Communication

From | To | Inbound or Outbound | Ports | Services
---- | -- | ------------------- | ----- | --------
FortiSIEM Management User | Collector | Inbound | TCP/22 | Admin access via SSH
FortiSIEM Management User | Collector | Inbound | ICMP | Monitoring via ICMP
Collector | Collector | Outbound | TCP/443 | REST API access via HTTPS
Collector | Supervisor | Outbound | TCP/443 | REST API access via HTTPS
Collector | External Device | Outbound | UDP/161 | SNMP based monitoring
External Device | Collector | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via FTP)
External Device | Collector | Inbound | UDP/162 | SNMP Trap
External Device | Collector | Inbound | UDP/514 | UDP syslog
External Device | Collector | Inbound | TCP/514 | TCP syslog
External Device | Collector | Inbound | SSL/6514 | Syslog over TLS
External Device | Collector | Inbound | UDP/2055 | NetFlow
External Device | Collector | Inbound | UDP/6343 | sFlow
Collector | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection
Collector | External Devices | Outbound | TCP/389 | LDAP discovery
Collector | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection
Collector | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection
Collector | External Device | Outbound | TCP/443 | HTTPS based log collection
Collector | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM)
Collector | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM)
Collector | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM)
Collector | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM)
Collector | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection
Collector | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection
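The three tables above are most useful as a baseline for what each node should be listening on. The following script, added here as an example and not part of the FortiSIEM documentation or product, transcribes the Inbound rows of the Supervisor, Worker and Collector tables into per-role listener sets and compares them with the output of `ss -Hlntu` taken on a node, flagging listeners the tables do not document and documented listeners that are absent. The `ss` output below is constructed sample data; the SSL/TLS rows are recorded as TCP sockets because that is how they appear at the socket level, and the SSL/7920 row is left out because the tables list it as Outbound.

```python
"""Compare a FortiSIEM node's listening sockets with the documented inbound ports.

Added example, not FortiSIEM's own tooling. EXPECTED_INBOUND is transcribed from
the Inbound rows of the Supervisor, Worker and Collector tables in this chapter;
SAMPLE_SS_OUTPUT is constructed to look like `ss -Hlntu` output.
"""

# (proto, port) -> service, per node role. SSL/TLS rows are TCP sockets.
EXPECTED_INBOUND = {
    "supervisor": {
        ("tcp", 22): "Admin access via SSH",
        ("tcp", 443): "GUI and REST API access via HTTPS",
        ("tcp", 7900): "phMonitorWorker to phMonitorSuper (SSL)",
        ("tcp", 7914): "phParser EPS enforcement (SSL)",
        ("tcp", 7918): "phQueryWorker to phQueryMaster (SSL)",
        ("tcp", 7922): "phRuleWorker to phRuleMaster (SSL)",
        ("tcp", 7928): "phParser to phDiscover (TLS)",
        ("tcp", 7934): "phReportWorker to phReportMaster (SSL)",
        ("tcp", 7938): "phIdentityWorker to phIpIdentityMaster (SSL)",
        ("tcp", 5555): "phFortiInsightAI module data collection",
        ("tcp", 21): "FTP (Bluecoat logs)",
        ("udp", 162): "SNMP Trap",
        ("udp", 514): "UDP syslog",
        ("tcp", 514): "TCP syslog",
        ("tcp", 6514): "Syslog over TLS",
        ("udp", 2055): "NetFlow",
        ("udp", 6343): "sFlow",
    },
    "worker": {
        ("tcp", 22): "Admin access via SSH",
        ("tcp", 443): "REST API access via HTTPS",
        ("tcp", 7900): "phMonitorSuper to phMonitorWorker (SSL)",
        ("tcp", 7916): "phQueryMaster to phQueryWorker (SSL)",
        ("tcp", 6666): "Redis communication",
        ("tcp", 21): "FTP (Bluecoat logs)",
        ("udp", 162): "SNMP Trap",
        ("udp", 514): "UDP syslog",
        ("tcp", 514): "TCP syslog",
        ("tcp", 6514): "Syslog over TLS",
        ("udp", 2055): "NetFlow",
        ("udp", 6343): "sFlow",
    },
    "collector": {
        ("tcp", 22): "Admin access via SSH",
        ("tcp", 21): "FTP (Bluecoat logs)",
        ("udp", 162): "SNMP Trap",
        ("udp", 514): "UDP syslog",
        ("tcp", 514): "TCP syslog",
        ("tcp", 6514): "Syslog over TLS",
        ("udp", 2055): "NetFlow",
        ("udp", 6343): "sFlow",
    },
}

# Constructed sample of `ss -Hlntu` output from a Supervisor: one undocumented
# TCP listener (8080), a local snmpd on UDP/161, FTP not enabled, and a
# loopback-only PostgreSQL socket that is irrelevant to external exposure.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:514         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5555        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:6514        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:7900        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:7914        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:7918        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:7922        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:7928        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:7934        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:7938        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22             [::]:*
udp   UNCONN 0      0            0.0.0.0:161         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:162         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:514         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:2055        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:6343        0.0.0.0:*
"""


def parse_ss_listeners(ss_output, include_loopback=False):
    """Return the set of (proto, port) from `ss -Hlntu` style text.

    Loopback-only sockets are skipped by default: they cannot be reached by
    other nodes and so fall outside the external port tables.
    """
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line (if -H was omitted) or unrelated text
        host, _, port = fields[4].rpartition(":")  # handles 0.0.0.0:22, [::]:22, *:22
        if not port.isdigit():
            continue
        if not include_loopback and (host.startswith("127.") or host == "[::1]"):
            continue
        listeners.add((fields[0], int(port)))
    return listeners


def audit_listeners(role, listeners):
    """Split observed listeners into undocumented ones and documented ones that are absent."""
    expected = set(EXPECTED_INBOUND[role.lower()])
    return {
        "unexpected": sorted(listeners - expected),
        "missing": sorted(expected - listeners),
    }


if __name__ == "__main__":
    result = audit_listeners("supervisor", parse_ss_listeners(SAMPLE_SS_OUTPUT))
    for proto, port in result["unexpected"]:
        print(f"UNDOCUMENTED listener: {proto}/{port}")
    for proto, port in result["missing"]:
        print(f"documented but not listening: {proto}/{port} "
              f"({EXPECTED_INBOUND['supervisor'][(proto, port)]})")
```

On a live node, replace SAMPLE_SS_OUTPUT with the captured output of `ss -Hlntu`. An undocumented listener is worth investigating before a firewall rule is written for it, and a documented port that is not listening is usually fine (a feature such as FTP log receipt that is simply not enabled) but explains a "connection refused" from a device that was configured to send to it.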
