FortiSIEM External Ports
This chapter describes the external communication ports needed for various FortiSIEM nodes to work. The ports are broken down for:
In release 6.4, some cleartext communication was replaced by SSL communication. If an entry in the tables below is marked 5.3, it is valid for releases 5.3 and below; if it is marked 6.4, it is valid for releases 6.4 and above.
Supervisor Communication
| From | To | Inbound or Outbound | Ports | Services |
|---|---|---|---|---|
| Supervisor (Primary) | Supervisor (Secondary for DR) | Inbound, Outbound | TCP/7900 | Disaster Recovery Setup |
| Supervisor | Whois Servers | Outbound | 43 | Whois lookup service |
| FortiSIEM Management User | Supervisor | Inbound | TCP/22 | Admin access via SSH |
| FortiSIEM Management User | Supervisor | Inbound | ICMP | Monitoring via ICMP |
| FortiSIEM Management User | Supervisor | Inbound | TCP/443 | GUI access via HTTPS |
| Collector, Worker, Windows Agent, Linux Agent | Supervisor | Inbound | TCP/443 | REST API access via HTTPS |
| Supervisor | Report Server | Outbound | TCP/5432 | PostgreSQL (report loading) |
| Worker | Supervisor | Inbound | SSL/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement |
| Worker | Supervisor | Inbound | SSL/7900 | phMonitorWorker to phMonitorSuper communication |
| Supervisor | Worker | Outbound | SSL/7900 | phMonitorSuper to phMonitorWorker communication |
| Worker | Supervisor | Inbound | SSL/7918 | phQueryWorker to phQueryMaster communication |
| Supervisor | Worker | Outbound | SSL/7916 | phQueryMaster to phQueryWorker communication |
| Worker | Supervisor | Inbound | SSL/7922 | phRuleWorker to phRuleMaster communication |
| Worker 6.1 | Supervisor | Outbound | SSL/7920 | phQueryMaster to phDataManager for trigger event query |
| Worker | Supervisor | Inbound | SSL/7934 | phReportWorker to phReportMaster communication |
| Worker | Supervisor | Inbound | SSL/7938 | phIdentityWorker to phIpIdentityMaster |
| Supervisor | Worker | Outbound | TCP/6666 | Redis communication |
| Worker | Supervisor | Inbound | TCP/5555 | phFortiInsightAI module data collection |
| Supervisor | External Device | Outbound | UDP/161 | SNMP based monitoring |
| External Device | Supervisor | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via FTP) |
| External Device | Supervisor | Inbound | UDP/162 | SNMP Trap |
| External Device | Supervisor | Inbound | UDP/514 | UDP syslog |
| External Device | Supervisor | Inbound | TCP/514 | TCP syslog |
| External Device | Supervisor | Inbound | SSL/6514 | Syslog over TLS |
| External Device | Supervisor | Inbound | UDP/2055 | NetFlow |
| External Device | Supervisor | Inbound | UDP/6343 | sFlow |
| Supervisor | External Windows Devices | Outbound | TCP/135, UDP/137, TCP/5985-5986 | OMI based monitoring and log collection |
| Supervisor | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection |
| Supervisor | External Devices | Outbound | TCP/389 | LDAP discovery |
| Supervisor | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection |
| Supervisor | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection |
| Supervisor | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection |
| Supervisor | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection |
| Supervisor | External Device | Outbound | TCP/443 | HTTPS based log collection |
| Supervisor | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM) |
| Supervisor | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM) |
| Supervisor | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM) |
| Supervisor | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM) |
| Supervisor | Mail Gateway | Outbound | TCP/SMTP | Sending email notification |
| Supervisor | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments |
| Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments |
| Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9300 or HTTPS/443 (configurable) | Querying events for Elasticsearch based deployments |
| Supervisor | Spark Master Node | Outbound | HTTPS/7077 (configurable) | Querying events for HDFS based deployments |
| Supervisor | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments |
Worker Communication
| From | To | Inbound or Outbound | Ports | Services |
|---|---|---|---|---|
| FortiSIEM Management User | Worker | Inbound | TCP/22 | Admin access via SSH |
| FortiSIEM Management User | Worker | Inbound | ICMP | ICMP |
| Collector | Worker | Inbound | TCP/443 | REST API access via HTTPS |
| Worker | Supervisor | Outbound | SSL/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement |
| Worker | Supervisor | Outbound | SSL/7900 | phMonitorWorker to phMonitorSuper communication |
| Supervisor | Worker | Inbound | SSL/7900 | phMonitorSuper to phMonitorWorker communication |
| Worker | Supervisor | Outbound | SSL/7918 | phQueryWorker to phQueryMaster communication |
| Supervisor | Worker | Inbound | SSL/7916 | phQueryMaster to phQueryWorker communication |
| Worker | Supervisor | Outbound | SSL/7922 | phRuleWorker to phRuleMaster communication |
| Worker 6.1 | Supervisor | Outbound | SSL/7920 | phQueryMaster to phDataManager for trigger event query |
| Worker | Supervisor | Outbound | SSL/7934 | phReportWorker to phReportMaster communication |
| Worker | Supervisor | Outbound | SSL/7938 | phIdentityWorker to phIpIdentityMaster |
| Supervisor | Worker | Inbound | TCP/6666 | Redis communication |
| Worker | Supervisor | Outbound | TCP/5555 | phFortiInsightAI module data collection |
| Worker | External Device | Outbound | UDP/161 | SNMP based monitoring |
| External Device | Worker | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via FTP) |
| External Device | Worker | Inbound | UDP/162 | SNMP Trap |
| External Device | Worker | Inbound | UDP/514 | UDP syslog |
| External Device | Worker | Inbound | TCP/514 | TCP syslog |
| External Device | Worker | Inbound | SSL/6514 | Syslog over TLS |
| External Device | Worker | Inbound | UDP/2055 | NetFlow |
| External Device | Worker | Inbound | UDP/6343 | sFlow |
| Worker | External Windows Devices | Outbound | TCP/135, UDP/137, TCP/5985-5986 | OMI based monitoring and log collection |
| Worker | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection |
| Worker | External Devices | Outbound | TCP/389 | LDAP discovery |
| Worker | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection |
| Worker | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection |
| Worker | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection |
| Worker | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection |
| Worker | External Device | Outbound | TCP/443 | HTTPS based log collection |
| Worker | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM) |
| Worker | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM) |
| Worker | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM) |
| Worker | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM) |
| Worker | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments |
| Worker | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments |
| Worker | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments |
Collector Communication
| From | To | Inbound or Outbound | Ports | Services |
|---|---|---|---|---|
| FortiSIEM Management User | Collector | Inbound | TCP/22 | Admin access via SSH |
| FortiSIEM Management User | Collector | Inbound | ICMP | ICMP |
| Collector | Collector | Outbound | TCP/443 | REST API access via HTTPS |
| Collector | Supervisor | Outbound | TCP/443 | REST API access via HTTPS |
| Collector | External Device | Outbound | UDP/161 | SNMP based monitoring |
| External Device | Collector | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via FTP) |
| External Device | Collector | Inbound | UDP/162 | SNMP Trap |
| External Device | Collector | Inbound | UDP/514 | UDP syslog |
| External Device | Collector | Inbound | TCP/514 | TCP syslog |
| External Device | Collector | Inbound | SSL/6514 | Syslog over TLS |
| External Device | Collector | Inbound | UDP/2055 | NetFlow |
| External Device | Collector | Inbound | UDP/6343 | sFlow |
| Collector | External Windows Devices | Outbound | TCP/135, UDP/137, TCP/5985-5986 | OMI based monitoring and log collection |
| Collector | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection |
| Collector | External Devices | Outbound | TCP/389 | LDAP discovery |
| Collector | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection |
| Collector | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection |
| Collector | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection |
| Collector | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection |
| Collector | External Device | Outbound | TCP/443 | HTTPS based log collection |
| Collector | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM) |
| Collector | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM) |
| Collector | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM) |
| Collector | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM) |
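The three tables above share one row layout and the same mix of port notations (single ports, comma lists, ranges such as TCP/5985-5986, named ports such as TCP/SMTP, bare ICMP, and defaults marked "(configurable)"). The Python below is an added example, not Fortinet code: it parses rows in that layout into records and derives the listening allow-list a host firewall on a given node must accept. It assumes that SSL and HTTPS entries map to TCP at the packet filter, and its sample rows are constructed to mirror a few entries from the tables.

```python
import re

# Constructed sample rows in the page's "From | To | Direction | Ports | Services" layout.
SAMPLE_ROWS = """\
External Device | Collector | Inbound | UDP/514 | UDP syslog
External Device | Collector | Inbound | SSL/6514 | Syslog over TLS
FortiSIEM Management User | Collector | Inbound | ICMP | ICMP
Collector | External Windows Devices | Outbound | TCP/135, UDP/137, TCP/5985-5986 | OMI based monitoring
Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events
Supervisor | Mail Gateway | Outbound | TCP/SMTP | Sending email notification
"""

# Assumption: SSL and HTTPS entries are TLS over TCP, so at the packet filter they are TCP rules.
PROTO_MAP = {"tcp": "tcp", "ssl": "tcp", "https": "tcp", "udp": "udp"}
CONFIGURABLE_RE = re.compile(r"\(configurable\)", re.I)

def parse_port_spec(spec: str) -> list:
    """Split one Ports cell into (proto, port) pairs. port is '135', '5985-5986', a
    lower-case service name ('smtp') or '' for ICMP; any other form raises ValueError."""
    out = []
    for item in CONFIGURABLE_RE.sub("", spec).split(","):
        item = item.strip()
        if item.upper() == "ICMP":
            out.append(("icmp", ""))
            continue
        proto, _, port = item.partition("/")
        lo, _, hi = port.partition("-")
        numeric = lo.isdigit() and (hi == "" or hi.isdigit())
        if proto.lower() not in PROTO_MAP or not (numeric or port.isalpha()):
            raise ValueError(f"unrecognised port spec: {item!r}")
        out.append((PROTO_MAP[proto.lower()], port.lower()))
    return out

def parse_rows(text: str) -> list:
    """Turn pipe-separated table rows into dicts, one per (proto, port); skips the header."""
    rules = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0].lower() in ("from", "") or cells[0].startswith("---"):
            continue
        src, dst, direction, ports, service = cells
        rules += [{"src": src, "dst": dst, "direction": direction, "proto": proto, "port": port,
                   "service": service, "configurable": bool(CONFIGURABLE_RE.search(ports))}
                  for proto, port in parse_port_spec(ports)]
    return rules

def listen_ports(rules: list, node: str) -> list:
    """Sorted 'proto[/port]' entries the host firewall on `node` must accept (rows whose To
    column is node); entries flagged configurable must be checked against the deployment."""
    return sorted({f"{r['proto']}/{r['port']}" if r["port"] else r["proto"]
                   for r in rules if r["dst"] == node})
```

Feeding a whole table to `parse_rows` and calling `listen_ports` for each node name gives the per-node inbound list to compare against the actual host firewall or segment ACL.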