External Systems Configuration Guide

FortiSIEM External Systems Configuration Guide Online
Change Log
TABLE OF CONTENTS
Overview
FortiSIEM Port Usage
Supported Devices and Applications by Vendor
Applications
- Application Server
- Authentication Server
- Database Server
- DHCP and DNS Server
- Directory Server
  - Microsoft Active Directory
- Document Management Server
  - Microsoft SharePoint
- Healthcare IT
  - Epic EMR/EHR System
- Mail Server
  - Microsoft Exchange
- Management Server/Appliance
- Remote Desktop
  - Citrix Receiver (ICA)
- Source Code Control
- Unified Communication Server
- Web Server
Blade Servers
- Cisco UCS Server
- HP BladeSystem
Cloud Access Security Broker
- Fortinet FortiCASB
- Oracle Cloud Access Security Broker (CASB)
Cloud Applications
- Alicide.io KAudit
- AWS Access Key IAM Permissions and IAM Policies
- AWS CloudTrail API
- Amazon AWS EC2
- AWS EC2 CloudWatch API
- AWS Elastic Load Balancer
- AWS Kinesis
- AWS RDS
- AWS Security Hub
- AWS Simple Queue Service (SQS)
- Amazon Simple Storage Service (AWS S3)
- Box.com
- Cisco Umbrella
- Google Cloud Platform - Pub/Sub Integration
- Google Workspace (Formerly G Suite and Google Apps)
- Microsoft Azure Audit
- Microsoft Office365 Audit
- Microsoft Cloud App Security
- Microsoft Defender for Identity/Microsoft Azure ATP
- Microsoft Azure Compute
- Microsoft Azure Event Hub
- Okta
  - Adding Users from Okta
  - Configuring Okta Authentication
  - Logging In to Okta
  - Setting Up External Authentication
- Oracle Cloud Infrastructure
- Salesforce CRM Audit
- Zscaler Nanolog Streaming Service (NSS)
Console Access Devices
- Lantronix SLC Console Manager
End Point Security Software
- Bit9 Security Platform
- Carbon Black Security Platform
- Cisco AMP Cloud V0
- Cisco AMP Cloud V1
- Cisco Security Agent (CSA)
- CloudPassage Halo
- Crowdstrike
- Cybereason
- Digital Guardian CodeGreen DLP
- ESET NOD32 Anti-Virus
- FortiClient
- Fortinet FortiEDR
- Malwarebytes Breach Remediation
- MalwareBytes EndPoint Protection
- McAfee ePolicy Orchestrator (ePO)
- Microsoft Windows Defender ATP
- MobileIron Sentry and Connector
- Netwrix Auditor (via Correlog Windows Agent)
- Palo Alto Traps Endpoint Security Manager
- SentinelOne
- Sophos Central
- Sophos Endpoint Security and Control
- Symantec Endpoint Protection
- Symantec SEPM
- Tanium Connect
- Trend Micro Interscan Web Filter
- Trend Micro Intrusion Defense Firewall (IDF)
- Trend Micro OfficeScan
Firewalls
- Check Point FireWall-1
- Check Point Provider-1 Firewall
- Check Point VSX Firewall
- Cisco Adaptive Security Appliance (ASA)
- Cisco Firepower Threat Defense (FTD)
- Clavister Firewall
- Cyberoam Firewall
- Dell SonicWALL Firewall
- Fortinet FortiGate Firewall
- Hillstone Firewall
- Imperva Securesphere Web App Firewall
- Juniper Networks SSG Firewall
- McAfee Firewall Enterprise (Sidewinder)
- Palo Alto Firewall
- Sophos UTM Firewall
- Stormshield Network Security
- Tigera Calico
- UserGate UTM Firewall
- WatchGuard Firebox Firewall
Load Balancers and Application Firewalls
- Barracuda Web Application Firewall
- Brocade ServerIron ADX
- Citrix Netscaler Application Delivery Controller (ADC)
- F5 Networks Application Security Manager
- F5 Networks Local Traffic Manager
- F5 Networks Web Accelerator
- Fortinet FortiADC
- Qualys Web Application Firewall
- Zscaler Cloud Firewall
Log Aggregators
- Fortinet FortiAnalyzer
Network Compliance Management Applications
- Cisco Network Compliance Manager
- PacketFence Network Access Control (NAC) Integration
Network Detection and Response (NDR)
- Fortinet FortiNDR (Formerly FortiAI)
- Zeek Network Security Monitor (Previously known as Bro)
Network Intrusion Detection System
- Microsoft Advanced Threat Analytics (ATA) On Premise Platform
- Zeek Network Security Monitor (Previously known as Bro)
Network Intrusion Prevention Systems (IPS)
- 3COM TippingPoint UnityOne IPS
- AirTight Networks SpectraGuard
- Alert Logic IRIS API
- Armis Asset Intelligence Platform
- Cisco FireSIGHT and FirePower Threat Defense
- Cisco Intrusion Protection System
- Cisco Stealthwatch
- Claroty Continuous Threat Detection
- Corero Smartwall Threat Defense System
- Cylance Protect Endpoint Protection
- Cyphort Cortext Endpoint Protection
- Damballa Failsafe
- Darktrace CyberIntelligence Platform
- Dragos Platform
- FireEye Malware Protection System (MPS)
- FortiDDoS
- Fortinet FortiDeceptor
- Fortinet FortiNAC
- Fortinet FortiSandbox
- Fortinet FortiTester
- IBM Internet Security Series Proventia
- Juniper DDoS Secure
- Juniper Networks IDP Series
- McAfee IntruShield
- McAfee Stonesoft IPS
- Motorola AirDefense
- Nozomi
- Palo Alto Cortex XDR
- Radware DefensePro
- Snort Intrusion Prevention System
- Sourcefire 3D and Defense Center
- Trend Micro Deep Discovery
- Zeek (Bro) installed on Security Onion
Operational Technology
- APC Netbotz Environmental Monitor
- APC UPS
- Claroty Continuous Threat Detection
- Dragos Platform
- Generic UPS
- Hirschman SCADA Firewalls and Switches
- Liebert FPC
- Liebert HVAC
- Liebert UPS
- Microsoft Defender for IoT (Was CyberX OT/IoT Security)
- Nozomi Central Management Control
- Nozomi SCADAguardian
- OTORIO RAM2 (Risk Assessment, Monitoring and Management)
Routers and Switches
- Alcatel TiMOS and AOS Switch
- Arista Router and Switch
- ArubaOS-CX Switching Platform
- Brocade NetIron CER Routers
- Cisco 300 Series Routers
- Cisco IOS Router and Switch
  - How CPU and Memory Utilization is Collected for Cisco IOS
- Cisco Meraki Cloud Controller and Network Devices
- Cisco NX-OS Router and Switch
- Cisco ONS
- Cisco Viptela SDWAN Router
- Dell Force10 Router and Switch
- Dell NSeries Switch
- Dell PowerConnect Switch and Router
- Foundry Networks IronWare Router and Switch
- HP/3Com ComWare Switch
- HP ProCurve Switch
- HP Value Series (19xx) and HP 3Com (29xx) Switch
- Hirschman SCADA Firewalls and Switches
- Juniper Networks JunOS Switch
- Mikrotek Router
- Nortel ERS and Passport Switch
Security Gateways
- Barracuda Networks Spam Firewall
- Blue Coat Web Proxy
- Cisco IronPort Mail Gateway
- Cisco IronPort Web Gateway
- Fortinet FortiMail
- Fortinet FortiProxy
- Fortinet FortiWeb
- Imperva Securesphere DB Monitoring Gateway
- Imperva Securesphere Security Gateway
- McAfee Vormetric Data Security Manager
- McAfee Web Gateway
- Microsoft ISA Server
- Proofpoint
- Squid Web Proxy
- SSH Comm Security CryptoAuditor
- Websense Web Filter
Security Information and Event Management
- SAP Enterprise Threat Detection (ETD)
Security Orchestration (SOAR)
- Fortinet FortiSOAR
Servers and Workstations
- Apple MacOS Server
- HP UX Server
- IBM AIX Server
- IBM OS400 Server
- Linux Server
- Microsoft Windows Server
- QNAP Turbo NAS
- Sun Solaris Server
Storage
- Brocade SAN Switch
- Dell Compellant Storage
- Dell EqualLogic Storage
- EMC Clarion Storage
- EMC Isilon Storage
- EMC VNX Storage
- NetApp DataOnTap
- NetApp Filer Storage
- Nimble Storage
- Nutanix Storage
Threat Intelligence
- FortiInsight
- Fortinet FortiNDR (Formerly FortiAI)
- Lastline
- ThreatConnect
Virtualization
- HyperV
- HyTrust CloudControl
- KVM
- Nutanix Prism
- VMware ESX
VPN Gateways
- Cisco VPN 3000 Gateway
- Cyxtera AppGuard
- Juniper Networks SSL VPN Gateway
- Microsoft PPTP VPN Gateway
- Pulse Secure
Vulnerability Scanners
- AlertLogic
- Digital Defense Frontline Vulnerability Manager
- Green League WVSS
- McAfee Foundstone Vulnerability Scanner
- Qualys QualysGuard Scanner
- Qualys Vulnerability Scanner
- Rapid7 NeXpose Vulnerability Scanner (Vulnerability Management On-Premises)
- Rapid7 InsightVM (Platform Based Vulnerability Management)
- Tenable.io
- Tenable Nessus Vulnerability Scanner
- Tenable Security Center
- YXLink Vulnerability Scanner
WAN Accelerators
- Cisco Wide Area Application Server
- Riverbed SteelHead WAN Accelerator
Wireless LANs
- Aruba Networks Wireless LAN
- Cisco Wireless LAN
- CradlePoint
- FortiAP
- FortiWLC
- Motorola WiNG WLAN AP
- Ruckus Wireless LAN
- Ubiquiti
Using Virtual IPs to Access Devices in Clustered Environments
Syslog over TLS
SNMP V3 Traps
Flow Support
Appendix
- Access Credentials
- Ingesting JSON Formatted Events Received via HTTP(S) POST

Home FortiSIEM 6.5.1 External Systems Configuration Guide

6.5.1

FortiSIEM Port Usage

This chapter describes the external communication ports needed for various FortiSIEM nodes to work. The ports are broken down for:

FortiSIEM Manager Communication
Supervisor Communication
Worker Communication
Collector Communication

In release 6.5, some clear communication has been replaced by SSL communication. If an entry in the tables below has 5.3, then that entry is valid for releases 5.3 and below. If an entry in the tables below has 6.5, then that entry is valid for releases 6.5 and above.

Since there will be intercommunication between FortiSIEM nodes (Worker to Worker, Worker to Supervisor, Supervisor to Worker), Fortinet suggests not to firewall block any type of communication between internal FortiSIEM nodes.

FortiSIEM Manager Communication

From	To	Inbound or Outbound	Ports	Services
Supervisor	FortiSIEM Manager	Inbound	TCP/443	Handle FortiSIEM Instance Registration and Incidents, license, health upload from Instance
FortiSIEM Manager	Supervisor	Outbound	TCP/443	Incident drill down and Incident Management from FortiSIEM Manager

Supervisor Communication

From	To	Inbound or Outbound	Ports	Services
Supervisor	Whois Server	Outbound	43	Whois lookup service whois.geektools.com whois.arin.net whois.networksolutions.com whois.internic.net whois.nic.af whois.ripe.net whois.apnic.net whois.amnic.net whois.nic.gov whois.nic.ad.jp whois.nic.mx whois.nic.us
FortiSIEM Management User	Supervisor	Inbound	ICMP	Monitoring via ICMP
FortiSIEM Management User	Supervisor	Inbound	TCP/22	Admin access via SSH
FortiSIEM Manager	Supervisor	Inbound	TCP/443	Incident drill down and Incident Management from FortiSIEM Manager
FortiSIEM Management User	Supervisor	Inbound	TCP/443	GUI access via HTTPS
Supervisor	FortiSIEM Manager	Outbound	TCP/443	Register to FortiSIEM Manager and upload Incidents, license and health
Collector, Worker, Windows Agent, Linux Agent	Supervisor	Inbound	TCP/443	REST API access via HTTPS
Supervisor	Report Server	Outbound	TCP/5432	PostGreSQL (report loading)
External Device	Supervisor	Inbound	SSL/6514	Syslog over TLS
Worker	Supervisor	Inbound	SSL/7900	phMonitorWorker to phMonitorSuper communication
Supervisor	Worker	Outbound	SSL/7900	phMonitorSuper to phMonitorWorker Communication
Supervisor (Primary)	Supervisor (Secondary for DR)	Inbound, Outbound	TCP/7900	Disaster Recovery Setup
Worker	Supervisor	Inbound	SSL/7914	phParser on Worker to phParser on Supervisor for EPS enforcement
Supervisor	Worker	Outbound	SSL/7916	phQueryMaster to phQueryWorker communication
Worker	Supervisor	Inbound	SSL/7918	phQueryWorker to phQueryMaster Communication
Worker 6.1	Supervisor	Outbound	SSL/7920	phQueryMaster to phDataManager for trigger event query
Worker	Supervisor	Inbound	SSL/7922	phRuleWorker to phRuleMaster communication
Worker	Supervisor	Inbound	TLS (Supporting V1.3)/7928	phParser on Worker to phDiscover on Supervisor to trigger a device discovery after detecting Cisco IOS BGP or OSPF Adjacency Change change
Worker	Supervisor	Inbound	SSL/7934	phReportWorker to phReportMaster Communication
Worker	Supervisor	Inbound	SSL/7938	phIdentityWorker to phIpIdentityMaster
Worker	Supervisor	Inbound	TCP/5555	phFortiInsightAI module data collection
Supervisor	Worker	Outbound	TCP/6666	Redis communication
Supervisor	External Device	Outbound	UDP/161	SNMP based monitoring
External Device	Supervisor	Inbound	TCP/21	FTP (for receiving Bluecoat logs via ftp)
External Device	Supervisor	Inbound	UDP/162	SNMP Trap
External Device	Supervisor	Inbound	UDP/514	UDP syslog
External Device	Supervisor	Inbound	TCP/514	TCP syslog
External Device	Supervisor	Inbound	UDP/2055	NetFlow
External Device	Supervisor	Inbound	UDP/6343	sFlow
Supervisor	External Windows Devices	Outbound	TCP/135, UDP/137, TCP/5985-5986	OMI based monitoring and log collection
Supervisor	External Windows Devices	Outbound	TCP/135	WMI based monitoring and log collection
Supervisor	External Devices	Outbound	TCP/389	LDAP discovery
Supervisor	External Devices	Outbound	TCP/1433	JDBC based monitoring and data collection
Supervisor	External Devices	Outbound	UDP/8686	JMX based monitoring and data collection
Supervisor	Checkpoint	Outbound	TCP/18184	Checkpoint LEA based log collection
Supervisor	Checkpoint	Outbound	TCP/18190	Checkpoint CPMI based data collection
Supervisor	External Device	Outbound	TCP/443	HTTPS based log collection
Supervisor	External Device	Outbound	TCP/110	POP3 for email monitoring (STM)
Supervisor	External Device	Outbound	TCP/143	IMAP for email monitoring (STM)
Supervisor	External Device	Outbound	TCP/993	IMAP/SSL for email monitoring (STM)
Supervisor	External Device	Outbound	TCP/995	POP/SSL for email monitoring (STM)
Supervisor	Mail Gateway	Outbound	TCP/SMTP	Sending email notification
Supervisor	NFS Server	Outbound	UDP/111, TCP/111	NFS Portmapper for writing events in NFS based deployments
Supervisor	Elasticsearch Coordinating Node	Outbound	HTTPS/9200 (configurable)	Storing events for Elasticsearch based deployments
Supervisor	Elasticsearch Coordinating Node	Outbound	HTTPS/9300 or HTTPS/443 (configurable)	Querying events for Elasticsearch based deployments
Supervisor	Spark Master Node	Outbound	HTTPS/7077 (configurable)	Querying events for HDFS based deployments
Supervisor	HDFS Name Node	Outbound	HTTPS/9000 (configurable)	Archiving events for HDFS based deployments

Worker Communication

From	To	Inbound or Outbound	Ports	Services
FortiSIEM Management User	Worker	Inbound	TCP/22	Admin access via SSH
FortiSIEM Management User	Worker	Inbound	ICMP	ICMP
Collector	Worker	Inbound	TCP/443	REST API access via HTTPS
Supervisor	Worker	Inbound	SSL/7900	phMonitorSuper to phMonitorWorker Communication
Worker	Supervisor	Outbound	SSL/7900	phMonitorWorker to phMonitorSuper communication
Worker	Supervisor	Outbound	SSL/7914	phParser on Worker to phParser on Supervisor for EPS enforcement
Supervisor	Worker	Inbound	SSL/7916	phQueryMaster to phQueryWorker communication
Worker	Supervisor	Outbound	SSL/7918	phQueryWorker to phQueryMaster Communication
Worker 6.1	Supervisor	Outbound	SSL/7920	phQueryMaster to phDataManager for trigger event query
Worker	Supervisor	Outbound	SSL/7922	phRuleWorker to phRuleMaster communication
Worker	Supervisor	Outbound	TLS (Supporting V1.3)/7928	phParser on Worker to phDiscover on Supervisor to trigger a device discovery after detecting Cisco IOS BGP or OSPF Adjacency Change change
Worker	Supervisor	Outbound	SSL/7934	phReportWorker to phReportMaster Communication
Worker	Supervisor	Outbound	SSL/7938	phIdentityWorker to phIpIdentityMaster
Worker	Supervisor	Outbound	TCP/5555	phFortiInsightAI module data collection
Supervisor	Worker	Inbound	TCP/6666	Redis communication
Worker	External Device	Outbound	UDP/161	SNMP based monitoring
External Device	Worker	Inbound	TCP/21	FTP (for receiving Bluecoat logs via ftp)
External Device	Worker	Inbound	UDP/162	SNMP Trap
External Device	Worker	Inbound	UDP/514	UDP syslog
External Device	Worker	Inbound	TCP/514	TCP syslog
External Device	Worker	Inbound	SSL/6514	Syslog over TLS
External Device	Worker	Inbound	UDP/2055	NetFlow
External Device	Worker	Inbound	UDP/6343	sFlow
Worker	External Windows Devices	Outbound	TCP/135, UDP/137, TCP/5985-5986	OMI based monitoring and log collection
Worker	External Windows Devices	Outbound	TCP/135	WMI based monitoring and log collection
Worker	External Devices	Outbound	TCP/389	LDAP discovery
Worker	External Devices	Outbound	TCP/1433	JDBC based monitoring and data collection
Worker	External Devices	Outbound	UDP/8686	JMX based monitoring and data collection
Worker	External Device	Outbound	TCP/443	HTTPS based log collection
Worker	External Device	Outbound	TCP/110	POP3 for email monitoring (STM)
Worker	External Device	Outbound	TCP/143	IMAP for email monitoring (STM)
Worker	External Device	Outbound	TCP/993	IMAP/SSL for email monitoring (STM)
Worker	External Device	Outbound	TCP/995	POP/SSL for email monitoring (STM)
Worker	Checkpoint	Outbound	TCP/18184	Checkpoint LEA based log collection
Worker	Checkpoint	Outbound	TCP/18190	Checkpoint CPMI based data collection
Worker	NFS Server	Outbound	UDP/111, TCP/111	NFS Portmapper for writing events in NFS based deployments
Worker	Elasticsearch Coordinating Node	Outbound	HTTPS/9200 (configurable)	Storing events for Elasticsearch based deployments
Worker	HDFS Name Node	Outbound	HTTPS/9000 (configurable)	Archiving events for HDFS based deployments

Collector Communication

From	To	Inbound or Outbound	Ports	Services
FortiSIEM Management User	Collector	Inbound	TCP/22	Admin access via SSH
FortiSIEM Management User	Collector	Inbound	ICMP	ICMP
Collector	Collector	Outbound	TCP/443	REST API access via HTTPS
Collector	Supervisor	Outbound	TCP/443	REST API access via HTTPS
Collector	External Device	Outbound	UDP/161	SNMP based monitoring
External Device	Collector	Inbound	TCP/21	FTP (for receiving Bluecoat logs via ftp)
External Device	Collector	Inbound	UDP/162	SNMP Trap
External Device	Collector	Inbound	UDP/514	UDP syslog
External Device	Collector	Inbound	TCP/514	TCP syslog
External Device	Collector	Inbound	SSL/6514	Syslog over TLS
External Device	Collector	Inbound	UDP/2055	NetFlow
External Device	Collector	Inbound	UDP/6343	sFlow
Collector	External Windows Devices	Outbound	TCP/135, UDP/137, TCP/5985-5986	OMI based monitoring and log collection
Collector	External Windows Devices	Outbound	TCP/135	WMI based monitoring and log collection
Collector	External Device	Outbound	TCP/110	POP3 for email monitoring (STM)
Collector	External Device	Outbound	TCP/143	IMAP for email monitoring (STM)
Collector	External Devices	Outbound	TCP/389	LDAP discovery
Collector	External Device	Outbound	TCP/443	HTTPS based log collection
Collector	External Device	Outbound	TCP/993	IMAP/SSL for email monitoring (STM)
Collector	External Device	Outbound	TCP/995	POP/SSL for email monitoring (STM)
Collector	External Devices	Outbound	TCP/1433	JDBC based monitoring and data collection
Collector	External Devices	Outbound	UDP/8686	JMX based monitoring and data collection
Collector	Checkpoint	Outbound	TCP/18184	Checkpoint LEA based log collection
Collector	Checkpoint	Outbound	TCP/18190	Checkpoint CPMI based data collection

FortiSIEM Port Usage

This chapter describes the external communication ports needed for various FortiSIEM nodes to work. The ports are broken down for:

FortiSIEM Manager Communication
Supervisor Communication
Worker Communication
Collector Communication

FortiSIEM Manager Communication

From	To	Inbound or Outbound	Ports	Services
Supervisor	FortiSIEM Manager	Inbound	TCP/443	Handle FortiSIEM Instance Registration and Incidents, license, health upload from Instance
FortiSIEM Manager	Supervisor	Outbound	TCP/443	Incident drill down and Incident Management from FortiSIEM Manager

Supervisor Communication

From	To	Inbound or Outbound	Ports	Services
Supervisor	Whois Server	Outbound	43	Whois lookup service whois.geektools.com whois.arin.net whois.networksolutions.com whois.internic.net whois.nic.af whois.ripe.net whois.apnic.net whois.amnic.net whois.nic.gov whois.nic.ad.jp whois.nic.mx whois.nic.us
FortiSIEM Management User	Supervisor	Inbound	ICMP	Monitoring via ICMP
FortiSIEM Management User	Supervisor	Inbound	TCP/22	Admin access via SSH
FortiSIEM Manager	Supervisor	Inbound	TCP/443	Incident drill down and Incident Management from FortiSIEM Manager
FortiSIEM Management User	Supervisor	Inbound	TCP/443	GUI access via HTTPS
Supervisor	FortiSIEM Manager	Outbound	TCP/443	Register to FortiSIEM Manager and upload Incidents, license and health
Collector, Worker, Windows Agent, Linux Agent	Supervisor	Inbound	TCP/443	REST API access via HTTPS
Supervisor	Report Server	Outbound	TCP/5432	PostGreSQL (report loading)
External Device	Supervisor	Inbound	SSL/6514	Syslog over TLS
Worker	Supervisor	Inbound	SSL/7900	phMonitorWorker to phMonitorSuper communication
Supervisor	Worker	Outbound	SSL/7900	phMonitorSuper to phMonitorWorker Communication
Supervisor (Primary)	Supervisor (Secondary for DR)	Inbound, Outbound	TCP/7900	Disaster Recovery Setup
Worker	Supervisor	Inbound	SSL/7914	phParser on Worker to phParser on Supervisor for EPS enforcement
Supervisor	Worker	Outbound	SSL/7916	phQueryMaster to phQueryWorker communication
Worker	Supervisor	Inbound	SSL/7918	phQueryWorker to phQueryMaster Communication
Worker 6.1	Supervisor	Outbound	SSL/7920	phQueryMaster to phDataManager for trigger event query
Worker	Supervisor	Inbound	SSL/7922	phRuleWorker to phRuleMaster communication
Worker	Supervisor	Inbound	TLS (Supporting V1.3)/7928	phParser on Worker to phDiscover on Supervisor to trigger a device discovery after detecting Cisco IOS BGP or OSPF Adjacency Change change
Worker	Supervisor	Inbound	SSL/7934	phReportWorker to phReportMaster Communication
Worker	Supervisor	Inbound	SSL/7938	phIdentityWorker to phIpIdentityMaster
Worker	Supervisor	Inbound	TCP/5555	phFortiInsightAI module data collection
Supervisor	Worker	Outbound	TCP/6666	Redis communication
Supervisor	External Device	Outbound	UDP/161	SNMP based monitoring
External Device	Supervisor	Inbound	TCP/21	FTP (for receiving Bluecoat logs via ftp)
External Device	Supervisor	Inbound	UDP/162	SNMP Trap
External Device	Supervisor	Inbound	UDP/514	UDP syslog
External Device	Supervisor	Inbound	TCP/514	TCP syslog
External Device	Supervisor	Inbound	UDP/2055	NetFlow
External Device	Supervisor	Inbound	UDP/6343	sFlow
Supervisor	External Windows Devices	Outbound	TCP/135, UDP/137, TCP/5985-5986	OMI based monitoring and log collection
Supervisor	External Windows Devices	Outbound	TCP/135	WMI based monitoring and log collection
Supervisor	External Devices	Outbound	TCP/389	LDAP discovery
Supervisor	External Devices	Outbound	TCP/1433	JDBC based monitoring and data collection
Supervisor	External Devices	Outbound	UDP/8686	JMX based monitoring and data collection
Supervisor	Checkpoint	Outbound	TCP/18184	Checkpoint LEA based log collection
Supervisor	Checkpoint	Outbound	TCP/18190	Checkpoint CPMI based data collection
Supervisor	External Device	Outbound	TCP/443	HTTPS based log collection
Supervisor	External Device	Outbound	TCP/110	POP3 for email monitoring (STM)
Supervisor	External Device	Outbound	TCP/143	IMAP for email monitoring (STM)
Supervisor	External Device	Outbound	TCP/993	IMAP/SSL for email monitoring (STM)
Supervisor	External Device	Outbound	TCP/995	POP/SSL for email monitoring (STM)
Supervisor	Mail Gateway	Outbound	TCP/SMTP	Sending email notification
Supervisor	NFS Server	Outbound	UDP/111, TCP/111	NFS Portmapper for writing events in NFS based deployments
Supervisor	Elasticsearch Coordinating Node	Outbound	HTTPS/9200 (configurable)	Storing events for Elasticsearch based deployments
Supervisor	Elasticsearch Coordinating Node	Outbound	HTTPS/9300 or HTTPS/443 (configurable)	Querying events for Elasticsearch based deployments
Supervisor	Spark Master Node	Outbound	HTTPS/7077 (configurable)	Querying events for HDFS based deployments
Supervisor	HDFS Name Node	Outbound	HTTPS/9000 (configurable)	Archiving events for HDFS based deployments

Worker Communication

From	To	Inbound or Outbound	Ports	Services
FortiSIEM Management User	Worker	Inbound	TCP/22	Admin access via SSH
FortiSIEM Management User	Worker	Inbound	ICMP	ICMP
Collector	Worker	Inbound	TCP/443	REST API access via HTTPS
Supervisor	Worker	Inbound	SSL/7900	phMonitorSuper to phMonitorWorker Communication
Worker	Supervisor	Outbound	SSL/7900	phMonitorWorker to phMonitorSuper communication
Worker	Supervisor	Outbound	SSL/7914	phParser on Worker to phParser on Supervisor for EPS enforcement
Supervisor	Worker	Inbound	SSL/7916	phQueryMaster to phQueryWorker communication
Worker	Supervisor	Outbound	SSL/7918	phQueryWorker to phQueryMaster Communication
Worker 6.1	Supervisor	Outbound	SSL/7920	phQueryMaster to phDataManager for trigger event query
Worker	Supervisor	Outbound	SSL/7922	phRuleWorker to phRuleMaster communication
Worker	Supervisor	Outbound	TLS (Supporting V1.3)/7928	phParser on Worker to phDiscover on Supervisor to trigger a device discovery after detecting Cisco IOS BGP or OSPF Adjacency Change change
Worker	Supervisor	Outbound	SSL/7934	phReportWorker to phReportMaster Communication
Worker	Supervisor	Outbound	SSL/7938	phIdentityWorker to phIpIdentityMaster
Worker	Supervisor	Outbound	TCP/5555	phFortiInsightAI module data collection
Supervisor	Worker	Inbound	TCP/6666	Redis communication
Worker	External Device	Outbound	UDP/161	SNMP based monitoring
External Device	Worker	Inbound	TCP/21	FTP (for receiving Bluecoat logs via ftp)
External Device	Worker	Inbound	UDP/162	SNMP Trap
External Device	Worker	Inbound	UDP/514	UDP syslog
External Device	Worker	Inbound	TCP/514	TCP syslog
External Device	Worker	Inbound	SSL/6514	Syslog over TLS
External Device	Worker	Inbound	UDP/2055	NetFlow
External Device	Worker	Inbound	UDP/6343	sFlow
Worker	External Windows Devices	Outbound	TCP/135, UDP/137, TCP/5985-5986	OMI based monitoring and log collection
Worker	External Windows Devices	Outbound	TCP/135	WMI based monitoring and log collection
Worker	External Devices	Outbound	TCP/389	LDAP discovery
Worker	External Devices	Outbound	TCP/1433	JDBC based monitoring and data collection
Worker	External Devices	Outbound	UDP/8686	JMX based monitoring and data collection
Worker	External Device	Outbound	TCP/443	HTTPS based log collection
Worker	External Device	Outbound	TCP/110	POP3 for email monitoring (STM)
Worker	External Device	Outbound	TCP/143	IMAP for email monitoring (STM)
Worker	External Device	Outbound	TCP/993	IMAP/SSL for email monitoring (STM)
Worker	External Device	Outbound	TCP/995	POP/SSL for email monitoring (STM)
Worker	Checkpoint	Outbound	TCP/18184	Checkpoint LEA based log collection
Worker	Checkpoint	Outbound	TCP/18190	Checkpoint CPMI based data collection
Worker	NFS Server	Outbound	UDP/111, TCP/111	NFS Portmapper for writing events in NFS based deployments
Worker	Elasticsearch Coordinating Node	Outbound	HTTPS/9200 (configurable)	Storing events for Elasticsearch based deployments
Worker	HDFS Name Node	Outbound	HTTPS/9000 (configurable)	Archiving events for HDFS based deployments

Collector Communication

From	To	Inbound or Outbound	Ports	Services
FortiSIEM Management User	Collector	Inbound	TCP/22	Admin access via SSH
FortiSIEM Management User	Collector	Inbound	ICMP	ICMP
Collector	Collector	Outbound	TCP/443	REST API access via HTTPS
Collector	Supervisor	Outbound	TCP/443	REST API access via HTTPS
Collector	External Device	Outbound	UDP/161	SNMP based monitoring
External Device	Collector	Inbound	TCP/21	FTP (for receiving Bluecoat logs via ftp)
External Device	Collector	Inbound	UDP/162	SNMP Trap
External Device	Collector	Inbound	UDP/514	UDP syslog
External Device	Collector	Inbound	TCP/514	TCP syslog
External Device	Collector	Inbound	SSL/6514	Syslog over TLS
External Device	Collector	Inbound	UDP/2055	NetFlow
External Device	Collector	Inbound	UDP/6343	sFlow
Collector	External Windows Devices	Outbound	TCP/135, UDP/137, TCP/5985-5986	OMI based monitoring and log collection
Collector	External Windows Devices	Outbound	TCP/135	WMI based monitoring and log collection
Collector	External Device	Outbound	TCP/110	POP3 for email monitoring (STM)
Collector	External Device	Outbound	TCP/143	IMAP for email monitoring (STM)
Collector	External Devices	Outbound	TCP/389	LDAP discovery
Collector	External Device	Outbound	TCP/443	HTTPS based log collection
Collector	External Device	Outbound	TCP/993	IMAP/SSL for email monitoring (STM)
Collector	External Device	Outbound	TCP/995	POP/SSL for email monitoring (STM)
Collector	External Devices	Outbound	TCP/1433	JDBC based monitoring and data collection
Collector	External Devices	Outbound	UDP/8686	JMX based monitoring and data collection
Collector	Checkpoint	Outbound	TCP/18184	Checkpoint LEA based log collection
Collector	Checkpoint	Outbound	TCP/18190	Checkpoint CPMI based data collection

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

External Systems Configuration Guide

FortiSIEM Port Usage

FortiSIEM Port Usage

FortiSIEM Manager Communication

Supervisor Communication

Worker Communication

Collector Communication

FortiSIEM Port Usage

FortiSIEM Port Usage

FortiSIEM Manager Communication

Supervisor Communication

Worker Communication

Collector Communication