FortiSIEM Port Usage
This chapter describes the external communication ports needed for various FortiSIEM nodes to work. The ports are broken down for:
- FortiSIEM Manager Communication
- Supervisor Communication
- Worker Communication
- Collector Communication
In release 6.6, some cleartext communication was replaced by SSL communication. If an entry in the tables below is marked 5.3, that entry is valid for releases 5.3 and below. If an entry is marked 6.6, that entry is valid for releases 6.6 and above.
Since FortiSIEM nodes communicate with each other (Worker to Worker, Worker to Supervisor, Supervisor to Worker), Fortinet recommends not using a firewall to block any communication between internal FortiSIEM nodes.
FortiSIEM Manager Communication

| From | To | Inbound or Outbound | Ports | Services |
|---|---|---|---|---|
| Supervisor | FortiSIEM Manager | Inbound | TCP/443 | Handle FortiSIEM Instance Registration and Incidents, license, and health upload from Instance |
| FortiSIEM Manager | Supervisor | Outbound | TCP/443 | Incident drill down and Incident Management from FortiSIEM Manager |
Supervisor Communication

| From | To | Inbound or Outbound | Ports | Services |
|---|---|---|---|---|
| FortiSIEM Management User | Supervisor | Inbound | ICMP | Monitoring via ICMP |
| Supervisor | Mail Gateway | Outbound | TCP/SMTP | Sending email notification |
| External Device | Supervisor | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via ftp) |
| FortiSIEM Management User | Supervisor | Inbound | TCP/22 | Admin access via SSH |
| Supervisor | Whois Servers | Outbound | 43 | Whois lookup service |
| Supervisor | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM) |
| Supervisor | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments |
| Supervisor | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection |
| Supervisor | External Windows Devices | Outbound | TCP/135, UDP/137, TCP/5985-5986 | OMI based monitoring and log collection |
| Supervisor | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM) |
| Supervisor | External Device | Outbound | UDP/161 | SNMP based monitoring |
| External Device | Supervisor | Inbound | UDP/162 | SNMP Trap |
| Supervisor | External Devices | Outbound | TCP/389 | LDAP discovery |
| Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/443 (configurable) or HTTPS/9300 | Querying events for Elasticsearch based deployments |
| Supervisor | FortiSIEM Manager | Outbound | TCP/443 | Register to FortiSIEM Manager and upload Incidents, license and health |
| FortiSIEM Manager | Supervisor | Inbound | TCP/443 | Incident drill down and Incident Management from FortiSIEM Manager |
| FortiSIEM Management User | Supervisor | Inbound | TCP/443 | GUI access via HTTPS |
| Collector, Worker, Windows Agent, Linux Agent | Supervisor | Inbound | TCP/443 | REST API access via HTTPS |
| Supervisor | External Device | Outbound | TCP/443 | HTTPS based log collection |
| External Device | Supervisor | Inbound | TCP/514 | TCP syslog |
| External Device | Supervisor | Inbound | UDP/514 | UDP syslog |
| Supervisor | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM) |
| Supervisor | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM) |
| Supervisor | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection |
| External Device | Supervisor | Inbound | TCP/1470 | TCP syslog |
| External Device | Supervisor | Inbound | UDP/2055 | NetFlow |
| Supervisor | Worker | Inbound, Outbound | RAFT/3888 | ClickHouse Keeper Traffic if Supervisor node is part of ClickHouse Keeper Cluster |
| Supervisor | Report Server | Outbound | TCP/5432 | PostgreSQL (report loading) |
| Worker | Supervisor | Inbound | TCP/5555 | phFortiInsightAI module data collection |
| External Device | Supervisor | Inbound | UDP/6343 | sFlow |
| External Device | Supervisor | Inbound | TLS (Supporting v1.2 & v1.3)/6514 | Syslog over TLS |
| Supervisor | Worker | Outbound | TCP/6666 | Redis communication |
| Supervisor | Spark Master Node | Outbound | HTTPS/7077 (configurable) | Querying events for HDFS based deployments |
| Supervisor (Primary) | Supervisor (Secondary for DR) | Inbound, Outbound | TCP/7900 | Disaster Recovery Setup |
| Worker | Supervisor | Inbound | TLS (Supporting v1.3)/7900 | phMonitorWorker to phMonitorSuper communication |
| Supervisor | Worker | Outbound | TLS (Supporting v1.3)/7900 | phMonitorSuper to phMonitorWorker communication |
| Worker | Supervisor | Inbound | TLS (Supporting v1.3)/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement |
| Supervisor | Worker | Outbound | TLS (Supporting v1.3)/7916 | phQueryMaster to phQueryWorker communication |
| Worker | Supervisor | Inbound | TLS (Supporting v1.3)/7918 | phQueryWorker to phQueryMaster communication |
| Worker 6.1 | Supervisor | Outbound | TLS (Supporting v1.3)/7920 | phQueryMaster to phDataManager for trigger event query |
| Worker | Supervisor | Inbound | TLS (Supporting v1.3)/7922 | phRuleWorker to phRuleMaster communication |
| Worker | Supervisor | Inbound | TLS (Supporting v1.3)/7928 | phParser on Worker to phDiscover on Supervisor to trigger a device discovery after detecting Cisco IOS BGP or OSPF Adjacency Change |
| Worker | Supervisor | Inbound | TLS (Supporting v1.3)/7934 | phReportWorker to phReportMaster communication |
| Worker | Supervisor | Inbound | TLS (Supporting v1.3)/7938 | phIdentityWorker to phIpIdentityMaster |
| Supervisor | Worker | Outbound | HTTP/8123, HTTPS/8443 | ClickHouse Database Query |
| Supervisor | Worker | Outbound | HTTP/8123, HTTPS/8443 | ClickHouse Database Insert if Supervisor receives events from Collectors or Workers and it is not chosen as a Data Node |
| Worker | Supervisor | Inbound | HTTP/8123, HTTPS/8443 | ClickHouse Database Insert if Supervisor is chosen as a Data Node |
| Supervisor | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection |
| Supervisor | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments |
| Supervisor | Worker | Inbound, Outbound | 9000, 9440 | ClickHouse Internal Communication |
| Supervisor | Worker | Inbound, Outbound | HTTP/9009, HTTPS/9010 | ClickHouse Database Replication if Supervisor is chosen as a Data Node |
| Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments |
| Supervisor | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection |
| Supervisor | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection |
| Collector | Supervisor | Inbound | TCP/19999 | Collector to Supervisor Reverse SSH Tunnel (disabled by default) |
| Supervisor | Collector | Outbound | TCP/20000-30000 | Collector to Super Reverse SSH Tunnel (disabled by default) |
| Spark Nodes | Supervisor | Inbound | TCP/60002-60003 | Elasticsearch to HDFS Archive |
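As an added check (example code, not Fortinet's), the script below compares the TCP ports a Supervisor is actually listening on with the inbound TCP ports documented in the Supervisor table above, and reports any network-reachable listener the table does not cover. It assumes the output format of `ss -Hltn` from iproute2; the sample output embedded here is constructed, not captured from a real node.

```python
# Inbound TCP ports documented for the Supervisor in the table above. Conditional
# entries (ClickHouse Data Node, DR, reverse SSH tunnel) are included, so the audit
# flags only listeners that the table does not document at all.
SUPERVISOR_INBOUND_TCP = {
    21, 22, 443, 514, 1470,                    # FTP, SSH, HTTPS, TCP syslog
    3888, 9000, 9009, 9010, 9440,              # ClickHouse Keeper / internal / replication
    8123, 8443,                                # ClickHouse insert when Supervisor is a Data Node
    5555,                                      # phFortiInsightAI
    6514,                                      # syslog over TLS
    7900, 7914, 7918, 7922, 7928, 7934, 7938,  # phMonitor, phParser, phQuery, phRule, ...
    19999,                                     # Collector reverse SSH tunnel (disabled by default)
    60002, 60003,                              # Elasticsearch to HDFS archive
}

LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_ss_listeners(ss_output):
    """Yield (address, port) for every LISTEN line of `ss -Hltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # split local "addr:port"
        if port.isdigit():
            yield addr, int(port)


def audit_listeners(ss_output, expected=SUPERVISOR_INBOUND_TCP):
    """Return sorted (port, address) pairs that other hosts can reach and that
    are not documented as inbound Supervisor ports."""
    unexpected = set()
    for addr, port in parse_ss_listeners(ss_output):
        if addr.startswith(LOOPBACK_PREFIXES):
            continue  # loopback-only sockets are not reachable from the network
        if port not in expected:
            unexpected.add((port, addr))
    return sorted(unexpected)


# Constructed sample of `ss -Hltn` output; not captured from a real FortiSIEM node.
SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
LISTEN 0 511  *:443          *:*
LISTEN 0 4096 127.0.0.1:6666 0.0.0.0:*
LISTEN 0 128  0.0.0.0:514    0.0.0.0:*
LISTEN 0 128  [::]:7900      [::]:*
LISTEN 0 128  0.0.0.0:4444   0.0.0.0:*
"""

if __name__ == "__main__":
    for port, addr in audit_listeners(SAMPLE_SS):
        print(f"undocumented listener: {addr}:{port}")
```

On a live node, pipe the real command output in place of `SAMPLE_SS`; UDP listeners need a separate pass with `ss -Hlun` against the UDP entries of the table.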
Worker Communication

| From | To | Inbound or Outbound | Ports | Services |
|---|---|---|---|---|
| FortiSIEM Management User | Worker | Inbound | ICMP | ICMP |
| External Device | Worker | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via ftp) |
| FortiSIEM Management User | Worker | Inbound | TCP/22 | Admin access via SSH |
| Worker | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM) |
| Worker | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments |
| Worker | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection |
| Worker | External Windows Devices | Outbound | TCP/135, UDP/137, TCP/5985-5986 | OMI based monitoring and log collection |
| Worker | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM) |
| Worker | External Device | Outbound | UDP/161 | SNMP based monitoring |
| External Device | Worker | Inbound | UDP/162 | SNMP Trap |
| Worker | External Devices | Outbound | TCP/389 | LDAP discovery |
| Worker | External Device | Outbound | TCP/443 | HTTPS based log collection |
| Collector | Worker | Inbound | TCP/443 | REST API access via HTTPS |
| External Device | Worker | Inbound | TCP/514 | TCP syslog |
| External Device | Worker | Inbound | UDP/514 | UDP syslog |
| Worker | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM) |
| Worker | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM) |
| Worker | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection |
| External Device | Supervisor | Inbound | TCP/1470 | TCP syslog |
| External Device | Worker | Inbound | UDP/2055 | NetFlow |
| Worker | Worker (ClickHouse Keeper) | Inbound, Outbound | TCP/2181 | Worker (Data/Query) Node to Keeper node traffic |
| Worker | Worker | Inbound, Outbound | RAFT/3888 | ClickHouse Keeper Traffic for Worker nodes that are part of ClickHouse Keeper Cluster |
| Worker | Supervisor | Outbound | TCP/5555 | phFortiInsightAI module data collection |
| External Device | Worker | Inbound | UDP/6343 | sFlow |
| External Device | Worker | Inbound | TLS (Supporting v1.2 & v1.3)/6514 | Syslog over TLS |
| Supervisor | Worker | Inbound | TCP/6666 | Redis communication |
| Worker | Supervisor | Outbound | TLS (Supporting v1.3)/7900 | phMonitorWorker to phMonitorSuper communication |
| Supervisor | Worker | Inbound | TLS (Supporting v1.3)/7900 | phMonitorSuper to phMonitorWorker communication |
| Worker | Supervisor | Outbound | TLS (Supporting v1.3)/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement |
| Supervisor | Worker | Inbound | TLS (Supporting v1.3)/7916 | phQueryMaster to phQueryWorker communication |
| Worker | Supervisor | Outbound | TLS (Supporting v1.3)/7918 | phQueryWorker to phQueryMaster communication |
| Worker 6.1 | Supervisor | Outbound | TLS (Supporting v1.3)/7920 | phQueryMaster to phDataManager for trigger event query |
| Worker | Supervisor | Outbound | TLS (Supporting v1.3)/7922 | phRuleWorker to phRuleMaster communication |
| Worker | Supervisor | Outbound | TLS (Supporting v1.3)/7928 | phParser on Worker to phDiscover on Supervisor to trigger a device discovery after detecting Cisco IOS BGP or OSPF Adjacency Change |
| Worker | Supervisor | Outbound | TLS (Supporting v1.3)/7934 | phReportWorker to phReportMaster communication |
| Worker | Supervisor | Outbound | TLS (Supporting v1.3)/7938 | phIdentityWorker to phIpIdentityMaster |
| Worker | Worker | Inbound, Outbound | HTTP/8123, HTTPS/8443 | ClickHouse Database Insert |
| Worker | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection |
| Worker | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments |
| Worker | Worker | Inbound, Outbound | 9000, 9440 | ClickHouse Internal Communication |
| Worker | Worker | Inbound, Outbound | HTTP/9009, HTTPS/9010 | ClickHouse Database Replication |
| Worker | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments |
| Worker | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection |
| Worker | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection |
| Spark Nodes | Supervisor | Inbound | TCP/60002-60003 | Elasticsearch to HDFS Archive |
Collector Communication

| From | To | Inbound or Outbound | Ports | Services |
|---|---|---|---|---|
| FortiSIEM Management User | Collector | Inbound | ICMP | ICMP |
| External Device | Collector | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via ftp) |
| FortiSIEM Management User | Collector | Inbound | TCP/22 | Admin access via SSH |
| Collector | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM) |
| Collector | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection |
| Collector | External Windows Devices | Outbound | TCP/135, UDP/137, TCP/5985-5986 | OMI based monitoring and log collection |
| Collector | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM) |
| Collector | External Device | Outbound | UDP/161 | SNMP based monitoring |
| External Device | Collector | Inbound | UDP/162 | SNMP Trap |
| Collector | External Devices | Outbound | TCP/389 | LDAP discovery |
| Collector | External Device | Outbound | TCP/443 | HTTPS based log collection |
| Collector | Collector | Outbound | TCP/443 | REST API access via HTTPS |
| Collector | Supervisor | Outbound | TCP/443 | REST API access via HTTPS |
| External Device | Collector | Inbound | UDP/514 | UDP syslog |
| External Device | Collector | Inbound | TCP/514 | TCP syslog |
| Collector | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM) |
| Collector | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM) |
| Collector | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection |
| External Device | Supervisor | Inbound | TCP/1470 | TCP syslog |
| External Device | Collector | Inbound | UDP/2055 | NetFlow |
| External Device | Collector | Inbound | UDP/6343 | sFlow |
| External Device | Collector | Inbound | TLS (Supporting v1.2 & v1.3)/6514 | Syslog over TLS |
| Collector | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection |
| Collector | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection |
| Collector | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection |
| Collector | Supervisor | Inbound | TCP/19999 | Collector to Super Reverse SSH Tunnel (disabled by default) |
| Supervisor | Collector | Outbound | TCP/20000-30000 | Collector to Super Reverse SSH Tunnel (disabled by default) |