
External Systems Configuration Guide

FortiSIEM Port Usage

This chapter describes the external communication ports that the various FortiSIEM nodes need in order to work. The ports are broken down by node type:

  • FortiSIEM Manager Communication
  • Supervisor Communication
  • Worker Communication
  • Collector Communication

In release 7.2, some cleartext communication has been replaced by SSL communication. If an entry in the tables below is marked 5.3, that entry applies to releases 5.3 and earlier. If an entry is marked 7.2, that entry applies to releases 7.2 and later.

Note: Because FortiSIEM nodes communicate among themselves (Worker to Worker, Worker to Supervisor, Supervisor to Worker), Fortinet recommends that firewalls between internal FortiSIEM nodes not block any of this inter-node traffic.

FortiSIEM Manager Communication

| From | To | Inbound or Outbound | Ports | Services |
|---|---|---|---|---|
| Supervisor | FortiSIEM Manager | Inbound | TCP/443 | Handle FortiSIEM Instance Registration and Incidents, license, and health upload from Instance |
| FortiSIEM Manager | Supervisor | Outbound | TCP/443 | Incident drill down and Incident Management from FortiSIEM Manager |

Supervisor Communication

| From | To | Inbound or Outbound | Ports | Services |
|---|---|---|---|---|
| FortiSIEM Management User | Supervisor | Inbound | ICMP | Monitoring via ICMP |
| Supervisor | Mail Gateway | Outbound | TCP/SMTP | Sending email notification |
| External Device | Supervisor | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via ftp) |
| FortiSIEM Management User | Supervisor | Inbound | TCP/22 | Admin access via SSH |
| Supervisor | Whois Servers | Outbound | 43 | Whois lookup service (whois.geektools.com, whois.arin.net, whois.networksolutions.com, whois.internic.net, whois.nic.af, whois.ripe.net, whois.apnic.net, whois.amnic.net, whois.nic.gov, whois.nic.ad.jp, whois.nic.mx, whois.nic.us) |
| Supervisor | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM) |
| Supervisor | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments |
| Supervisor | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection |
| Supervisor | External Windows Devices | Outbound | TCP/135, UDP/137, TCP/5985-5986 | OMI based monitoring and log collection |
| Supervisor | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM) |
| Supervisor | External Device | Outbound | UDP/161 | SNMP based monitoring |
| External Device | Supervisor | Inbound | UDP/162 | SNMP Trap |
| Supervisor | External Devices | Outbound | TCP/389 | LDAP discovery |
| Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/443 (configurable) or HTTPS/9300 | Querying events for Elasticsearch based deployments |
| Supervisor | FortiSIEM Manager | Outbound | TCP/443 | Register to FortiSIEM Manager and upload Incidents, license and health |
| FortiSIEM Manager | Supervisor | Inbound | TCP/443 | Incident drill down and Incident Management from FortiSIEM Manager |
| FortiSIEM Management User | Supervisor | Inbound | TCP/443 | GUI access via HTTPS |
| Collector, Worker, Windows Agent, Linux Agent | Supervisor | Inbound | TCP/443 | REST API access via HTTPS |
| Supervisor | External Device | Outbound | TCP/443 | HTTPS based log collection |
| Supervisor | External Device | Inbound, Outbound | TCP/443 | IOC feed and IOC lookups connect to productapi.fortinet.com; validation of Collector and Agent packages; Content Updates; FortiGuard Services (update.fortiguard.net); and OS updates (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) |
| External Device | Supervisor | Inbound | TCP/514 | TCP syslog |
| External Device | Supervisor | Inbound | UDP/514 | UDP syslog |
| Supervisor | External Devices | Outbound | TCP/636 | LDAPS discovery |
| Supervisor | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM) |
| Supervisor | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM) |
| Supervisor | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection |
| External Device | Supervisor | Inbound | TCP/1470 | TCP syslog |
| External Device | Supervisor | Inbound | UDP/2055 | NetFlow |
| Supervisor | External Devices | Outbound | TCP/3268 | LDAP discovery (Global Catalog port, Global Catalog TLS port) |
| Supervisor | External Devices | Outbound | TCP/3269 | LDAPS discovery (Global Catalog port) |
| Supervisor | Worker | Inbound, Outbound | RAFT/3888 | ClickHouse Keeper traffic if the Supervisor node is part of the ClickHouse Keeper Cluster |
| Supervisor | Report Server | Outbound | TCP/5432 | PostgreSQL (report loading) |
| Worker | Supervisor | Inbound | TCP/5555 | phFortiInsightAI module data collection |
| External Device | Supervisor | Inbound | UDP/6343 | sFlow |
| External Device | Supervisor | Inbound | TLS (Supporting v1.2 & v1.3)/6514 | Syslog over TLS |
| Supervisor | Worker | Outbound | TCP/6666 | Redis communication |
| Supervisor | Spark Master Node | Outbound | HTTPS/7077 (configurable) | Querying events for HDFS based deployments |
| Worker | Supervisor | Inbound | TLS (Supporting v1.3)/7900 | phMonitorWorker to phMonitorSuper communication |
| Supervisor | Worker | Outbound | TLS (Supporting v1.3)/7900 | phMonitorSuper to phMonitorWorker communication |
| Supervisor (Primary) | Supervisor (Secondary for DR) | Inbound, Outbound | TCP/7900 | Disaster Recovery setup |
| Worker | Supervisor | Inbound | TLS (Supporting v1.3)/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement |
| Supervisor | Worker | Outbound | TLS (Supporting v1.3)/7916 | phQueryMaster to phQueryWorker communication |
| Worker | Supervisor | Inbound | TLS (Supporting v1.3) | phQueryWorker to phQueryMaster communication |
| Worker 6.1 | Supervisor | Outbound | TLS (Supporting v1.3)/7920 | phQueryMaster to phDataManager for trigger event query |
| Worker | Supervisor | Inbound | TLS (Supporting v1.3) | phRuleWorker to phRuleMaster communication |
| Worker | Supervisor | Inbound | TLS (Supporting v1.3)/7928 | phParser on Worker to phDiscover on Supervisor to trigger a device discovery after detecting a Cisco IOS BGP or OSPF Adjacency Change |
| Worker | Supervisor | Inbound | TLS (Supporting v1.3) | phReportWorker to phReportMaster communication |
| Worker | Supervisor | Inbound | TLS (Supporting v1.3)/7938 | phIdentityWorker to phIpIdentityMaster |
| Supervisor | Worker | Outbound | HTTP/8123, HTTPS/8443 | ClickHouse Database Query |
| Supervisor | Worker | Outbound | HTTP/8123, HTTPS/8443 | ClickHouse Database Insert if the Supervisor receives events from Collectors or Workers and is not chosen as a Data Node |
| Worker | Supervisor | Inbound | HTTP/8123, HTTPS/8443 | ClickHouse Database Insert if the Supervisor is chosen as a Data Node |
| Supervisor | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection |
| Supervisor | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments |
| Supervisor | Worker | Inbound, Outbound | 9000, 9440 | ClickHouse internal communication |
| Supervisor | Worker | Inbound, Outbound | HTTP/9009, HTTPS/9010 | ClickHouse Database Replication if the Supervisor is chosen as a Data Node |
| Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments |
| Supervisor | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection |
| Supervisor | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection |
| Collector | Supervisor | Inbound | TCP/19999 | Collector to Supervisor Reverse SSH Tunnel (disabled by default) |
| Supervisor | Collector | Outbound | TCP/20000-30000 | Collector to Supervisor Reverse SSH Tunnel (disabled by default) |
| Worker | Supervisor | Inbound | gRPC (TLS v1.2)/27918 | phQueryWorker to phQueryMaster communication |
| Worker | Supervisor | Inbound | gRPC (TLS v1.2)/27918 | phRuleWorker to phRuleMaster communication |
| Worker | Supervisor | Inbound | gRPC (TLS v1.2)/27934 | phReportWorker to phReportMaster communication |
| Spark Nodes | Supervisor | Inbound | TCP/60002-60003 | Elasticsearch to HDFS Archive |
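The Ports column above mixes several notations (a bare port, "TCP/5985-5986", "UDP/111, TCP/111", "TLS (Supporting v1.3)/7900", "gRPC (TLS v1.2)/27918", "HTTPS/443 (configurable) or HTTPS/9300", "ICMP", and cells such as "TCP/SMTP" or "TLS (Supporting v1.3)" that name no port number), and the Inbound/Outbound column is relative to the node each table describes. The script below is an added example, not Fortinet's own tooling: it parses that notation into transport/port ranges and emits nftables input rules for one node, restricting inter-node rows to source subnets you supply and reporting the cells that cannot be turned into a rule. The subnets in `SOURCES` are constructed placeholders, and every label other than UDP (TLS, gRPC, HTTP, HTTPS, RAFT, a bare port) is assumed to run over TCP, which is an assumption of this example rather than a statement from the page.

```python
"""Turn the port notation used in the FortiSIEM port tables into nftables
allow-rules for one node. Added example; not Fortinet's code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: any label other than UDP/ICMP (TLS, gRPC, HTTP, HTTPS, RAFT, or a
# bare port number such as "43") is carried over TCP.
_UDP_LABELS = {"UDP"}

_ENTRY_RE = re.compile(
    r"^(?:(?P<label>[A-Za-z]+)(?:\s*\([^)]*\))?\s*/\s*)?"  # optional "TLS (v1.3)/"
    r"(?P<lo>\d+)(?:\s*-\s*(?P<hi>\d+))?"                   # port or port range
    r"\s*(?:\([^)]*\))?$"                                   # optional "(configurable)"
)


@dataclass(frozen=True)
class PortRule:
    proto: str      # "tcp", "udp" or "icmp"
    first: int = 0  # 0 for icmp
    last: int = 0


def parse_ports(text: str) -> list[PortRule]:
    """Parse one Ports cell, e.g. 'TCP/135, UDP/137, TCP/5985-5986'.
    Raises ValueError for cells that name no port number ('TCP/SMTP')."""
    rules = []
    for piece in re.split(r"\s*,\s*|\s+or\s+", text.strip()):
        if piece.upper() == "ICMP":
            rules.append(PortRule("icmp"))
            continue
        m = _ENTRY_RE.match(piece)
        if not m:
            raise ValueError(f"no port number in {piece!r}")
        label = (m.group("label") or "TCP").upper()
        lo = int(m.group("lo"))
        hi = int(m.group("hi") or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in {piece!r}")
        rules.append(PortRule("udp" if label in _UDP_LABELS else "tcp", lo, hi))
    return rules


def render_rule(rule: PortRule, saddr: str = "") -> str:
    """nftables rule fragment for one PortRule, optionally limited to a source."""
    src = f"ip saddr {saddr} " if saddr else ""
    if rule.proto == "icmp":
        return f"{src}icmp type echo-request accept"
    dport = str(rule.first) if rule.first == rule.last else f"{rule.first}-{rule.last}"
    return f"{src}{rule.proto} dport {dport} accept"


def inbound_allowlist(rows, node: str, sources: dict[str, str]):
    """Build deduplicated nftables input rules for `node` from table rows
    (from, to, direction, ports, service). A row counts as inbound to `node`
    when `node` is one endpoint and the direction contains 'Inbound'. `sources`
    maps a peer role to a CIDR; peers missing from it (e.g. 'External Device')
    get no source restriction. Returns (rules, unresolved)."""
    rules, unresolved, seen = [], [], set()
    for frm, to, direction, ports, service in rows:
        if node not in (frm, to) or "Inbound" not in direction:
            continue
        peer = frm if to == node else to
        try:
            parsed = parse_ports(ports)
        except ValueError:
            unresolved.append((peer, ports, service))
            continue
        for pr in parsed:
            line = render_rule(pr, sources.get(peer, ""))
            if line not in seen:
                seen.add(line)
                rules.append(f'{line} comment "{service}"')
    return rules, unresolved


# Constructed subset of the Supervisor table above (same cell text).
SUPERVISOR_ROWS = [
    ("FortiSIEM Management User", "Supervisor", "Inbound", "ICMP", "Monitoring via ICMP"),
    ("Supervisor", "Mail Gateway", "Outbound", "TCP/SMTP", "Sending email notification"),
    ("FortiSIEM Management User", "Supervisor", "Inbound", "TCP/22", "Admin access via SSH"),
    ("FortiSIEM Management User", "Supervisor", "Inbound", "TCP/443", "GUI access via HTTPS"),
    ("Collector, Worker, Windows Agent, Linux Agent", "Supervisor", "Inbound", "TCP/443", "REST API access via HTTPS"),
    ("External Device", "Supervisor", "Inbound", "UDP/514", "UDP syslog"),
    ("External Device", "Supervisor", "Inbound", "TLS (Supporting v1.2 & v1.3)/6514", "Syslog over TLS"),
    ("Worker", "Supervisor", "Inbound", "TLS (Supporting v1.3)/7900", "phMonitorWorker to phMonitorSuper communication"),
    ("Worker", "Supervisor", "Inbound", "TLS (Supporting v1.3)", "phQueryWorker to phQueryMaster Communication"),
    ("Supervisor", "Worker", "Inbound, Outbound", "9000, 9440", "ClickHouse Internal Communication"),
    ("Collector", "Supervisor", "Inbound", "TCP/19999", "Collector to Supervisor Reverse SSH Tunnel (disabled by default)"),
    ("Worker", "Supervisor", "Inbound", "gRPC (TLS v1.2)/27918", "phQueryWorker to phQueryMaster Communication"),
]

# Constructed placeholder subnets; replace with the real node networks.
SOURCES = {
    "FortiSIEM Management User": "10.10.0.0/24",
    "Worker": "10.10.1.0/24",
    "Collector": "10.10.2.0/24",
}

if __name__ == "__main__":
    rules, unresolved = inbound_allowlist(SUPERVISOR_ROWS, "Supervisor", SOURCES)
    for r in rules:
        print(f"nft add rule inet filter input {r}")
    for peer, ports, service in unresolved:
        print(f"# review manually: {peer} -> {ports!r} ({service})")
```

Rows whose Ports cell names no number are reported rather than silently dropped, which matters here because several inter-node entries (phQueryWorker, phRuleWorker, phReportWorker over TLS) carry no port on the page and must be resolved from the FortiSIEM deployment itself before a default-deny ruleset can be applied between nodes.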

Worker Communication

| From | To | Inbound or Outbound | Ports | Services |
|---|---|---|---|---|
| FortiSIEM Management User | Worker | Inbound | ICMP | Monitoring via ICMP |
| External Device | Worker | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via ftp) |
| FortiSIEM Management User | Worker | Inbound | TCP/22 | Admin access via SSH |
| Worker | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM) |
| Worker | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments |
| Worker | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection |
| Worker | External Windows Devices | Outbound | TCP/135, UDP/137, TCP/5985-5986 | OMI based monitoring and log collection |
| Worker | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM) |
| Worker | External Device | Outbound | UDP/161 | SNMP based monitoring |
| External Device | Worker | Inbound | UDP/162 | SNMP Trap |
| Worker | External Devices | Outbound | TCP/389 | LDAP discovery |
| Worker | External Device | Outbound | TCP/443 | HTTPS based log collection |
| Collector | Worker | Inbound | TCP/443 | REST API access via HTTPS |
| External Device | Worker | Inbound | TCP/514 | TCP syslog |
| External Device | Worker | Inbound | UDP/514 | UDP syslog |
| Worker | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM) |
| Worker | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM) |
| Worker | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection |
| External Device | Supervisor | Inbound | TCP/1470 | TCP syslog |
| External Device | Worker | Inbound | UDP/2055 | NetFlow |
| Worker | Worker (ClickHouse Keeper) | Inbound, Outbound | TCP/2181 | Worker (Data/Query) node to Keeper node traffic |
| Worker | Worker | Inbound, Outbound | RAFT/3888 | ClickHouse Keeper traffic for Worker nodes that are part of the ClickHouse Keeper Cluster |
| Worker | Supervisor | Outbound | TCP/5555 | phFortiInsightAI module data collection |
| External Device | Worker | Inbound | UDP/6343 | sFlow |
| External Device | Worker | Inbound | TLS (Supporting v1.2 & v1.3)/6514 | Syslog over TLS |
| Supervisor | Worker | Inbound | TCP/6666 | Redis communication |
| Worker | Supervisor | Outbound | TLS (Supporting v1.3)/7900 | phMonitorWorker to phMonitorSuper communication |
| Supervisor | Worker | Inbound | TLS (Supporting v1.3)/7900 | phMonitorSuper to phMonitorWorker communication |
| Worker | Supervisor | Outbound | TLS (Supporting v1.3)/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement |
| Supervisor | Worker | Inbound | TLS (Supporting v1.3)/7916 | phQueryMaster to phQueryWorker communication |
| Worker | Supervisor | Outbound | TLS (Supporting v1.3) | phQueryWorker to phQueryMaster communication |
| Worker 6.1 | Supervisor | Outbound | TLS (Supporting v1.3)/7920 | phQueryMaster to phDataManager for trigger event query |
| Worker | Supervisor | Outbound | TLS (Supporting v1.3) | phRuleWorker to phRuleMaster communication |
| Worker | Supervisor | Outbound | TLS (Supporting v1.3)/7928 | phParser on Worker to phDiscover on Supervisor to trigger a device discovery after detecting a Cisco IOS BGP or OSPF Adjacency Change |
| Worker | Supervisor | Outbound | TLS (Supporting v1.3) | phReportWorker to phReportMaster communication |
| Worker | Supervisor | Outbound | TLS (Supporting v1.3)/7938 | phIdentityWorker to phIpIdentityMaster |
| Worker | Worker | Inbound, Outbound | HTTP/8123, HTTPS/8443 | ClickHouse Database Insert |
| Worker | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection |
| Worker | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments |
| Worker | Worker | Inbound, Outbound | 9000, 9440 | ClickHouse internal communication |
| Worker | Worker | Inbound, Outbound | HTTP/9009, HTTPS/9010 | ClickHouse Database Replication |
| Worker | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments |
| Worker | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection |
| Worker | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection |
| Worker | Supervisor | Outbound | gRPC (TLS v1.2)/27918 | phQueryWorker to phQueryMaster communication |
| Worker | Supervisor | Outbound | gRPC (TLS v1.2)/27922 | phRuleWorker to phRuleMaster communication |
| Worker | Supervisor | Outbound | gRPC (TLS v1.2)/27934 | phReportWorker to phReportMaster communication |
| Spark Nodes | Supervisor | Inbound | TCP/60002-60003 | Elasticsearch to HDFS Archive |

Collector Communication

| From | To | Inbound or Outbound | Ports | Services |
|---|---|---|---|---|
| FortiSIEM Management User | Collector | Inbound | ICMP | Monitoring via ICMP |
| External Device | Collector | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via ftp) |
| FortiSIEM Management User | Collector | Inbound | TCP/22 | Admin access via SSH |
| Collector | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM) |
| Collector | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection |
| Collector | External Windows Devices | Outbound | TCP/135, UDP/137, TCP/5985-5986 | OMI based monitoring and log collection |
| Collector | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM) |
| Collector | External Device | Outbound | UDP/161 | SNMP based monitoring |
| External Device | Collector | Inbound | UDP/162 | SNMP Trap |
| Collector | External Devices | Outbound | TCP/389 | LDAP discovery |
| Collector | External Device | Outbound | TCP/443 | HTTPS based log collection |
| Collector | Collector | Outbound | TCP/443 | REST API access via HTTPS |
| Collector | Supervisor | Outbound | TCP/443 | REST API access via HTTPS |
| External Device | Collector | Inbound | UDP/514 | UDP syslog |
| External Device | Collector | Inbound | TCP/514 | TCP syslog |
| Collector | External Devices | Outbound | TCP/636 | LDAPS discovery |
| Collector | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM) |
| Collector | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM) |
| Collector | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection |
| External Device | Supervisor | Inbound | TCP/1470 | TCP syslog |
| External Device | Collector | Inbound | UDP/2055 | NetFlow |
| Collector | External Devices | Outbound | TCP/3268 | LDAP discovery (Global Catalog port, Global Catalog TLS port) |
| Collector | External Devices | Outbound | TCP/3269 | LDAPS discovery (Global Catalog port) |
| External Device | Collector | Inbound | UDP/6343 | sFlow |
| External Device | Collector | Inbound | TLS (Supporting v1.2 & v1.3)/6514 | Syslog over TLS |
| Collector | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection |
| Collector | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection |
| Collector | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection |
| Collector | Supervisor | Inbound | TCP/19999 | Collector to Supervisor Reverse SSH Tunnel (disabled by default) |
| Supervisor | Collector | Outbound | TCP/20000-30000 | Collector to Supervisor Reverse SSH Tunnel (disabled by default) |