Fortinet Document Library


AWS Cookbook

6.2.0

Opening ports in the security group

By default, when you deploy FortiGate-VM, you can select a predefined security group based on Fortinet's recommendation. The predefined security group allows the following ports, chosen to cover immediate and near-future needs.

 

| Direction | Protocol/ports | Purpose |
|---|---|---|
| Incoming | TCP 22 | SSH |
| Incoming | TCP 80 | HTTP |
| Incoming | TCP 443 | HTTPS, management GUI access to the FortiGate-VM |
| Incoming | TCP 541 | Management by FortiManager located outside AWS |
| Incoming | TCP 3000 | Not immediately required, but typically used for incoming access to web servers, and so on |
| Incoming | TCP 8080 | |
| Outgoing | Any | |

FortiGate-specific open ports are explained in Fortinet Communication Ports and Protocols.

To configure bare-minimum access with the strictest incoming rules, allow only TCP 443 for access to the FortiGate-VM GUI console, as described in Connecting to the FortiGate-VM, and close all other ports. You may also want to allow ICMP for pinging, and so on, as needed.
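An added example, not part of the Fortinet documentation: a Python check that takes one security group in the JSON shape returned by `aws ec2 describe-security-groups` and lists the inbound rules that go beyond the bare minimum described above (TCP 443, optionally ICMP), with a matching `aws ec2 revoke-security-group-ingress` command for each. The group ID, source range, and function names are constructed for illustration, and passing a described rule back through `--ip-permissions` is an assumption about how you choose to remove it.

```python
import json
import shlex

def excess_ingress(group, allowed_tcp=frozenset({443}), allow_icmp=True):
    """Return the inbound rules of `group` that exceed the bare minimum.

    `group` is one entry of "SecurityGroups" from `aws ec2 describe-security-groups`.
    """
    excess = []
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if proto == "icmp" and allow_icmp:
            continue  # optional ping access
        # A TCP rule passes only if every port in its range is allowed.
        if proto == "tcp" and lo is not None and all(
                p in allowed_tcp for p in range(lo, hi + 1)):
            continue
        excess.append(perm)  # includes "-1" (all traffic), which has no ports
    return excess

def revoke_commands(group, **policy):
    """Build one AWS CLI revoke command per excess rule (review before running)."""
    return [
        "aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions %s"
        % (shlex.quote(group["GroupId"]), shlex.quote(json.dumps([perm])))
        for perm in excess_ingress(group, **policy)
    ]

def tcp_rule(port, cidr="203.0.113.0/24"):
    """Constructed single-port TCP rule; the source range is a documentation prefix."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}

# Constructed sample: the predefined group's inbound ports from the table, plus ICMP.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",  # placeholder ID
    "IpPermissions": [tcp_rule(p) for p in (22, 80, 443, 541, 3000, 8080)] + [
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}],
}

if __name__ == "__main__":
    for command in revoke_commands(SAMPLE_GROUP):
        print(command)
```

Each generated command revokes the whole rule, including every source range attached to it, so compare the list with the services you actually publish (for example, FortiManager on TCP 541) before applying any of them.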
