Fortinet black logo

Incoming ports

7.0.0
Copy Link
Copy Doc ID b078fa22-be50-11eb-92d0-00505692583a:637075
Download PDF

Incoming ports

Product

Purpose

Ports and protocols

Configurable

FortiAP-S

Syslog, Registration, Quarantine, Log & Report

TCP/443

CAPWAP

UDP/5246-5247

FortiAuthenticator

Policy Authentication through Captive Portal

TCP/1000

RADIUS Disconnect

TCP/1700

FortiClient

Remote IPsec VPN

UDP/500, UDP/4500

Yes

ESP (IP 50)

Remote SSL VPN

TCP/443

Yes

Remote SSL VPN when DTLS enabled

UDP/443

Yes

SSO Mobility Agent, FSSO

TCP/8001

Compliance and Security Fabric

TCP/8013

Yes

FortiExtender

Control channel

UDP/5246

Yes

Data channel

UDP/25246

Yes

FortiGate

HA Heartbeat

ETH Layer 0x8890, 0x8891, 0x8893

HA Synchronization

TCP/703

UDP/703

Administrator Access

TCP/22, TCP/80, TCP/443

Yes

ICMP

IPsec VPN

UDP/500, UDP/4500

Yes

ESP (IP 50)

IPsec VPN Forward Error Correction

UDP/50000

Unicast Heartbeat for Azure

UDP/730

DNS for Azure

UDP/53

Security Fabric

UDP/8014

FortiGuard

IPv4 FGFM tunnel

TCP/541

IPv6 FGFM tunnel

TCP/542

FortiManager

IPv4 FGFM tunnel

TCP/541

IPv6 FGFM tunnel

TCP/542

FortiPortal

API for communication (FortiOS REST API)

TCP/443

FortiToken Mobile

Approve/deny response from FortiToken Mobile

TCP/4433

Yes

FSSO server

FSSO

TCP/8001

Yes

Others

Administrator Access (SSH, HTTPS, HTTP)

TCP/22, TCP/80, TCP/443

Yes

ICMP

Policy Override Authentication

TCP/443, TCP/8008, TCP/8010, TCP/8015, TCP/8020

Yes

Policy Override Keepalive

TCP/1000, TCP/1003

SSL VPN

TCP/443

Yes

ACME service

TCP/80, TCP/443

AeroScout Vendor port

UDP/1144

External captive portal authentication with FortiAP in bridge mode

UDP/2000

RADIUS DAS feature - RFC 5176

UDP/3799

Note

Enabling some services will cause additional standard ports to open as the protocol necessitates. For example, enabling BGP will open TCP port 179. See View open and in use ports for more information.

Incoming ports

Product

Purpose

Ports and protocols

Configurable

FortiAP-S

Syslog, Registration, Quarantine, Log & Report

TCP/443

CAPWAP

UDP/5246-5247

FortiAuthenticator

Policy Authentication through Captive Portal

TCP/1000

RADIUS Disconnect

TCP/1700

FortiClient

Remote IPsec VPN

UDP/500, UDP/4500

Yes

ESP (IP 50)

Remote SSL VPN

TCP/443

Yes

Remote SSL VPN when DTLS enabled

UDP/443

Yes

SSO Mobility Agent, FSSO

TCP/8001

Compliance and Security Fabric

TCP/8013

Yes

FortiExtender

Control channel

UDP/5246

Yes

Data channel

UDP/25246

Yes

FortiGate

HA Heartbeat

ETH Layer 0x8890, 0x8891, 0x8893

HA Synchronization

TCP/703

UDP/703

Administrator Access

TCP/22, TCP/80, TCP/443

Yes

ICMP

IPsec VPN

UDP/500, UDP/4500

Yes

ESP (IP 50)

IPsec VPN Forward Error Correction

UDP/50000

Unicast Heartbeat for Azure

UDP/730

DNS for Azure

UDP/53

Security Fabric

UDP/8014

FortiGuard

IPv4 FGFM tunnel

TCP/541

IPv6 FGFM tunnel

TCP/542

FortiManager

IPv4 FGFM tunnel

TCP/541

IPv6 FGFM tunnel

TCP/542

FortiPortal

API for communication (FortiOS REST API)

TCP/443

FortiToken Mobile

Approve/deny response from FortiToken Mobile

TCP/4433

Yes

FSSO server

FSSO

TCP/8001

Yes

Others

Administrator Access (SSH, HTTPS, HTTP)

TCP/22, TCP/80, TCP/443

Yes

ICMP

Policy Override Authentication

TCP/443, TCP/8008, TCP/8010, TCP/8015, TCP/8020

Yes

Policy Override Keepalive

TCP/1000, TCP/1003

SSL VPN

TCP/443

Yes

ACME service

TCP/80, TCP/443

AeroScout Vendor port

UDP/1144

External captive portal authentication with FortiAP in bridge mode

UDP/2000

RADIUS DAS feature - RFC 5176

UDP/3799

Note

Enabling some services will cause additional standard ports to open as the protocol necessitates. For example, enabling BGP will open TCP port 179. See View open and in use ports for more information.