FortiGate open ports
Incoming ports

| | Purpose | Protocol/Port |
|---|---|---|
| | Syslog, OFTP, Registration, Quarantine, Log & Report | TCP/443 |
| | CAPWAP | UDP/5246, UDP/5247 |
| | Policy Authentication through Captive Portal | TCP/1000 |
| | RADIUS disconnect | TCP/1700 |
| | Remote IPsec VPN access | UDP/IKE 500, ESP (IP 50), NAT-T 4500 |
| | Remote SSL VPN access | TCP/443 |
| | SSO Mobility Agent, FSSO | TCP/8001 |
| | Compliance and Security Fabric | TCP/8013 (by default; this port can be customized) |
| FortiGate | HA Heartbeat | ETH Layer 0x8890, 0x8891, and 0x8893 |
| | HA Synchronization | TCP/703, UDP/703 |
| | Unicast Heartbeat for Azure | UDP/730 |
| | DNS for Azure | UDP/53 |
| | Security Fabric | UDP/8014 |
| | Management | TCP/541 |
| | AV/IPS | UDP/9443 |
| | AV/IPS Push | UDP/9443 |
| | IPv4 FGFM management | TCP/541 |
| | IPv6 FGFM management | TCP/542 |
| | API communications (FortiOS REST API, used for Wireless Analytics) | TCP/443 |
| | FSSO | TCP/8001 (by default; this port can be customized) |
| Others | Web Admin | TCP/80, TCP/443 |
| | Policy Override Authentication | TCP/443, TCP/8008, TCP/8010 |
| | Policy Override Keepalive | TCP/1000, TCP/1003 |
| | SSL VPN | TCP/443 |
| | AeroScout Vendor port | UDP/1144 |
| | External captive portal authentication with FortiAP in bridge mode | UDP/2000 |
| | RADIUS DAS feature - RFC 5176 | UDP/3799 |
Outgoing ports

| | Purpose | Protocol/Port |
|---|---|---|
| | Syslog, OFTP, Registration, Quarantine, Log & Report | TCP/514 |
| | LDAP, PKI Authentication | TCP or UDP/389 |
| | RADIUS | UDP/1812 |
| | FSSO | TCP/8000 |
| | RADIUS Accounting | UDP/1813 |
| | SCEP | TCP/80, TCP/443 |
| | CRL Download | TCP/80 |
| | External Captive Portal | TCP/443 |
| FortiGate | HA Heartbeat | ETH Layer 0x8890, 0x8891, and 0x8893 |
| | HA Synchronization | TCP/703, UDP/703 |
| | Unicast Heartbeat for Azure | UDP/730 |
| | DNS for Azure | UDP/53 |
| | Registration, Quarantine, Log & Report, Syslog | TCP/443 |
| | OFTP | TCP/514 |
| | Management | TCP/541 |
| | Contract Validation | TCP/443 |
| | AV/IPS Update | TCP/443, TCP/8890 |
| | Cloud App DB | TCP/9582 |
| | FortiGuard Queries | UDP/53, UDP/8888, TCP/53, TCP/8888, TCP/443 (as part of Anycast servers) |
| | SDNS queries for DNS Filter | UDP/53, TCP/853 (as part of Anycast servers) |
| | Registration | TCP/80 |
| | Alert Email, Virus Sample | TCP/25 |
| | Management, Firmware, SMS, FTM, Licensing, Policy Override | TCP/443 |
| | Central Management, Analysis | TCP/541 |
| | IPv4 FGFM management | TCP/541 |
| | IPv6 FGFM management | TCP/542 |
| | Log & Report | TCP or UDP/514 |
| | FortiGuard Queries | UDP/53, UDP/8888, TCP/80, TCP/8888 |
| | OFTP | TCP/514 |
| Others | FSSO | TCP/8001 (by default; this port can be customized) |

While a proxy is configured, FortiGate uses the following URLs to access the FortiGuard Distribution Network (FDN):

Enabling some services will cause additional standard ports to open as the protocol necessitates. For example, enabling BGP will open TCP port 179. See View open and in use ports for more information.