May 9, 2014
01-520-112804-20140509

Copyright 2014 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation: docs.fortinet.com
Knowledge Base: kb.fortinet.com
Customer Service & Support: support.fortinet.com
Training Services: training.fortinet.com
FortiGuard: fortiguard.com
Document Feedback: techdocs@fortinet.com

Table of contents

Network Port Connectivity ........ 1
    TCP/IP Port Basics ........ 1
    Open Ports and Security ........ 1
    Planning and Troubleshooting ........ 2
Fortinet Port Numbers Diagram ........ 3
Table of TCP/UDP Ports used by Fortinet Products and Services ........ 4

TCP/UDP Ports used by Fortinet Products and Services

Network Port Connectivity

In network security, an open port typically refers to the TCP or UDP port number on which an application is configured to listen for a specific protocol. Open ports allow remote clients to reach network resources; if a port is not open, the service behind that port is unreachable. Such a port is known as a closed port.

TCP/IP Port Basics

In TCP/IP, the network communication session between two devices starts and ends with a TCP, UDP, or SCTP port. Fortinet devices do not communicate using SCTP, so this guide concentrates on TCP and UDP ports. The starting port of a session is usually referred to as the Source Port, and the port at the far end is referred to as the Destination Port. The Destination Port is also referred to as the Listening Port, because it is configured to listen for any traffic directed to that port number. Both TCP and UDP ports can send and receive data, but not simultaneously. To avoid confusion, some ports are considered 'standard' in that they listen for the traffic of commonly used protocols. If you wish to use non-standard ports for such commonly used protocols, you must perform additional manual configuration.

Because standard ports are used to listen for specific types of traffic, and because those same ports cannot also be used to send traffic, the Source Port is usually assigned a random port number that is not a standard listening port. For example, port 80 is the standard port listening for HTTP traffic. Since most networked devices have HTTP traffic going in and out, a randomly assigned port between 1025 and 65535 is opened and used as the Source Port. Ports 1 through 1024 are set aside because most of the commonly used ports are identified in this range.

At its simplest, a port has one of three states:

1. A port can be open and listening for traffic.
2. A port can be closed, potentially waiting to be used as a source port (if it is not between 1 and 1024).
3. A port can be active, sending out traffic as a Source Port.

Open Ports and Security

For a networked device to be ready to receive traffic from allowed sources, it has to open ports for that traffic. If all of the ports are left open, communicating with the device is easy and unobstructed. This is troubling because others can see those open ports as well. The services on a fully open network are exposed to external scrutiny, such as port scanning software that probes those ports for exploitable services. This is extremely undesirable. It is common in network security for all network ports to be closed, except for those required for specific services, such as FTP or web pages. As an administrator, it is your responsibility to ensure that all of the necessary ports are open and that all of the unnecessary ports are closed.

Planning and Troubleshooting

The purpose of this document is primarily to assist in planning and troubleshooting.
While every network is different, this document should help determine which ports need to be open on your network so that communication and traffic to and from Fortinet devices, especially those which enhance the performance of your environment, are not impeded. In addition, if you are experiencing connectivity issues, this guide can assist in troubleshooting the possible areas where traffic is inadvertently blocked. Due to the nature of firewalls, any ports or services that are not expressly permitted will be blocked. As such, it is useful to have an idea of which ports and services you may want open, with appropriate restrictions of course. The guide also contains a one-page diagram of network port connectivity for a quick reference print-out.

Refer to the following table for more information, including explanations of each port, the protocol in question, the application and its function, and most importantly the devices involved.

Table of TCP/UDP Ports used by Fortinet Products and Services

| Destination Port | Protocol(s) | Application(s) | Function(s) |
|---|---|---|---|
| 21 | TCP | FTP | Log and Report uploads from FortiAnalyzer; Anti-defacement backup and restoration (FTP), listening on FortiWeb; FTP configuration backup from FortiWeb to other device |
| 22 | TCP | SSH | SSH command-line-based management from Admin Workstation to Fortinet Device |
| 22 | TCP | FTP over SSH | Log and Report uploads to and from FortiCloud, and to and from FortiAnalyzer; Anti-defacement backup and restoration (SSH/SCP) from FortiWeb to other device; SFTP configuration backup from FortiWeb to other device |
| 23 | TCP | Telnet | Telnet command-line-based management from Admin Workstation to Fortinet devices; HA (FGCP) between HA FortiGates |
| 25 | TCP | SMTP | Alert Emails from FortiAnalyzer, FortiGate and FortiWeb to SMTP Mail Server; Encrypted Virus Samples auto-submitted to FortiGuard |
| 49 | TCP | TACACS+ | TACACS+ from FortiAnalyzer |
| 53 | UDP | DNS | DNS Lookups to DNS Servers and to FortiGuard |
| 53 | UDP | Fortinet Queries | FortiGuard Server List requests to FortiGuard; AntiSpam or Web Filtering rating lookup queries to FortiGuard; URL/AS rating lookup queries to FortiGuard; Real-time Black List (RBL) lookup requests to RBL services |
| 67 | UDP | DHCP | DHCP to and from FortiGate |
| 68 | UDP | DHCP Relay | DHCP Relay to and from FortiGate |
| 69 | UDP | TFTP | TFTP for backups, restoration, and firmware updates from FortiWeb to other device |
| 80 | TCP | Default unsecure Web-based Management of Fortinet Device | Admin Workstation to FortiAnalyzer, FortiAuthenticator, FortiGate, FortiManager and FortiWeb |
| 80 | TCP | HTTP | Proxied HTTP traffic from FortiGate |
| 80 | TCP | HTTP | Fortinet Device Registration to FortiGuard; AV update requests from FortiClient to FortiManager; Server health checks from FortiWeb to other device; Predefined HTTP service (only occurs if the service is used by a policy), listening on FortiWeb |
| 80 | TCP | Simple Certificate Enrollment Protocol (SCEP) | Issuing and revocation of digital certificates, listening on FortiAuthenticator |
| 88 | TCP | Kerberos | Account Authentication traffic from FortiAuthenticator to Active Directory Controllers |
| 123 | UDP | NTP | Time Synchronization from Fortinet Device to NTP Server |
| 135 | TCP | Client/Server (WMI, SEL) | FortiAuthenticator to Active Directory Controllers |
| 137 | UDP | Win Share | To and from FortiAnalyzer (not supported in FAZ v5.0/5.2); Anti-defacement backup and restoration (Windows-style share) from FortiWeb to other device |
| 138 | UDP | Win Share | To and from FortiAnalyzer (not supported in FAZ v5.0/5.2); Anti-defacement backup and restoration (Windows-style share) from FortiWeb to other device |
| 139 | TCP/UDP | NetBIOS | Win Share to and from FortiAnalyzer (not supported in FAZ v5.0/5.2); Anti-defacement backup and restoration (Windows-style share) from FortiWeb to other device |
| 161 | UDP | Simple Network Management Protocol (SNMP) | SNMP Poll from FortiManager to FortiGate; listening on FortiAuthenticator; listening on FortiWeb |
| 162 | UDP | Simple Network Management Protocol (SNMP) | Traps to SysLog server, to FortiAnalyzer and to FortiManager |
| 389 | TCP/UDP | LDAP | LDAP Lookups, Authentication Requests and Report queries; PKI Authentication to Active Directory Domain Controllers, to FortiAuthenticator and to LDAP Server |
| 443 | TCP | HTTPS | Default Secure Web-based Management of Fortinet Device from Admin Workstation to Fortinet Device; Firmware and Signature Downloads from FortiGuard; FGD SMS to FortiGuard; FC FTM to FortiGuard; FC Licensing to FortiGuard; Policy Override Auth to FortiGuard; AntiVirus/IPS updates to FortiGuard; URL/AS update requests to FortiGuard; Remote Vulnerability Scan updates to FortiGuard; Device Registration requests to FortiGuard; Server health checks from FortiWeb to other devices; Proxied HTTPS traffic from FortiGate to Proxy Server; FSSO Portal and Widget traffic |
| 443 | TCP | Representational State Transfer (REST) API / HTTP | Listening on FortiAnalyzer |
| 445 | TCP | Microsoft-DS | Active Directory, Windows shares; Domain Controller Polling from FortiAuthenticator to Active Directory Domain Controller; listening on FortiAnalyzer; NTLM authentication queries; Anti-defacement backup and restoration (Windows-style share) from FortiWeb to other device |
| 500 | UDP | IPsec | Secure SNMP over IPsec connection from FortiGate to FortiAnalyzer |
| 514 | TCP/UDP | Syslog messages; OFTP | Device Registration from FortiManager to FortiAnalyzer and from FortiGate to FortiAnalyzer; Quarantined files to FortiAnalyzer; Logs and Reports to SysLog server, FortiAnalyzer, FortiCloud and FortiManager; OFTP for file submission and statistics exchange between FortiGate and FortiSandbox (FortiCloud) |
| 520 | UDP | Routing Information Protocol (RIP) | Listening on FortiGate |
| 541 | TCP | Device Registration | Central Management from FortiManager; SSL Management Tunnel to FortiCloud |
| 636 | TCP | Lightweight Directory Access Protocol over TLS/SSL (LDAPS) | Encrypted LDAP authentication traffic from Fortinet Devices to Active Directory Domain Controllers; Fortinet Devices to LDAP servers (including FortiAuthenticator) |
| 703 | TCP | FGCP L2 | HA Heartbeat between HA FortiGates |
| 1000 | TCP | Policy Override Keepalive | Listening on FortiGate (closed by default, but can be enabled) |
| 1003 | TCP | Policy Override Keepalive | Listening on FortiGate (closed by default, but can be enabled) |
| 1812 | TCP | RADIUS | RADIUS Authentication Requests to FortiAuthenticator and to RADIUS Server |
| 1813 | UDP | RADIUS | RADIUS Accounting to FortiAuthenticator |
| 2049 | TCP | NFS | Network File System listening on FortiAnalyzer (not supported in FAZ v5.0/5.2) |
| 2302 | TCP | HTTP or HTTPS | Administrative access to the web-based manager's CLI dashboard widget (v3.0 MR5 only); listening on FortiAnalyzer; listening on FortiGate |
| 2560 | TCP | Online Certificate Status Protocol (OCSP) | Obtaining the revocation status of an X.509 digital certificate, listening on FortiAuthenticator |
| 3000 | TCP | Log aggregation | Listening on FortiAnalyzer (log aggregation server support requires model FortiAnalyzer 800 or greater) |
| 3306 | TCP | Remote MySQL database connection | Listening on FortiAnalyzer |
| 3784 | UDP | BFD | Listening on FortiGate |
| 4500 | UDP | IPsec | Secure SNMP over IPsec connection from FortiGate to FortiAnalyzer and from FortiGate to FortiManager |
| 5199 | TCP | HA | Heartbeat or synchronization listening on FortiManager |
| 6055 | UDP | HA heartbeat (Layer 2 multicast) | From FortiWeb to other device; listening on FortiWeb |
| 6056 | UDP | HA configuration synchronization (Layer 2 multicast) | From FortiWeb to other device; listening on FortiWeb |
| 8000 | TCP | FSSO | Windows Active Directory Collector Agent for Fortinet Single Sign-On: from Active Directory Collector to FortiGate; from FortiAuthenticator to FortiGate; from FortiGate to FortiAuthenticator |
| 8001 | TCP | SSO Mobility Agent | Passes user ID and IP address information from FortiClient to FortiAuthenticator (this functionality is not necessary for the completion of phase 1) |
| 8002 | TCP/UDP | FSSO | UDP (for plain traffic) or TCP (for encrypted traffic); FortiAuthenticator listening for Hierarchical FSSO information from Tier Supplier |
| 8003 | TCP | FSSO | FortiAuthenticator listening for traffic from DS/TS Agents with FSSO login information |
| 8008 | TCP | User authentication for policy override of HTTP traffic | Listening on FortiGate |
| 8009 | TCP | FortiClient Portal | Listening on FortiGate 1000A, 3600A, and 5005FA2 only |
| 8010 | TCP | User authentication for policy override of HTTPS traffic | From FortiClient to FortiGate (this port and IP address must be load balanced between all four FortiGate 1500Ds) |
| 8333 | TCP | Configuration replication | From FortiWeb to other device; listening on FortiWeb |
| 8888 | UDP | Application and Signature update requests; FortiGuard AntiSpam or Web Filtering rating lookup requests; URL/AS Rating requests | FortiClient to FortiGuard; FortiGate to FortiGuard; FortiClient to FortiManager; FortiGate to FortiManager; FortiGuard Server List from FortiClient to FortiGuard and from FortiGate to FortiGuard |
| 8890 | TCP | A/V, IPS signature, AntiSpam and Web Filtering update requests | FortiGate to FortiManager; FortiManager to FortiGuard |
| 8890 | ETH | Layer 2 | Between FortiGate and FortiManager for FortiGuard Updates |
| 8900 | TCP | VPN Settings distribution to authenticated FortiClient installations | FortiClient to FortiGate |
| 9443 | UDP | AV/IPS Push | FortiGuard to FortiGate; FortiGuard to FortiManager; FortiManager to FortiGate |
| 10443 | TCP | Connection to SSL-VPN Portals | Listening on FortiGate |
| 10151 | TCP | Contract validation | From FortiGate to FortiCloud |
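As an added example that is not part of the Fortinet guide, the following Python script applies the "necessary ports open, unnecessary ports closed" check from the Open Ports and Security section to a device: it compares a socket listing against a constructed subset of the table above (the rows where a FortiGate is the listener), separately flags ports the guide marks as closed by default and management services the guide itself labels unsecure, and reports anything the table does not document for that device. The FORTIGATE_DOCUMENTED subset, the ss -lntu-style sample listing and the category names are assumptions made for this example.

```python
import re
# Constructed subset of the guide's table: ports on which the guide lists a
# FortiGate as the listener/destination (assumption, not the guide's own data).
FORTIGATE_DOCUMENTED = {
    (22, "tcp"): "SSH management from Admin Workstation",
    (23, "tcp"): "Telnet management from Admin Workstation",
    (80, "tcp"): "Default unsecure web-based management from Admin Workstation",
    (443, "tcp"): "Secure web-based management from Admin Workstation",
    (520, "udp"): "RIP",
    (703, "tcp"): "FGCP L2 HA heartbeat between HA FortiGates",
    (3784, "udp"): "BFD",
    (8008, "tcp"): "User authentication for policy override of HTTP traffic",
    (10443, "tcp"): "SSL-VPN portal",
}
# Closed by default on a FortiGate per the guide, but can be enabled.
FORTIGATE_OPTIONAL = {(1000, "tcp"), (1003, "tcp")}
# Management services the guide itself labels unsecure (cleartext).
CLEARTEXT_MGMT = {(23, "tcp"), (80, "tcp")}
# One 'ss -lntu'-style line: netid, state, recv-q, send-q, local addr:port, peer
SOCKET_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(\d+)\s", re.M)

def parse_listeners(ss_output):
    """Return {(port, proto)} for every socket line in an ss-style listing."""
    return {(int(port), proto) for proto, port in SOCKET_RE.findall(ss_output)}

def audit(observed, documented, optional=frozenset(), cleartext=frozenset()):
    """Classify observed listeners against the documented set for a device."""
    documented = set(documented)
    return {
        "unexpected": sorted(observed - documented - optional),
        "optional_enabled": sorted(observed & optional),
        "cleartext_management": sorted(observed & cleartext),
        "documented_not_listening": sorted(documented - observed),
    }

def audit_fortigate(ss_output):
    """Audit a FortiGate socket listing against the guide's FortiGate rows."""
    return audit(parse_listeners(ss_output), FORTIGATE_DOCUMENTED,
                 FORTIGATE_OPTIONAL, CLEARTEXT_MGMT)

# Constructed sample listing (not real device output). Port 3306 is listed for
# FortiAnalyzer in the guide, so on a FortiGate it should be flagged.
SAMPLE_SS = """\
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:1000       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:3306       0.0.0.0:*
tcp   LISTEN 0      128    [::]:10443         [::]:*
udp   UNCONN 0      0      0.0.0.0:520        0.0.0.0:*
"""
```

Calling audit_fortigate(SAMPLE_SS) reports 3306/tcp as unexpected, 1000/tcp as an enabled optional port and 23/tcp as cleartext management; "documented_not_listening" is informational, since a documented port is only needed when its feature is in use.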