FortiGate units originate some network traffic themselves (as opposed to traffic passing through them), for example to send log messages to remote log servers, send SNMP traps, and resolve network names using DNS.

| Service | Ports |
| --- | --- |
| Syslog. All FortiOS versions use syslog to send log messages to remote syslog servers. FortiOS v2.80 and v3.0 also use syslog to send log messages to FortiAnalyzer. | UDP 514 |
| Alert email and quarantine auto submit (using encrypted SMTP email) | TCP 25 |
| SNMP traps | UDP 162 |
| DNS lookup | UDP 53 |
| NTP synchronization | UDP 123 |

FortiGate units communicate with the FortiGuard Distribution Network (FDN) using the following ports. The ports that FortiClient and FortiManager use to communicate with the FDN are also listed below.

| Service | Ports |
| --- | --- |
| FortiOS v3.0 FortiGuard Antivirus updates | TCP 443 |
| FortiOS v2.80 FortiGuard Antivirus updates | TCP 443, TCP 8443 |
| FortiOS v2.50 FortiGuard Antivirus updates | TCP 8890 |
| FortiClient FortiGuard Antivirus updates | TCP 80 |
| FortiOS v3.0 FortiGuard Web Filtering and Antispam | UDP 53 (default) or UDP 8888 |
| FortiOS v2.80 FortiGuard Web Filtering | UDP 8888 |
| FortiOS v2.80 FortiGuard Antispam (FortiShield) | UDP 8889 |
| FortiManager v3.0 FortiGuard Web Filtering and Antispam | TCP 443 and TCP 8890 |

When operating with the factory default configuration, FortiGate units do not accept TCP or UDP connections on any port. The one exception is the default internal interface, which accepts HTTPS connections on TCP port 443.
The following table lists the TCP and UDP ports that FortiGate units listen on when you enable various configuration options.

| Service | Ports |
| --- | --- |
| Telnet Administrative Access to the CLI | TCP 21 |
| SSH Administrative Access to the CLI | TCP 22 |
| HTTP Administrative Access to the Web-based manager | TCP 80 |
| HTTPS Administrative Access to the Web-based manager | TCP 443 |
| Default port to use for override authentication | TCP 8008 |
| FortiGuard Distribution Network (FDN) Antivirus and IPS push updates | TCP 9443 |
| SSL VPN connections (SSL VPN enabled) | TCP 10443 |
| FortiOS v3.0 VPN Policy Distribution to FortiClient (enabled from CLI using `config vpn ipsec forticlient`). | TCP 8900 |