FortiClient connects to EMS and FortiGate over an SSL connection. All protocol exchanges flow through this secure connection. The connection is closed after protocol exchanges between both parties are complete. The SSL connections require a valid certificate.
You can configure Telemetry connections between FortiClient and FortiGate or EMS to require a preshared password or connection key. See Configuring EMS settings.
The default Telemetry port number is 8013. You can change this in EMS and FortiClient. When a port is not provided, FortiClient always attempt to connect to the default port, which is 8013. Changing this in EMS locks out endpoints that are still using the default.
At any time, you can disconnect a rogue endpoint from EMS and prevent it from reconnecting to EMS in the future.
See Required services and ports for a list of TCP/IP ports that EMS uses. You can block all other ports or service requests to the EMS IP address or fully qualified domain name (FQDN).