Fortinet black logo

Administration Guide

Required services and ports

Required services and ports

You must enable required port and services for use by FortiClient and its associated applications on your server. The required ports and services enable FortiClient to communicate with servers running associated applications.

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient Telemetry

Endpoint management (on-premise EMS), participation in the Fortinet Security Fabric

TCP

8013

Outgoing

GUI

SYSLOG

Upload logs to syslog server

UDP

514

Outgoing

N/A

FortiSandbox

Send files to FortiSandbox for analysis

TCP

514

Outgoing

N/A

Remote access - SSL VPN

Establish VPN connection to the FortiGate

TCP

443 (default)

Outgoing

GUI

FortiAnalyzer/FortiManager

Upload logs and Windows host events to FortiAnalyzer or FortiManager

TCP

514

Outgoing

N/A

Remote access - IPsec VPN

Establish VPN connection to the FortiGate

UDP

IKE 500 ESP (IP 50) NAT-T 4500

Outgoing

N/A

FortiAuthenticator/FortiGate

Single sign-on mobility agent (SSOMA), FortiClient SSO

TCP

8001 (default)

Outgoing

GUI

FortiManager

Use a FortiManager for FortiClient software and signature updates

TCP

80 (default)

Outgoing

GUI

SMTP/FortiGuard

Virus submission

TCP

25

Outgoing

N/A

FortiGuard

Cloud-based malware detection

TCP

8888

Outgoing

N/A

FortiClient can also connect to FortiClient Cloud instead of on-premise EMS for endpoint management. The following table summarizes required services for FortiClient to communicate with FortiClient Cloud:

Usage

Server URL

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient Cloud connection

forticlient-emsproxy.forticloud.com

forticlient.forticloud.com

TCP

443 (default)

Outgoing

FortiClient connects to FortiGuard to query for URL ratings for Web Filter and to download antivirus and vulnerability scan engine and signature updates. FortiClient can connect to legacy FortiGuard or FortiGuard Anycast. The EMS administrator configures FortiGuard server options. See Web Filter and System Settings. The following table summarizes required services for FortiClient to communicate with FortiGuard:

Usage

Server URL

Protocol

Port

Incoming/Outgoing

How to customize

Global

U.S.

Europe

URL rating

fgd1.fortigate.com

usfgd1.fortigate.com

N/A

TCP

8888 (default)

Outgoing

Change to UDP via XML. See the FortiClient XML Reference Guide.

URL rating with FortiGuard Anycast

fctguard.fortinet.net

fctusguard.fortinet.net

fcteuguard.fortinet.net

TCP

443

Outgoing

Change to UDP via XML. See the FortiClient XML Reference Guide.

AV/vulnerability signature update

forticlient.fortinet.net

myforticlient.fortinet.net

usforticlient.fortinet.net

N/A

TCP

80

Outgoing

N/A

AV/vulnerability signature updates with FortiGuard Anycast

fctupdate.fortinet.net

fctusupdate.fortinet.net

fcteuupdate.fortinet.net

TCP

443

Outgoing

N/A

note icon

For the list of required services and ports for EMS, see the FortiClient EMS Administration Guide.

Required services and ports

Required services and ports

You must enable required port and services for use by FortiClient and its associated applications on your server. The required ports and services enable FortiClient to communicate with servers running associated applications.

Communication

Usage

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient Telemetry

Endpoint management (on-premise EMS), participation in the Fortinet Security Fabric

TCP

8013

Outgoing

GUI

SYSLOG

Upload logs to syslog server

UDP

514

Outgoing

N/A

FortiSandbox

Send files to FortiSandbox for analysis

TCP

514

Outgoing

N/A

Remote access - SSL VPN

Establish VPN connection to the FortiGate

TCP

443 (default)

Outgoing

GUI

FortiAnalyzer/FortiManager

Upload logs and Windows host events to FortiAnalyzer or FortiManager

TCP

514

Outgoing

N/A

Remote access - IPsec VPN

Establish VPN connection to the FortiGate

UDP

IKE 500 ESP (IP 50) NAT-T 4500

Outgoing

N/A

FortiAuthenticator/FortiGate

Single sign-on mobility agent (SSOMA), FortiClient SSO

TCP

8001 (default)

Outgoing

GUI

FortiManager

Use a FortiManager for FortiClient software and signature updates

TCP

80 (default)

Outgoing

GUI

SMTP/FortiGuard

Virus submission

TCP

25

Outgoing

N/A

FortiGuard

Cloud-based malware detection

TCP

8888

Outgoing

N/A

FortiClient can also connect to FortiClient Cloud instead of on-premise EMS for endpoint management. The following table summarizes required services for FortiClient to communicate with FortiClient Cloud:

Usage

Server URL

Protocol

Port

Incoming/Outgoing

How to customize

FortiClient Cloud connection

forticlient-emsproxy.forticloud.com

forticlient.forticloud.com

TCP

443 (default)

Outgoing

FortiClient connects to FortiGuard to query for URL ratings for Web Filter and to download antivirus and vulnerability scan engine and signature updates. FortiClient can connect to legacy FortiGuard or FortiGuard Anycast. The EMS administrator configures FortiGuard server options. See Web Filter and System Settings. The following table summarizes required services for FortiClient to communicate with FortiGuard:

Usage

Server URL

Protocol

Port

Incoming/Outgoing

How to customize

Global

U.S.

Europe

URL rating

fgd1.fortigate.com

usfgd1.fortigate.com

N/A

TCP

8888 (default)

Outgoing

Change to UDP via XML. See the FortiClient XML Reference Guide.

URL rating with FortiGuard Anycast

fctguard.fortinet.net

fctusguard.fortinet.net

fcteuguard.fortinet.net

TCP

443

Outgoing

Change to UDP via XML. See the FortiClient XML Reference Guide.

AV/vulnerability signature update

forticlient.fortinet.net

myforticlient.fortinet.net

usforticlient.fortinet.net

N/A

TCP

80

Outgoing

N/A

AV/vulnerability signature updates with FortiGuard Anycast

fctupdate.fortinet.net

fctusupdate.fortinet.net

fcteuupdate.fortinet.net

TCP

443

Outgoing

N/A

note icon

For the list of required services and ports for EMS, see the FortiClient EMS Administration Guide.