Open ports
FNC-CAX and FNC-MX products: The FortiNAC software runs on top of the FortiNAC-OS operating system. For security purposes, FortiNAC-OS does not have any open (listening) TCP/UDP ports configured by default. Access must be configured using the "set allowaccess" command via the appliance CLI. The ports that must be enabled depend upon the features required.
The best practice is to keep the number of open ports to a minimum, and block all other ports. If you need to provide users access to network resources through a static port (e.g., from outside a firewall), the best option is to allow users to connect by VPN.
Related Documents
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
Validate Open Ports
The current listening port configuration can be viewed by running an nmap scan against the appliance. Another useful command is netstat, which lists all listening and connected sockets on the current appliance (e.g. netstat -ln lists just the listening ports).
Use the “netstat” command to verify that a TCP/UDP port is open.
CentOS systems:
netstat -ln | grep <port number>
FortiNAC-OS systems:
execute enter-shell
netstat -ln | grep <port number>
For example, use netstat -ln | grep 4568 to verify that the port used for Agent communications to FortiNAC is open.
tcp 0 0 0.0.0.0:4568 0.0.0.0:* LISTEN
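As an added example (not part of the FortiNAC documentation), the two POSIX shell functions below parse netstat -ln style output: port_listening checks a single TCP/UDP port the way the grep above does, but anchored so that a search for 568 does not match 4568, and unexpected_listeners reports every network-reachable socket that is not on an expected list such as the one in the port table. The function names and the SAMPLE_NETSTAT output are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the FortiNAC documentation. The netstat output
# below is constructed to look like "netstat -ln" on a FortiNAC appliance.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:4568            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::8443                 :::*                    LISTEN
udp        0      0 0.0.0.0:1812            0.0.0.0:*
udp        0      0 0.0.0.0:9999            0.0.0.0:*'

# port_listening PROTO PORT [NETSTAT_OUTPUT]
# Exit 0 if PROTO (tcp or udp, IPv6 sockets included) has PORT bound.
# Matching ":PORT" at the end of the Local Address column avoids the false
# hits a bare "grep 568" gives on port 4568 or on the Foreign Address column.
# UDP sockets never show a LISTEN state, so the State column is ignored.
port_listening() {
    proto=$1; port=$2; out=${3:-$(netstat -ln 2>/dev/null)}
    printf '%s\n' "$out" | awk -v p="$proto" -v n="$port" '
        $1 ~ ("^" p "6?$") && $4 ~ (":" n "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# unexpected_listeners "EXPECTED" [NETSTAT_OUTPUT]
# EXPECTED is a space-separated allowlist such as "tcp/4568 udp/1812".
# Prints one "proto/port" per line for every bound socket not on the list,
# folding tcp6/udp6 into tcp/udp. Loopback-only sockets are skipped because
# they are not reachable from the network.
unexpected_listeners() {
    want=$1; out=${2:-$(netstat -ln 2>/dev/null)}
    printf '%s\n' "$out" | awk -v want="$want" '
        BEGIN { c = split(want, a, " "); for (i = 1; i <= c; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            proto = substr($1, 1, 3)
            addr = $4; port = $4
            sub(/.*:/, "", port); sub(/:[^:]*$/, "", addr)
            if (addr == "127.0.0.1" || addr == "::1") next
            key = proto "/" port
            if (!(key in ok)) print key
        }'
}

# Stand-alone use: check the Persistent Agent port from the example above,
# then report anything listening that the port table does not document.
port_listening tcp 4568 "$SAMPLE_NETSTAT" && echo "tcp/4568 is listening"
unexpected_listeners "tcp/4568 tcp/8443 udp/1812" "$SAMPLE_NETSTAT"
```

Omit the third argument to run either function against the live netstat -ln output of the appliance instead of the constructed sample.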
FortiNAC Open Port List
The table below lists the ports that should be open to end users and the ports that need to be open for FortiNAC communications.
Note: For security purposes, systems running on the new FortiNAC-OS operating system do not have any open (listening) TCP/UDP ports configured by default. Access must be configured using the "set allowaccess" command via the appliance CLI. The ports that must be enabled depend upon the features required. Refer to the table below for the applicable option.
| Port | Protocol | Description | Direction | "set allowaccess" option (FortiNAC-OS) |
|---|---|---|---|---|
| All ports outbound | All | Used by Device Profiler to classify devices. Uses NMAP as one of the profiling choices. Also can use SNMP to profile. | eth0: Outbound; eth1: Outbound | |
| | ICMP | PING (Optional) | eth0: Bidirectional; eth1: Bidirectional | ping (Apply to: port 1) |
| UDP 21 | FTP | Product Updates | eth0: Outbound to internet | |
| TCP 21 | FTP | Product Updates | eth0: Outbound to internet | |
| TCP 22 | SSH | High Availability: MySQL replication from Primary Server to Secondary Server. Control Manager (M) eth0: Manage FortiNAC Servers | Bi-directional between Primary Server eth0 and Secondary Server eth0; Bi-directional between Managed Servers eth0 and Manager eth0 | ssh (Apply to: port 1). Note: SSH is enabled on port 1 by default. |
| TCP 23 | Telnet | Network Device Management | eth0: Outbound | |
| TCP/UDP 53 | DNS | Name Service. eth0: Requesting Name Resolution from production DNS server; eth1: Serving Name Resolution for Isolation Scopes | eth0: Outbound; eth1: Inbound | dns (Apply to: port 2) |
| UDP 67 | DHCP | eth0: DHCP Fingerprinting; eth1: Serving IP Addresses for Isolation Scopes | eth0: Inbound; eth1: Inbound | dhcp (Apply to: port 1 and port 2) |
| UDP 68 | DHCP | eth0: DHCP Fingerprinting; eth1: Serving IP Addresses for Isolation Scopes | eth0: Inbound; eth1: Outbound | dhcp (Apply to: port 1 and port 2) |
| UDP 547 | DHCPv6 | DHCP Fingerprinting | eth0: Inbound | dhcp (Apply to: port 1 and port 2) |
| TCP 80 | HTTP | Web Server (Portal) | eth0: Inbound; eth1: Inbound | http (Apply to: port 2) |
| TCP 22 | SFTP | Product Updates | eth0: Outbound to internet | |
| UDP 123 | NTP | Time Service | eth0: Outbound | |
| UDP 161 | SNMP | Network Device Management | eth0: Outbound (Bi-directional if FortiNAC is configured to respond to SNMP queries. See section SNMP of the Administration Guide). | snmp (Apply to: port 1) |
| UDP 162 | SNMP Traps | Device Changes Notification (Mostly Host Access Notification) | eth0: Inbound | snmp (Apply to: port 1) |
| TCP 389 | Winbind | Used by RADIUS Local Server for MSCHAPv2 authentication | Outbound | |
| TCP 443 | HTTPS | Product Updates; Web Server (Portal) Secure HTTP; License Entitlements (fds1.fortinet.com); IoT data collection | eth0: Outbound to internet; eth1: Inbound | https (Apply to: port 2) |
| UDP 514 | Syslog | Device Change Notification and RTR (inbound); Logging of events to external server (outbound) | eth0: Bi-directional | syslog (Apply to: port 1) |
| TCP 514 | OFTP | Communication with FortiAnalyzer (Available in FortiNAC version 8.5 and higher) | eth0: Outbound | |
| TCP 1050, TCP 5555, TCP 30000-64000 | CORBA | High Availability; Server Communication (See note below the table) | Bi-directional between Primary and Secondary Server eth0; Bi-directional between Managed Servers and Manager eth0 | nac-ipc (Apply to: port 1) |
| TCP/UDP 1645 | RADIUS | Host/User Authentication (Local RADIUS Server default) | eth0: Bi-directional | radius-local (Apply to: port 1) |
| UDP 1812 | RADIUS | Host/User Authentication (Proxy RADIUS mode default) | eth0: Bi-directional | radius (Apply to: port 1) |
| TCP/UDP 1813 | RADIUS Accounting | Host/User Authentication Changes and RTR (Proxy RADIUS Mode default) | eth0: Inbound | radius-acct (Apply to: port 1) |
| UDP 3799 | RADIUS COA | Host/User Authentication Action (Moving/Removing) | eth0: Outbound | |
| UDP 4567 | Agent Server | Persistent Agent Communication (No longer used by agent 5.x and above with NAC 8.2 and above; TCP 4568 only) | eth0: Bi-directional; eth1: Bi-directional | |
| TCP 4568 | Agent Server | Used to establish the Persistent Agent Communication (SSL) connection (Used by agent 3.x and above) | eth0: Bi-directional; eth1: Bi-directional | nac-agent (Apply to: port 1 and port 2) |
| TCP 5986 (user modifiable) | WinRM | WMI profiling method (Available in FortiNAC version 8.5 and higher) | eth0 and eth1: Outbound | |
| TCP 8000 | Private Protocol | Fortinet Security Fabric (FSSO) communications (Available in FortiNAC version 8.5 and higher) | eth0: Inbound | fsso (Apply to: port 1) |
| TCP 8443 | HTTPS | Web Server Secure HTTP (Admin UI); FortiGuard (globaldevquery.fortinet.net); Control Manager (M): Manage FortiNAC Servers (Versions 8.8.9, 9.1.3 and above) | eth0: Inbound; eth0: Outbound to internet; Bi-directional between Managed Servers eth0 and Manager eth0 (Versions 8.8.9, 9.1.3 and above) | https-adminui (Apply to: port 1) |
| TCP 8080 | HTTP Alternative | Web Server (Admin UI) | eth0: Inbound | http-adminui (Apply to: port 1) |
| TCP 8180 | Analytics Server | Used to update/download the agent. | eth0: Inbound | |
| TCP 8543 | Analytics Server | Used to transfer data to the Analytics Server and for queries from the web browser. | eth0: Bi-directional | |
| UDP 2055 | NetFlow | Used to gather data from FortiGate devices to populate the "Network Sessions" view in the Administration UI. See Network sessions for details. | eth0: Inbound | netflow (Apply to: port 1) |
Note: FortiNAC uses port 1050 for CORBA (Common Object Request Broker Architecture) Management for accessing server objects and for interprocess communication between FortiNAC subsystems and servers. When a requestor connects to this port, the appliance dynamically reassigns it to a port in the 30000-64000 range.