Administration Guide

Port and access control information

This topic contains information about the default ports by interface as well as the endpoints that need to be reachable by FortiSandbox.

Default Ports

The following section provides information about ports by interface, ports by FortiSandbox model, and ports by configuration.

*For more information, see Air Gapped Mode.

Ports by interface

The following table lists the services and ports for each FortiSandbox interface.

Interface / Services and Ports

Port1

Default for inbound administration traffic: TCP ports 22 (SSH), 23 (Telnet), 80 and 443 (GUI).

Port3

Reserved for the outgoing traffic initiated by the guest VMs.

For effective detection of 0-day threats, we strongly suggest connecting Port3 directly to the Internet via a perimeter firewall. Also, make sure that this connectivity is isolated from your Intranet (internal network) to prevent lateral movement. If Port3 is connected directly to a FortiGate device, make sure that the egress WAN interface does not have the Scan Outgoing Connections to Botnet Sites feature enabled, nor any active security profiles, as these can affect the detection rate.

All ports except Port3

Inbound:

The following services define the ports for inbound:

  • File, URL and Traffic submission via OFTP (TCP) port 514.
  • MTA and BCC Adapter uses TCP port 25 for inbound submission.
  • ICAP Adapter TCP port 1344. The port number is configurable.
  • Administration TCP ports 80 and 443 if manually configured via CLI command set admin-port.
  • SNMP local query port TCP or UDP 161. The port number is configurable.

Outbound:

The following services define the ports for outbound. The interface of the services is based on the static route configuration:

  • FortiGuard Distribution Servers (FDS) TCP port 8890 for downloading database and engine updates.
  • FortiGuard Web Filtering UDP port 53 or 8888 for URL category check. For secure connection which is configurable under System > FortiGuard > FortiGuard Web Filter Settings, it uses TCP/53 & TCP/8888.
  • FortiSandbox VM Download TCP port 443 for downloading VM images.
  • FortiSandbox Community Cloud query both UDP port 53 or 8888 and TCP port 443 to query submissions by other FortiSandbox.
  • FortiSandbox Community Cloud submission TCP port 25, 465 or 587 to upload information about detected suspicious zero-day samples. It uses only one of the ports, tried in sequence.

    All of these ports are used with encryption first. FortiSandbox will attempt to connect to the ports in sequence with encryption. If the connection fails, FortiSandbox will re-attempt to connect in sequence without encryption.

  • FortiSandbox Windows Cloud VMs TCP port 514 to submit jobs to the Windows cloud VMs. License required.
  • FortiSandbox MAC Cloud VMs TCP port 443 to submit jobs to the MAC cloud VMs. License required.
  • Mail server TCP port 25, DNS server UDP port 53, remote Syslog server TCP or UDP port 514, LDAP server TCP port 389, SNMP manager TCP or UDP port 162, and NTP server UDP port 123. Make sure to check the Static Route configuration for the gateway and outgoing port to use. The port numbers for Mail, Remote Syslog, LDAP and SNMP are configurable.

Cluster ports (all other ports except Port1 and Port3)

In cluster mode, FortiSandbox uses TCP ports 2015 and 2018 for cluster internal communication. If the unit works as a Collector to receive threat information from other units, it uses TCP port 2443.
Note

All ports mentioned above are the same for both IPv4 and IPv6 protocols.

For redundancy and increased throughput, consider setting up an Aggregate interface. See Create an aggregate interface.

For any outgoing traffic, FortiSandbox uses a random port picked by the kernel.

You can dynamically change the system firewall rules using the iptables CLI command. However, the updated rules will be lost after a system reboot.

The following table lists the available ports for each FortiSandbox model.

Interface Type    3000F/3000E/2000E    1000F       500F
RJ45              Port 1-4             Port 1-4    Port 1-4
SFP GbE           Port 5-8
SFP+                                   Port 5-6

Access Control List

The table below lists the default server and options for each service when it is configured. For further information on a service, refer to its notes. We recommend periodically checking these entries for changes.

Service: FortiGuard Distribution Network (FDN) Database and Engine Download

Destination: fds1.fortinet.com:8890/TCP

When configured to override region:

  • Nearest: fds1.fortinet.com:8890/TCP

  • US Region: usfds1.fortinet.com:8890/TCP

  • Global: globalupdate.fortinet.net:443/TCP

Notes: Default is Nearest. Configurable. For more information, see FortiGuard > FortiGuard Server Location in the FortiSandbox Administration Guide.

Service: Web Filtering Service

Destination: securewf.fortiguard.net:53/TCP or 8888/TCP

When configured to override region:

  • Nearest: securewf.fortiguard.net:53/TCP or 8888/TCP

  • US Region: ussecurewf.fortiguard.net:53/TCP or 8888/TCP

  • Global: securewf.fortiguard.net:53/TCP or 8888/TCP

Notes: Default is Nearest. When Secure Connection under FortiGuard Web Filter Settings is disabled, replace TCP with UDP. For more information, see FortiGuard > Secure Connection in the FortiSandbox Administration Guide.

Service: FortiSandbox Community Cloud Query

Destination: fqsvr.fortinet.net:53/UDP

Notes: Available only in Global (Canada). For more information, see General Settings > Community Cloud Query in the FortiSandbox Administration Guide.

Service: Community Cloud Upload

Destination: fortinetvirussubmit.com:25/TCP, 465/TCP or 587/TCP

Notes: Available only in Global (Canada). For more information, see General Settings > Upload malicious and suspicious file in the FortiSandbox Administration Guide.

Service: Rating Cloud Service (RSE)

Destination: fqdl.fortinet.net:443/TCP

Notes: Available only in Global (Canada). For more information, see Scan Profile Advanced Tab > Enable Rating Cloud Service in the FortiSandbox Administration Guide.

Service: Windows Cloud VM Service

Destination: aptctrl1.fortinet.com:443/TCP or 514/TCP

Notes: List of IP addresses:

  • Europe: 83.231.212.128/25, 154.45.1.0/24, 154.52.11.0/24

  • US Region: 208.184.237.0/24, 209.222.141.128/26

  • Japan: 210.7.96.0/24, 154.52.7.0/24

  • Global: 173.243.139.0/24, 184.94.112.0/24, 154.52.26.0/24

The list of IP addresses is initially downloaded via aptctrl1 as configured in WindowsCloudVM Settings. For more information, see FortiGuard > WindowsCloudVM Settings in the FortiSandbox Administration Guide.

Service: macOS Cloud VM Service

Destination: mac.fortisandbox.net:443/TCP or mac2.fortisandbox.net:443/TCP

Notes: Available only in Global (Canada).

Service: VM Images Service

Destination: fsavm.fortinet.net:443/TCP

Notes: Uses GeoIP to select between two regions for faster download of the VM images. Available in Global (Canada) and Germany.

An alternative option is to use the Internet Service feature on the FortiGate to define a firewall policy that allows connection to that destination. For more information, see Using Internet Service in a policy in the FortiGate/FortiOS Administration Guide. Choose Fortinet-FortiGuard and Fortinet-FortiCloud.
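The following Python script is an added example; it is not part of this guide and not Fortinet's code. It turns two requirements from this page into a check a defender can run over egress flow logs: connections from the FortiSandbox management side must go to a destination in the Access Control List above, to one of the listed Windows Cloud VM ranges on TCP 514, or to a site-local server from the outbound list (DNS, NTP, syslog and so on); and traffic sourced from the Port3 guest-VM network must never reach the intranet, since that is the lateral-movement path the Port3 guidance warns about. The subnets, local server addresses and log lines are constructed for the example, and the key=value record layout is a simplified stand-in, not a real FortiGate log format.

```python
"""Audit egress flow records against the FortiSandbox port and ACL requirements.

Added example: subnets, local servers and log lines are constructed (hypothetical),
and the key=value record layout is simplified, not a vendor log format.
"""
import ipaddress
import re

# Constructed lab addressing (not from the guide).
MGMT_SUBNET = ipaddress.ip_network("10.10.20.0/24")   # FortiSandbox admin/egress side
PORT3_SUBNET = ipaddress.ip_network("192.0.2.0/24")   # guest-VM traffic leaving via Port3
INTRANET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed site-local servers for the outbound list (ip, port, proto).
LOCAL_SERVERS = {
    ("10.10.1.53", 53, "udp"),    # DNS server
    ("10.10.1.123", 123, "udp"),  # NTP server
    ("10.10.1.50", 514, "udp"),   # remote syslog server
}


def parse_destination(spec):
    """Parse the guide's 'host:port/PROTO' notation into (host, port, proto)."""
    host, rest = spec.rsplit(":", 1)
    port, proto = rest.split("/", 1)
    return host, int(port), proto.lower()


# Cloud destinations exactly as listed in the Access Control List table.
ALLOWED_CLOUD = {parse_destination(s) for s in (
    "fds1.fortinet.com:8890/TCP", "usfds1.fortinet.com:8890/TCP",
    "globalupdate.fortinet.net:443/TCP",
    "securewf.fortiguard.net:53/TCP", "securewf.fortiguard.net:8888/TCP",
    "securewf.fortiguard.net:53/UDP", "securewf.fortiguard.net:8888/UDP",
    "ussecurewf.fortiguard.net:53/TCP", "ussecurewf.fortiguard.net:8888/TCP",
    "ussecurewf.fortiguard.net:53/UDP", "ussecurewf.fortiguard.net:8888/UDP",
    "fqsvr.fortinet.net:53/UDP",
    "fortinetvirussubmit.com:25/TCP", "fortinetvirussubmit.com:465/TCP",
    "fortinetvirussubmit.com:587/TCP", "fqdl.fortinet.net:443/TCP",
    "aptctrl1.fortinet.com:443/TCP", "aptctrl1.fortinet.com:514/TCP",
    "mac.fortisandbox.net:443/TCP", "mac2.fortisandbox.net:443/TCP",
    "fsavm.fortinet.net:443/TCP",
)}

# Windows Cloud VM ranges from the table; jobs are submitted to them on TCP 514.
WINDOWS_CLOUD_VM_RANGES = [ipaddress.ip_network(n) for n in (
    "83.231.212.128/25", "154.45.1.0/24", "154.52.11.0/24",   # Europe
    "208.184.237.0/24", "209.222.141.128/26",                 # US Region
    "210.7.96.0/24", "154.52.7.0/24",                         # Japan
    "173.243.139.0/24", "184.94.112.0/24", "154.52.26.0/24",  # Global
)]

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Split a simplified 'key=value key=value' flow record into a dict."""
    return dict(FIELD_RE.findall(line))


def audit_line(line):
    """Return a finding label for one flow record, or None if the flow is expected."""
    f = parse_log_line(line)
    src = ipaddress.ip_address(f["srcip"])
    dst = ipaddress.ip_address(f["dstip"])
    port, proto, host = int(f["dstport"]), f["proto"].lower(), f.get("dsthost", "")
    if src in PORT3_SUBNET:
        # Guest-VM traffic may reach the Internet, but never the intranet.
        return "port3-to-intranet" if any(dst in n for n in INTRANET) else None
    if src in MGMT_SUBNET:
        if (host, port, proto) in ALLOWED_CLOUD:
            return None
        if proto == "tcp" and port == 514 and any(dst in n for n in WINDOWS_CLOUD_VM_RANGES):
            return None
        if (str(dst), port, proto) in LOCAL_SERVERS:
            return None
        return "unexpected-egress"
    return None  # not a FortiSandbox-related source; out of scope here


def audit(lines):
    """Return (line number, finding, record) for every flow that violates the policy."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if line.strip():
            verdict = audit_line(line)
            if verdict:
                findings.append((number, verdict, line))
    return findings


# Constructed sample flows (not real logs); lines 4 and 6 should be flagged.
SAMPLE_LOG = """\
srcip=10.10.20.5 dstip=203.0.113.10 dsthost=fds1.fortinet.com dstport=8890 proto=tcp
srcip=10.10.20.5 dstip=154.52.11.40 dsthost= dstport=514 proto=tcp
srcip=10.10.20.5 dstip=10.10.1.53 dsthost= dstport=53 proto=udp
srcip=10.10.20.5 dstip=198.51.100.7 dsthost=updates.example.net dstport=443 proto=tcp
srcip=192.0.2.33 dstip=198.51.100.9 dsthost= dstport=80 proto=tcp
srcip=192.0.2.33 dstip=10.10.30.12 dsthost= dstport=445 proto=tcp
"""

if __name__ == "__main__":
    for number, verdict, record in audit(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {verdict}: {record}")
```

Hostname matching assumes the log source records the resolved destination name; where only IPs are logged, resolve the ACL hostnames at audit time and compare addresses instead. The Windows Cloud VM check is deliberately restricted to TCP 514, matching the outbound list above, so a connection to one of those ranges on any other port is still reported.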
