Opening ports in the security group
When you deploy FortiGate in AWS, you can select a predefined security group that follows Fortinet's recommendation. It allows the following ports, chosen to cover immediate and likely near-future needs rather than the strict minimum.

| Protocol/ports | Purpose |
|---|---|
| Incoming | |
| TCP 22 | SSH |
| TCP 80 | HTTP |
| TCP 443 | HTTPS, management GUI access to FortiGate |
| TCP 541 | Management by FortiManager located outside AWS |
| TCP 3000, TCP 8080 | Not immediately required, but typically used for incoming access to web servers, and so on |
| Outgoing | |
| Any | |
FortiGate-specific open ports are explained in Fortinet Communication Ports and Protocols.
To configure bare-minimum access with the strictest incoming rules, allow only TCP 443 for the FortiGate GUI console, as described in Connecting to the FortiGate, and close all other ports. Restrict the TCP 443 rule to the source CIDR your administrators connect from rather than 0.0.0.0/0, since anything left open in the security group is reachable before FortiGate's own policies see it. Allow ICMP for pinging, and other ports, only as you need them.
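The following script is an added example, not code from the Fortinet page, showing how the bare-minimum security group described above can be built with the AWS CLI: a single TCP 443 rule restricted to an administrator CIDR, optional ICMP echo, and the default "Any" egress. The group name, the admin CIDR 203.0.113.0/24, the VPC ID placeholder and the `audit_world_open_rules` helper are assumptions for illustration; the rule JSON is composed in a separate function so it can be inspected without making any AWS call.

```shell
#!/usr/bin/env sh
# Added example (not Fortinet's code). Builds the bare-minimum FortiGate
# security group: TCP 443 from an admin CIDR only, optional ICMP echo,
# default egress (Any). Requires a credentialed AWS CLI v2 for the
# apply/audit functions; the JSON builder runs offline.
set -eu

# Refuse to expose the management GUI to the whole internet.
validate_admin_cidr() {
  case "$1" in
    0.0.0.0/0|::/0)
      echo "refusing admin CIDR $1: management GUI would be world-reachable" >&2
      return 1 ;;
  esac
  return 0
}

# Compose the --ip-permissions JSON for the minimal rule set.
#   $1 = admin CIDR, $2 = "yes" to also allow ICMP echo requests.
# For ICMP, EC2 uses FromPort as the ICMP type (8 = echo request) and
# ToPort as the code (-1 = any code).
minimal_ingress_permissions() {
  admin_cidr="$1"
  allow_icmp="${2:-no}"
  perms="[{\"IpProtocol\":\"tcp\",\"FromPort\":443,\"ToPort\":443,\"IpRanges\":[{\"CidrIp\":\"${admin_cidr}\",\"Description\":\"FortiGate GUI\"}]}"
  if [ "$allow_icmp" = "yes" ]; then
    perms="${perms},{\"IpProtocol\":\"icmp\",\"FromPort\":8,\"ToPort\":-1,\"IpRanges\":[{\"CidrIp\":\"${admin_cidr}\",\"Description\":\"ping\"}]}"
  fi
  printf '%s]' "$perms"
}

# Create the group in the given VPC and attach only the minimal rules.
# Egress "Any" is the default on a new security group, so nothing is added.
create_minimal_sg() {
  vpc_id="$1"
  admin_cidr="$2"
  allow_icmp="${3:-no}"
  validate_admin_cidr "$admin_cidr"
  sg_id=$(aws ec2 create-security-group \
            --group-name fortigate-mgmt-minimal \
            --description "FortiGate: TCP 443 management only" \
            --vpc-id "$vpc_id" \
            --query GroupId --output text)
  aws ec2 authorize-security-group-ingress \
      --group-id "$sg_id" \
      --ip-permissions "$(minimal_ingress_permissions "$admin_cidr" "$allow_icmp")"
  echo "$sg_id"
}

# Audit helper (assumed name): list inbound rules of a group that are open
# to 0.0.0.0/0, e.g. to see which of the predefined ports face the internet.
audit_world_open_rules() {
  aws ec2 describe-security-groups --group-ids "$1" \
    --query "SecurityGroups[].IpPermissions[?IpRanges[?CidrIp=='0.0.0.0/0']].[IpProtocol,FromPort,ToPort]" \
    --output text
}

# Usage: sh minimal_sg.sh apply vpc-0123456789abcdef0 203.0.113.0/24 [yes]
if [ "${1:-}" = "apply" ]; then
  create_minimal_sg "$2" "$3" "${4:-no}"
fi
```

Run `sh minimal_sg.sh apply <vpc-id> <admin-cidr>` to create the group, then `audit_world_open_rules <sg-id>` against the predefined group to confirm which of TCP 22, 80, 3000 and 8080 it leaves reachable from anywhere before you decide what to close.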