FortiSIEM Port Usage | External Systems Configuration Guide (2024)

FortiSIEM Management User | Supervisor | Inbound | ICMP | Monitoring via ICMP

Supervisor | Mail Gateway | Outbound | TCP/SMTP | Sending email notification

External Device | Supervisor | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via ftp)

FortiSIEM Management User | Supervisor | Inbound | TCP/22 | Admin access via SSH

Supervisor | Whois Servers | Outbound | 43 | Whois lookup service

  • whois.geektools.com
  • whois.arin.net
  • whois.networksolutions.com
  • whois.internic.net
  • whois.nic.af
  • whois.ripe.net
  • whois.apnic.net
  • whois.amnic.net
  • whois.nic.gov
  • whois.nic.ad.jp
  • whois.nic.mx
  • whois.nic.us

Supervisor | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM)

Supervisor | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments

Supervisor | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection

Supervisor | External Windows Devices | Outbound | TCP/135, UDP/137, TCP/5985-5986 | OMI based monitoring and log collection

Supervisor | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM)

Supervisor | External Device | Outbound | UDP/161 | SNMP based monitoring

External Device | Supervisor | Inbound | UDP/162 | SNMP Trap

Supervisor | External Devices | Outbound | TCP/389 | LDAP discovery

Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/443 (configurable) or HTTPS/9300 | Querying events for Elasticsearch based deployments

Supervisor | FortiSIEM Manager | Outbound | TCP/443 | Register to FortiSIEM Manager and upload Incidents, license and health

FortiSIEM Manager | Supervisor | Inbound | TCP/443 | Incident drill down and Incident Management from FortiSIEM Manager

FortiSIEM Management User | Supervisor | Inbound | TCP/443 | GUI access via HTTPS

Collector, Worker, Windows Agent, Linux Agent | Supervisor | Inbound | TCP/443 | REST API access via HTTPS

Supervisor | External Device | Outbound | TCP/443 | HTTPS based log collection

Supervisor | External Device | Inbound, Outbound | TCP/443 | IOC feed and IOC lookups connect to productapi.fortinet.com, validation of Collector & Agent packages, Content Updates, FortiGuard Services (update.fortiguard.net), and OS updates (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com).

External Device | Supervisor | Inbound | TCP/514 | TCP syslog

External Device | Supervisor | Inbound | UDP/514 | UDP syslog

Supervisor | External Devices | Outbound | TCP/636 | LDAPS discovery

Supervisor | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM)

Supervisor | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM)

Supervisor | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection

External Device | Supervisor | Inbound | TCP/1470 | TCP syslog

External Device | Supervisor | Inbound | UDP/2055 | NetFlow

Supervisor | External Devices | Outbound | TCP/3268 | LDAP discovery (Global Catalog port, Global Catalog TLS port)

Supervisor | External Devices | Outbound | TCP/3269 | LDAPS discovery (Global Catalog port)

Supervisor | Worker | Inbound, Outbound | RAFT/3888 | ClickHouse Keeper Traffic if Supervisor node is part of ClickHouse Keeper Cluster

Supervisor | Report Server | Outbound | TCP/5432 | PostgreSQL (report loading)

Worker | Supervisor | Inbound | TCP/5555 | phFortiInsightAI module data collection

External Device | Supervisor | Inbound | UDP/6343 | sFlow

External Device | Supervisor | Inbound | TLS (Supporting v1.2 & v1.3)/6514 | Syslog over TLS

Supervisor | Worker | Outbound | TCP/6666 | Redis communication

Supervisor | Spark Master Node | Outbound | HTTPS/7077 (configurable) | Querying events for HDFS based deployments

Worker | Supervisor | Inbound | TLS (Supporting v1.3)/7900 | phMonitorWorker to phMonitorSuper communication

Supervisor | Worker | Outbound | TLS (Supporting v1.3)/7900 | phMonitorSuper to phMonitorWorker Communication

Supervisor (Primary) | Supervisor (Secondary for DR) | Inbound, Outbound | TCP/7900 | Disaster Recovery Setup

Worker | Supervisor | Inbound | TLS (Supporting v1.3)/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement

Supervisor | Worker | Outbound | TLS (Supporting v1.3)/7916 | phQueryMaster to phQueryWorker communication

Worker | Supervisor | Inbound | TLS (Supporting v1.3) | phQueryWorker to phQueryMaster Communication

Worker 6.1 Supervisor Outbound TLS (Supporting v1.3)/7920 phQueryMaster to phDataManager for trigger event query

Worker | Supervisor | Inbound | TLS (Supporting v1.3) | phRuleWorker to phRuleMaster communication

Worker | Supervisor | Inbound | TLS (Supporting v1.3)/7928 | phParser on Worker to phDiscover on Supervisor to trigger a device discovery after detecting Cisco IOS BGP or OSPF Adjacency Change

Worker | Supervisor | Inbound | TLS (Supporting v1.3) | phReportWorker to phReportMaster Communication

Worker | Supervisor | Inbound | TLS (Supporting v1.3)/7938 | phIdentityWorker to phIpIdentityMaster

Supervisor | Worker | Outbound | HTTP/8123, HTTPS/8443 | ClickHouse Database Query

Supervisor | Worker | Outbound | HTTP/8123, HTTPS/8443 | ClickHouse Database Insert if Supervisor receives events from Collectors or Workers and it is not chosen as a Data Node

Worker | Supervisor | Inbound | HTTP/8123, HTTPS/8443 | ClickHouse Database Insert if Supervisor is chosen as a Data Node

Supervisor | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection

Supervisor | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments

Supervisor | Worker | Inbound, Outbound | 9000, 9440 | ClickHouse Internal Communication

Supervisor | Worker | Inbound, Outbound | HTTP/9009, HTTPS/9010 | ClickHouse Database Replication if Supervisor is chosen as a Data Node

Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments

Supervisor | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection

Supervisor | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection

Collector | Supervisor | Inbound | TCP/19999 | Collector to Supervisor Reverse SSH Tunnel (disabled by default)

Supervisor | Collector | Outbound | TCP/20000-30000 | Collector to Super Reverse SSH Tunnel (disabled by default)

Worker | Supervisor | Inbound | gRPC (TLS v1.2)/27918 | phQueryWorker to phQueryMaster Communication

Worker | Supervisor | Inbound | gRPC (TLS v1.2)/27918 | phRuleWorker to phRuleMaster Communication

Worker | Supervisor | Inbound | gRPC (TLS v1.2)/27934 | phReportWorker to phReportMaster Communication

Spark Nodes | Supervisor | Inbound | TCP/60002-60003 | Elasticsearch to HDFS Archive


Author: Edmund Hettinger DC
