Open listening ports
The ports in a network are the communication channels through which information flows from one system to another. This section lists the ports that must be configured in your environment to access the features and services on the Protegrity appliances.
Ports for accessing ESA
The following is the list of ports that must be configured for system users to access ESA.
Port Number | Protocol | Source | Destination | NIC | Description |
---|---|---|---|---|---|
22 | TCP | System User | ESA | Management NIC (ethMNG) | Access to CLI Manager |
443 | TCP | System User | ESA | Management NIC (ethMNG) | Access to Web UI for Security Officer or ESA administrator |
Ports for accessing Insight
The following is the list of ports that must be configured for system users to access Insight.
Port Number | Protocol | Source | Destination | NIC | Description |
---|---|---|---|---|---|
22 | TCP | System User | Insight | Management NIC (ethMNG) | Access to CLI Manager |
443 | TCP | System User | Insight | Management NIC (ethMNG) | Access to Web UI for Security Officer or Insight administrator |
Ports for accessing Protectors
The following is the list of ports that must be configured between the ESA and the non-appliance-based protectors, such as Big Data Protector (BDP), Application Protector (AP), and so on.
Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
---|---|---|---|---|---|---|
8443 | TCP | Non-appliance-based protectors such as Big Data Protector (BDP), Application Protector (AP), z/OS, and so on | ESA | Management NIC (ethMNG) | | |
25400 | TCP | Non-appliance-based protectors such as Big Data Protector (BDP), Application Protector (AP), z/OS, and so on | Resilient Package Proxy (RPP) in the ESA | Management NIC (ethMNG) | | The protectors need to access this port. Ensure that the customer's firewall is not blocking this port. |
6379 | TCP | ESA | BDP Lead Node | Management NIC (ethMNG) | Communication between ESA and the BDP lead node. | If HDFSFP is used, this port must be opened. Starting from the Big Data Protector 7.2.0 release, the HDFS File Protector (HDFSFP) is deprecated. The HDFSFP-related sections are retained to cover the use of an older version of Big Data Protector with the ESA 7.2.0. If a port other than 6379 is configured while installing BDP, ensure that the configured port is open. |
9200 | TCP | Log Forwarder | Audit Store | Management NIC (ethMNG) of ESA | Sends the audit logs received from the Log Server to the ESA/Audit Store. | |
Ports for ESA on TAC
The following are the list of ports that must be configured for the ESA appliances in a Trusted Appliances Cluster (TAC).
Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
---|---|---|---|---|---|---|
22 | TCP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Communication in TAC | |
22 | TCP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Communication in TAC | |
443 | TCP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Communication in TAC | |
443 | TCP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Communication in TAC | |
443 | TCPing | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Communication in TAC | Used for joining a cluster. |
443 | TCPing | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Communication in TAC | Used for joining a cluster. |
10100 | UDP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Communication in TAC | This port is optional. If the appliance heartbeat services are stopped, this port can be disabled. |
10100 | UDP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Communication in TAC | This port is optional. If the appliance heartbeat services are stopped, this port can be disabled. |
8300 | TCP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Used by servers to handle incoming requests. | This is used by servers to handle incoming requests from other agents. |
8300 | TCP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Handle incoming requests | This is used by servers to handle incoming requests from other agents. |
8301 | TCP and UDP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Gossip on LAN. | This is used to handle gossip in the LAN. Required by all agents. |
8301 | TCP and UDP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Gossip on LAN. | This is used to handle gossip in the LAN. Required by all agents. |
8302 | TCP and UDP | Primary ESA | Secondary ESA | Management NIC (ethMNG) | Gossip on WAN. | This is used by servers to gossip over the WAN, to other servers. As of Consul 0.8 the WAN join flooding feature requires the Serf WAN port (TCP/UDP) to be listening on both WAN and LAN interfaces. |
8302 | TCP and UDP | Secondary ESA | Primary ESA | Management NIC (ethMNG) | Gossip on WAN. | This is used by servers to gossip over the WAN, to other servers. As of Consul 0.8 the WAN join flooding feature requires the Serf WAN port (TCP/UDP) to be listening on both WAN and LAN interfaces. |
8600 | TCP and UDP | ESA | DSG | Management NIC (ethMNG) | Listens to the DNS server port. | Used to resolve DNS queries. |
8600 | TCP and UDP | DSG | ESA | Management NIC (ethMNG) | Listens to the DNS server port. | Used to resolve DNS queries. |
9000 | TCP and UDP | ESA | DSG | Management NIC (ethMNG) | Checks local certificates. | If your TAC utilizes Consul services, you must enable this port. |
9000 | TCP and UDP | DSG | ESA | Management NIC (ethMNG) | Checks local certificates. | If your TAC utilizes Consul services, you must enable this port. |
Additional Ports
Based on the firewall rules and network infrastructure of your organization, you must open ports for the services listed in the following table.
Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
---|---|---|---|---|---|---|
123 | UDP | ESA | Time servers | Management NIC (ethMNG) of ESA | NTP Time Sync Port | This port can be configured based on the enterprise network policies or according to your use case. |
389 | TCP | ESA | Active Directory server | Management NIC (ethMNG) of ESA | Authentication for External AD and synchronization with External Groups. | This port can be configured based on the enterprise network policies or according to your use case. |
389 | TCP | ESA | Active Directory server | Management NIC (ethMNG) of ESA | Synchronization with External AD Groups for policy users. | This port can be configured based on the enterprise network policies or according to your use case. |
636 | TCP | ESA | Active Directory server | Management NIC (ethMNG) of ESA | Authentication for External AD and synchronization with External Groups. | This port is for LDAPS. It can be configured based on the enterprise network policies or according to your use case. |
636 | TCP | ESA | Active Directory server | Management NIC (ethMNG) of ESA | Synchronization with External AD Groups for policy users. | This port is for LDAPS. It can be configured based on the enterprise network policies or according to your use case. |
1812 | TCP | ESA | RADIUS server | Management NIC (ethMNG) of ESA | Authentication with RADIUS server. | This port can be configured based on the enterprise network policies or according to your use case. |
514 | UDP | ESA | Syslog servers | Management NIC (ethMNG) of ESA | Storing logs | This port can be configured based on the enterprise network policies or according to your use case. |
FutureX (9111) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | This port can be configured based on the enterprise network policies or according to your use case. |
Safenet (1792) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | This port must be opened and configured based on the enterprise network policies or according to your use case. |
nCipher non-privileged port (8000) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | This port must be opened and configured based on the enterprise network policies or according to your use case. |
nCipher privileged port (8001) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | This port must be opened and configured based on the enterprise network policies or according to your use case. |
Utimaco (288) | TCP | ESA | HSM server | Management NIC (ethMNG) of ESA | HSM communication | This port must be opened and configured based on the enterprise network policies or according to your use case. |
Ports for Users
If you are utilizing the DSG appliance, the following ports must be configured in your environment.
Port Number | Protocol | Source | Destination | NIC | Description |
---|---|---|---|---|---|
22 | TCP | System User | DSG | Management NIC (ethMNG) | Access to CLI Manager. |
443 | TCP | System User | DSG | Management NIC (ethMNG) | Access to Web UI. |
Ports for Communication with ESA
The following are the list of ports that must be configured for communication between DSG and ESA.
Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
---|---|---|---|---|---|---|
22 | TCP | ESA | DSG | Management NIC (ethMNG) | | |
443 | TCP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC | |
443 | TCP | DSG | ESA and Virtual IP address of ESA | Management NIC (ethMNG) | Downloading certificates from ESA | |
8443 | TCP | DSG | ESA and Virtual IP address of ESA | Management NIC (ethMNG) | | |
389 | TCP | DSG | Virtual IP address of ESA | Management NIC (ethMNG) | Authentication and authorization by ESA | |
5671 | TCP | DSG | ESA | Management NIC (ethMNG) | Messages sent from DSG to ESA | This port is required to support backward compatibility, where ESA v7.2.1 communicates with earlier versions of appliances other than ESA. For example, port 5671 is required for user notifications from a DSG system to appear on the ESA v7.2.1 Dashboard. |
10100 | UDP | DSG | ESA | Management NIC (ethMNG) | | This port is optional. If the appliance heartbeat services are stopped, this port can be disabled. |
DSG Ports for Communication in TAC
The following are the list of ports that must also be configured when DSG is configured in a TAC.
Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
---|---|---|---|---|---|---|
22 | TCP | DSG | ESA | Management NIC (ethMNG) | Communication in TAC | |
8585 | TCP | ESA | DSG | Management NIC (ethMNG) | Cloud Gateway cluster | |
443 | TCP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC | |
10100 | UDP | ESA | DSG | Management NIC (ethMNG) | Communication in TAC | This port is optional. If the Appliance Heartbeat services are stopped, this port can be disabled. |
10100 | UDP | DSG | ESA | Management NIC (ethMNG) | | This port is optional. If the Appliance Heartbeat services are stopped, this port can be disabled. |
10100 | UDP | DSG | DSG | Management NIC (ethMNG) | Communication in TAC | This port is optional. |
8300 | TCP | ESA | DSG | Management NIC (ethMNG) | Used by servers to handle incoming requests. | This is used by servers to handle incoming requests from other agents. |
8300 | TCP | DSG | ESA | Management NIC (ethMNG) | Handle incoming requests | This is used by servers to handle incoming requests from other agents. |
8300 | TCP | DSG | DSG | Management NIC (ethMNG) | Handle incoming requests | This is used by servers to handle incoming requests from other agents. |
8301 | TCP and UDP | ESA | DSG | Management NIC (ethMNG) | Gossip on LAN. | This is used to handle gossip in the LAN. Required by all agents. |
8301 | TCP and UDP | DSG | ESA | Management NIC (ethMNG) | Gossip on LAN. | This is used to handle gossip in the LAN. Required by all agents. |
8301 | TCP and UDP | DSG | DSG | Management NIC (ethMNG) | Gossip on LAN. | This is used to handle gossip in the LAN. Required by all agents. |
8302 | TCP and UDP | ESA | DSG | Management NIC (ethMNG) | Gossip on WAN. | This is used by servers to gossip over the WAN, to other servers. As of Consul 0.8 the WAN join flooding feature requires the Serf WAN port (TCP/UDP) to be listening on both WAN and LAN interfaces. |
8302 | TCP and UDP | DSG | ESA | Management NIC (ethMNG) | Gossip on WAN. | This is used by servers to gossip over the WAN, to other servers. As of Consul 0.8 the WAN join flooding feature requires the Serf WAN port (TCP/UDP) to be listening on both WAN and LAN interfaces. |
8302 | TCP and UDP | DSG | DSG | Management NIC (ethMNG) | Gossip on WAN. | This is used by servers to gossip over the WAN, to other servers. As of Consul 0.8 the WAN join flooding feature requires the Serf WAN port (TCP/UDP) to be listening on both WAN and LAN interfaces. |
Additional Ports for DSG
In DSG, service NICs are not assigned a specific port number. You can configure a port number as per your requirements.
Based on the firewall rules and network infrastructure of your organization, you must open ports for the services listed in the following table.
Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
---|---|---|---|---|---|---|
123 | UDP | DSG | Time servers | Management NIC (ethMNG) of ESA | NTP Time Sync Port | This port can be configured based on the enterprise network policies or according to your use case. |
514 | UDP | DSG | Syslog servers | Management NIC (ethMNG) of ESA | Storing logs | This port can be configured based on the enterprise network policies or according to your use case. |
N/A* | N/A* | DSG | Applications/Systems | Service NIC (ethSRV) of DSG | Enabling communication for DSG with different applications in the organization. | This port can be configured based on the enterprise network policies or according to your use case. |
N/A* | N/A* | Applications/Systems | DSG | Service NIC (ethSRV) of DSG | Enabling communication for DSG with different applications in the organization. | This port can be configured based on the enterprise network policies or according to your use case. |
Ports for the Internet
The following ports must be configured on ESA for communication with the Internet.
Port Number | Protocol | Source | Destination | NIC | Description |
---|---|---|---|---|---|
80 | TCP | ESA | ClamAV Database | Management NIC (ethMNG) of ESA | Updating the Antivirus database on ESA. |
Recommended Ports for Strengthening Firewall Rules
The following ports are recommended for strengthening the firewall configurations.
Port Number | Protocol | Source | Destination | NIC | Description |
---|---|---|---|---|---|
67 | UDP | Appliance/System | DHCP server | Management NIC (ethMNG) | Allows server requests from the DHCP server. |
68 | UDP | Appliance/System | DHCP server | Management NIC (ethMNG) | Allows client requests on the DHCP server. |
161 | UDP | ESA/DSG | SNMP | Management NIC (ethMNG) | Allows SNMP requests. |
10161 | TCP and UDP | ESA/DSG | SNMP | Management NIC (ethMNG) | Allows SNMP requests over DTLS. |
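The tables above say which ports must be reachable; a firewall that actually strengthens the posture should allow only those peer/port pairs on the management NIC and drop the rest. The following Python example is added here and is not Protegrity's own tooling: it takes a constructed subset of the ESA rows from the tables above, de-duplicates rows the page lists twice, expands "TCP and UDP", treats "TCPing" as TCP, and renders an nftables ruleset scoped to ethMNG. The set names such as @admin_hosts and @tac_peers are hypothetical placeholders to be populated with the real peer addresses.

```python
from collections import namedtuple

# Fields mirror the table columns; proto is written exactly as in the tables
# ("TCP", "UDP", "TCP and UDP", "TCPing"), src/dst are the logical peers.
PortRule = namedtuple("PortRule", "port proto src dst")

# Constructed subset of the ESA rows from the tables above (not a complete list).
ESA_RULES = [
    PortRule(22, "TCP", "System User", "ESA"),
    PortRule(443, "TCP", "System User", "ESA"),
    PortRule(25400, "TCP", "Protector", "ESA"),
    PortRule(8301, "TCP and UDP", "TAC peer", "ESA"),
    PortRule(443, "TCPing", "TAC peer", "ESA"),
    PortRule(389, "TCP", "ESA", "Active Directory server"),
    PortRule(389, "TCP", "ESA", "Active Directory server"),  # the page lists 389 twice
    PortRule(123, "UDP", "ESA", "Time servers"),
]
# Hypothetical nftables named sets standing in for each logical peer (fill with real addresses).
PEER_SETS = {"System User": "@admin_hosts", "Protector": "@protector_hosts",
             "TAC peer": "@tac_peers", "Active Directory server": "@ad_servers",
             "Time servers": "@ntp_servers"}

def protocols(spec):
    """Map the table's protocol wording to nft transport protocols; "TCPing" is TCP."""
    return ["tcp", "udp"] if spec == "TCP and UDP" else ["tcp"] if spec.startswith("TCP") else ["udp"]

def nft_rules(rules, host="ESA", nic="ethMNG"):
    """Return de-duplicated accept rules as {"input": [...], "output": [...]} relative to `host`."""
    chains = {"input": [], "output": []}
    for r in rules:
        for proto in protocols(r.proto):
            if r.dst == host:    # inbound: only the named peers may reach this port
                chain, line = "input", f'iifname "{nic}" ip saddr {PEER_SETS[r.src]} {proto} dport {r.port} accept'
            elif r.src == host:  # outbound: the appliance only initiates to its named peers
                chain, line = "output", f'oifname "{nic}" ip daddr {PEER_SETS[r.dst]} {proto} dport {r.port} accept'
            else:
                continue
            if line not in chains[chain]:
                chains[chain].append(line)
    return chains

def ruleset(rules, host="ESA", nic="ethMNG"):
    """Render an nft table: allow replies, then the listed ports, then drop everything else on `nic`."""
    text = "table inet mgmt {\n"
    for hook, lines in nft_rules(rules, host, nic).items():
        ifname = "iifname" if hook == "input" else "oifname"
        text += f"  chain {hook} {{\n    type filter hook {hook} priority 0; policy accept;\n"
        text += "    ct state established,related accept\n"
        text += "".join(f"    {l}\n" for l in lines) + f'    {ifname} "{nic}" drop\n  }}\n'
    return text + "}\n"
```

The final `drop` rule is matched on the interface name, so other NICs such as ethSRV and the loopback interface are left to their own rules; run `nft -c -f` on the rendered text to syntax-check it before loading.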
Audit Store Ports
The following ports must be configured for communication between the ESA and the Audit Store.
Port Number | Protocol | Source | Destination | NIC | Description | Notes (If any) |
---|---|---|---|---|---|---|
9200 | TCP | ESA | ESA | Management NIC (ethMNG) of ESA / Audit Store | Audit Store REST communication. | This port can be configured based on the enterprise network policies or according to your use case. |
9300 | TCP | ESA | ESA | Management NIC (ethMNG) of ESA / Audit Store | Internode communication between the Audit Store nodes. | This port can be configured based on the enterprise network policies or according to your use case. |
24224 | UDP | ESA | ESA | Management NIC (ethMNG) of ESA / Audit Store | Communication between td-agent and the Audit Store. | This port can be configured according to your use case when forwarding logs to an external Security Information and Event Management (SIEM) system. |
24284 | TCP | Protector | ESA | Management NIC (ethMNG) of ESA / Audit Store | Communication between the protector and td-agent. | This port can be configured according to your use case when forwarding logs to an external Security Information and Event Management (SIEM) system over TLS. |