ArcSight Ports and Protocols June 6, 2018
Contents

• Overview
• ESM (v7.0)
• ESM & ESM Express (v6.11)
• ESM & Express (v6.X/v4.X)
• Event Broker (v2.20) and Investigate (v2.10)
• User Behavior Analytics (v5.0)
• Logger (v6.X)
• Management Center (v2.X)
• SmartConnectors
• Model Import Connectors
• SmartConnector Load Balancer
• Integrated Lights-Out (iLO)
• Connector Appliance (v6.X)
• DNS Malware Analytics (SaaS/Cloud)
• Network Synergy Platform (v5.X)
• Micro Focus Trademark Information
• Company Details


Overview

This document describes the ports and protocols most commonly used by ESM, ESM Express, Express, Investigate, User Behavior Analytics, Logger, Event Broker, Management Center, SmartConnectors, Model Import Connectors, SmartConnector Load Balancer, Connector Appliance, DNS Malware Analytics, Network Synergy Platform, and Integrated Lights-Out (iLO).

ESM (v7.0)

| Destination Port | Notes |
| --- | --- |
| 1976, 28001, 2812, 3306, 5555, 6005, 6009, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088, 8089, 8666, 8766, 8808, 8880, 8888, 8889, 9000, 9095, 9090, 9123, 9124, 9999, 45450 | Ports used internally for inter-component communication |
| 3179, 3180, 3181 | Ports used by the information repository |
| 10000-10100 | Default range of ports for your cluster. This range of ports is made available for dynamic assignment to services (aggregator and correlator, message bus data and message bus control, and distributed cache) as they are added to a cluster. The lowest value can be 1024 and the highest value 32767. The difference between the lowest value and the highest value specified must be at least 100. |
| 694/udp, 7789/tcp | Ports for external incoming connections for HA |
| 8443/tcp | Inbound SmartConnectors and Consoles |
| 9000/tcp | Peering requires this port |
| 22/tcp | Inbound SSH login |
| 53/udp | Inbound/Outbound DNS requests and responses |
| 25/tcp | Outbound SMTP to mail server |
| 110/tcp | Outbound POP3 to mail server, if applicable |
| 143/tcp | Outbound IMAP to mail server, if applicable |
| 1645/udp | Inbound/Outbound RADIUS, if applicable |
| 1812/udp | Inbound/Outbound RADIUS, if applicable |
| 389/tcp | Outbound LDAP to LDAP server, if applicable |
| 636/tcp | Outbound LDAP over SSL to LDAP server, if applicable |
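The ESM (v7.0) table is the input a firewall administrator works from: the external ports become allow-list entries, the HA ports should only be reachable from the HA peer, and the cluster dynamic range is only valid when it satisfies the rule stated in the table (lowest value at least 1024, highest at most 32767, span at least 100). The following Python is an added example, not code from the ArcSight document or from Micro Focus; it turns a subset of the external rows above into iptables-restore lines and validates a proposed cluster range. The peer addresses, cluster member addresses and admin subnet are constructed placeholders.

```python
"""Added example (not part of the ArcSight document): render ESM 7.0 external
ports as a host-firewall allow-list and validate a cluster dynamic port range
against the rule the table states (lowest >= 1024, highest <= 32767,
difference >= 100). All addresses below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    proto: str        # "tcp" or "udp"
    port: str         # single port "8443" or an iptables range "10000:10100"
    inbound: bool     # True = a client connects to the Manager on this port
    note: str
    sources: tuple = ()   # restrict an inbound rule to these CIDRs; () = any source


# Constructed from the ESM (v7.0) external-connection rows on this page (subset).
ESM7_EXTERNAL = (
    PortRule("tcp", "8443", True, "Inbound SmartConnectors and Consoles"),
    PortRule("tcp", "9000", True, "Peering"),
    PortRule("tcp", "22", True, "Inbound SSH login", ("10.0.0.0/24",)),  # assumed admin subnet
    PortRule("udp", "53", False, "Outbound DNS"),
    PortRule("tcp", "25", False, "Outbound SMTP to mail server"),
    PortRule("tcp", "389", False, "Outbound LDAP"),
    PortRule("tcp", "636", False, "Outbound LDAP over SSL"),
)


def validate_cluster_range(low: int, high: int) -> list:
    """Return the rule violations for a cluster dynamic port range; [] means valid."""
    problems = []
    if low > high:
        problems.append("lowest value must not exceed highest value")
    if low < 1024:
        problems.append("lowest value must be at least 1024")
    if high > 32767:
        problems.append("highest value must be at most 32767")
    if high - low < 100:
        problems.append("range must span at least 100 ports")
    return problems


def ha_and_cluster_rules(peers, cluster_members, low, high):
    """HA heartbeat ports (694/udp, 7789/tcp) admitted only from HA peers and the
    dynamic cluster range only from cluster members. Raises on an invalid range."""
    problems = validate_cluster_range(low, high)
    if problems:
        raise ValueError("; ".join(problems))
    rules = [PortRule("udp", "694", True, "HA", tuple(peers)),
             PortRule("tcp", "7789", True, "HA", tuple(peers))]
    rules.append(PortRule("tcp", f"{low}:{high}", True, "cluster dynamic range",
                          tuple(cluster_members)))
    return rules


def iptables_lines(rules):
    """Render rules as iptables-restore lines for the filter table."""
    lines = []
    for r in rules:
        chain = "INPUT" if r.inbound else "OUTPUT"
        # Outbound rules are not source-restricted; inbound ones may be.
        srcs = r.sources if (r.inbound and r.sources) else (None,)
        for src in srcs:
            src_part = f" -s {src}" if src else ""
            lines.append(
                f'-A {chain}{src_part} -p {r.proto} --dport {r.port} '
                f'-m comment --comment "{r.note}" -j ACCEPT')
    return lines


if __name__ == "__main__":
    # Constructed addresses: two HA peers, three cluster members.
    ha = ha_and_cluster_rules(["10.0.1.2", "10.0.1.3"],
                              ["10.0.1.2", "10.0.1.3", "10.0.1.4"], 10000, 10100)
    print("\n".join(iptables_lines(ESM7_EXTERNAL) + iptables_lines(ha)))
```

The output is suitable for a `*filter` section of an iptables-restore file; the same approach applies to the Management Center section, which notes that the appliance firewall is configured by editing iptables-config and white-listing the required ports.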

ESM & ESM Express (v6.11)

| Source Device | Destination Device | Destination Port | Notes |
| --- | --- | --- | --- |
| ESM Manager | | TCP 1976, 28001, 2812, 3306, 5555, 6005, 6009, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088, 8089, 8666, 8766, 8808, 8880, 8888, 8889, 9095, 9090, 9123, 9124, 9999, 45450 | TCP ports used internally for inter-component communication and data exchange between the threads comprising the ESM Manager. They do not require external access, won't be used for any cross-device communication, and can be blocked by an external firewall. |
| ESM Manager | | TCP 9000 | Peering requires this port |
| ESM Manager | | 22/TCP | Inbound SSH login (Unix only) |
| ESM Manager | ESM Manager | 53/UDP | Inbound/Outbound DNS requests and responses |
| ESM Manager | | 8443/TCP | Inbound SmartConnectors and Consoles |
| ESM Manager | | 25/TCP | Outbound SMTP to mail server |
| ESM Manager | | 110/TCP | Outbound POP3 to mail server, if applicable |
| ESM Manager | | 143/TCP | Outbound IMAP to mail server, if applicable |
| ESM Manager | ESM Manager | 1645/UDP | Inbound/Outbound RADIUS, if applicable |
| ESM Manager | ESM Manager | 1812/UDP | Inbound/Outbound RADIUS, if applicable |
| ESM Manager | | 389/TCP | Outbound LDAP to LDAP server, if applicable |
| ESM Manager | | 636/TCP | Outbound LDAP over SSL to LDAP server, if applicable |
| ESM Manager | ESM Manager | TCP/7789, UDP/694 | The HA Module uses ports 694 and 7789 on each IP address in the cluster environment. |
| ESM Manager (the primary IP address; the secondary IP address) | ESM Manager (the primary IP address; the secondary IP address; the Service IP address) | ICMP | ICMP from the HA Module to the Connected Host. A Connected Host is any other machine on the network that you have indicated can be pinged by the HA Module to verify that it is still on the network. |

ESM & Express (v6.X/v4.X)

| Source Device | Destination Device | Destination Port | Notes |
| --- | --- | --- | --- |
| Workstation | ESM/ESM Express Manager | TCP 8443 | Console to ESM/ESM Express Manager communication. |
| Workstation | Express/ESM Manager | TCP 22 | SSH access for troubleshooting and diagnostics. |
| Workstation | DNS Server(s) | UDP/TCP 53 | Console to DNS server communication (nslookup tool). Host resolution of ESM/ESM Express Manager during Console login. |
| Workstation | Whois Server(s) | UDP/TCP 43 | Console to Whois server communication (whois tool). |
| Workstation | Selected Destination/Target in Console | ICMP | Console to target communication (ping tool). |
| Workstation | ArcSight Web | TCP 9443 | Web browser to ArcSight Web communication. |
| ESM/ESM Express Manager | NTP Server(s) | UDP 123 | ESM/ESM Express Manager to NTP server (for time synchronization). |
| ESM/ESM Express Manager | DNS Server(s) | UDP/TCP 53 | ESM/ESM Express Manager to DNS server communication (nslookup tool). |
| ESM/ESM Express Manager | SMTP Server(s) | TCP 25 | ESM/ESM Express Manager to SMTP server (for notifications). |
| ESM/ESM Express Manager | POP3 Server(s) | TCP 110 | ESM/ESM Express Manager to POP3 server (for notifications, if applicable). |
| ESM/ESM Express Manager | IMAP Server(s) | TCP 143 | ESM/ESM Express Manager to IMAP server (for notifications, if applicable). |
| ESM/ESM Express Manager | SNPP Server(s) | TCP 444 | ESM/ESM Express Manager to SNPP server (for notifications, if applicable). |
| ESM/ESM Express Manager | LDAP Server(s) | TCP 389 or 636 | ESM/ESM Express Manager to LDAP server (if applicable). TCP 389 without SSL; TCP 636 with SSL. |
| ESM/ESM Express Manager | RADIUS Server(s) | UDP 1645 or 1812 | ESM/ESM Express Manager to RADIUS server (if applicable). |
| Connector Appliance SmartConnectors, Logger SmartConnectors, and SmartConnectors | ESM/ESM Express Manager | TCP 8443 | SmartConnector to ESM/ESM Express Manager secure and encrypted event channel. |
| ESM/ESM Express Manager | Logger | TCP 443 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination (Forwarding Connector). |
| ESM/ESM Express Manager | ESM/ESM Express Manager | TCP 8443 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination (Forwarding Connector). |
| ESM/ESM Express Manager | Syslog Server(s) | UDP/TCP 514 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination (Forwarding Connector). |
| ESM/ESM Express Manager | McAfee ePolicy Orchestrator | TCP 1433 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination (Forwarding Connector). |
| Web Service Client | ESM/ESM Express Manager | TCP 9090 | The ESM/ESM Express Service Layer is available and exposes functionalities as Web Services. By consuming the exposed Web Services, you can integrate ESM/ESM Express functionality in your own applications. |
| Express Manager | | TCP 9001 | Remote Connector Management listening port. |
| Express Manager | | TCP 9002 | Remote Connector Management listening port. |
| Express Manager | | TCP 6443 | Connector Management. |
| ESM 6.8c Manager | | TCP 8443, 9443, 9000 | These TCP ports are used for external incoming connections. |
| ESM 6.8c Manager | | TCP 1976, 28001, 2812, 3306, 5555, 6005, 6009, 6443, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088, 8089, 8666, 8766, 8808, 8880, 8888, 8889, 9000, 9001, 9002, 9003, 9004, 9005, 9006, 9007, 9008, 9095, 9090, 9123, 9124, 9999, 45450 | These TCP ports are used internally for inter-component communication by ESM 6.8c. |
| ESM 6.8c Manager | | TCP 6060, 9005, 9009, 1099 | Risk Insight |
| ESM 6.8c Manager | | TCP 8081, 6005, 8444, 6410, 6400 | Risk Insight (BusinessObjects) |
| ESM 6.8c Manager | | TCP 7789, UDP 694 | Each of the High Availability servers uses these ports in addition to those used by ESM. |

Event Broker (v2.20) and Investigate (v2.10)

| Source Device | Destination Device | Destination Port | Notes |
| --- | --- | --- | --- |
| Workstation | Event Broker Master Node(s) | 5443/tcp | Web interface to the ArcSight Installer |
| Workstation | Event Broker Master Node(s) | 443/tcp | Web interface to ArcSight Investigate |
| All Event Broker nodes | All Event Broker nodes | 22/tcp | SSH is needed for installation of Event Broker to all Event Broker nodes |
| All Vertica nodes | All Vertica nodes | 22/tcp | SSH is needed for installation of Vertica to all Vertica nodes |
| All Event Broker consumers and producers | All Event Broker Worker nodes | 9092/tcp, 9093/tcp | Port 9092 must be reachable by all Event Broker nodes, consumers, and producers. If you are using TLS, port 9093 must also be reachable. |
| ArcMC | All Event Broker nodes | 38080/tcp, 5443/tcp | ArcMC Management of Event Broker |
| All Event Broker nodes | ArcMC | 443/tcp | ArcMC Management of Event Broker (when ArcMC is installed as root) |
| All Event Broker nodes | ArcMC | 9000/tcp | ArcMC Management of Event Broker (when ArcMC is installed as a non-root user) |
| Investigate node | All Vertica nodes | 5433/tcp | Investigate to Vertica communication |
| | | 2379, 2380, 3000, 4001, 4194, 5000, 8080, 8088, 8200, 8285, 8443, 10248-10252, 10255 | Kubernetes |
| | | 111, 2049, 20048, 37189 | NFS (the NFS ports are used only in clusters that are configured to use an internal NFS server) |
| | | 2181, 9092, 9093, 38080, 39000, 39093, 32181 | Event Broker |
| | | 39001-39010 | CEB (Connectors in Event Broker) |
| | | 4194 | cAdvisor |

User Behavior Analytics (v5.0)

| Source Device | Destination Device | Destination Port | Notes |
| --- | --- | --- | --- |
| UBA Server | UBA Server | TCP 3306 | Port for MySQL |
| Workstation | UBA Server | TCP 8080 (http), TCP 8443 (https) | Tomcat Application Server Port |
| UBA Server | | TCP 22 | SSH |
| UBA Server | | TCP 20 & 21 | FTP |
| UBA Server | MSFT SMTP Gateway | TCP 25 & 465 | SMTP notifications (email alerts from the application) |
| UBA Server | | TCP/UDP 53 | DNS host name lookup – DNS is used for name lookup and event enrichment |
| | | UDP 67 | DHCP/bootstrap protocol server; not needed when static IP addressing is used |
| UBA Server | | UDP 514 | Syslog server set-up; alternate ports can be configured, for example if forwarding events from Logger |
| UBA Server | | ICMP Type 8 | Server monitoring |
| UBA Server | Identity Store | TCP 389, TCP 636 | Connectivity varies by identity store, for example, for Active Directory |
| UBA Master/Child | UBA Master/Child | TCP 3306 & 8443 | Master/Child communication uses ports 3306/8443 (HTTPS) |

Logger (v6.X)

| Source Device | Destination Device | Destination Port | Notes |
| --- | --- | --- | --- |
| Logger | | TCP 1976, 2812, 3306, 5555, 7777, 7778, 7779, 7780, 8005, 8009, 8080, 8088, 8089, 8666, 8808, 8880, 8888, 8889, 9123, 9124, 9999, 45450 | TCP ports used internally for inter-component communication and data exchange between the threads comprising Logger. They do not require external access, won't be used for any cross-device communication, and can be blocked by an external firewall. |
| Workstation | Logger | TCP 443 or 9000 | Web browser to Logger communication. For root installs, allow access to port 443/tcp as well as the ports for any protocol that the Logger receivers need, such as port 514/udp for the UDP receiver and port 515/tcp for the TCP receiver. For non-root installs, allow access to port 9000/tcp as well as the ports for any protocol that the Logger receivers need, such as port 8514/udp for the UDP receiver and port 8515/tcp for the TCP receiver. |
| Workstation | Logger | TCP 22 | SSH access for troubleshooting and diagnostics. |
| Logger | NTP Server(s) | UDP 123 | Logger to NTP server (for time synchronization). |
| Logger | DNS Server(s) | UDP/TCP 53 | Logger to DNS server communication. |
| Logger | SMTP Server(s) | TCP 25 | Logger to SMTP server (for notifications). |
| Logger | Syslog Server(s) | UDP/TCP 514 | Logger to syslog server (for notifications). |
| Logger | SNMP Server(s) | UDP 162 | Logger to SNMP server (for notifications). |
| Logger | RADIUS Server(s) | UDP 1645 or 1812 | Logger to RADIUS server (when Logger is configured to use RADIUS password authentication). |
| Logger | NFS Server(s) | TCP 111, UDP 111, TCP 2049, UDP 2049, TCP 2219, UDP 2219 | Allows Logger to connect to servers via NFS for event archiving and search export. |
| Logger | CIFS Server(s) | TCP 445 | Allows Logger to connect to servers via CIFS for event archiving and search export. |
| Logger | NFS Server(s) | TCP 111, UDP 111, TCP 2049, UDP 2049, TCP 2219, UDP 2219 | Allows Logger File Receivers to read log files from NFS servers. Allows Logger SmartConnectors (L3500) to read logs from NFS servers. |
| Logger | CIFS Server(s) | TCP 445 | Allows Logger File Receivers to read log files from CIFS servers. Allows Logger SmartConnectors (L3500) to read logs from CIFS servers. |
| Logger | SCP, SFTP, FTP Server(s) | TCP 22 (SCP, SFTP), TCP 20 & 21 (FTP) | Allows Logger File Transfer Receiver to read remote log files using SCP, SFTP or FTP protocols. |
| Syslog Event Sources | Logger | UDP 514 or 8514 | The UDP receiver is on port 514/udp for Logger Appliances. If you are installing Software Logger as root, the UDP receiver is on port 514/udp. For non-root installs, it is on port 8514/udp. If this port is already occupied, the initialization process selects the next higher unoccupied port. |
| Syslog Event Sources | Logger | TCP 515 or 8515 | The TCP receiver is on port 515/tcp for Logger Appliances. If you are installing Software Logger as root, the TCP receiver is on port 515/tcp. For non-root installs, it is on port 8515/tcp. If this port is already occupied, the initialization process selects the next higher unoccupied port. |
| SmartConnectors | Logger | TCP 443 or 9000 | The SmartMessage receiver listens on the same port as the User Interface: 443/tcp on Logger appliances, typically 443/tcp on Software Logger installed as root, and 9000/tcp on Software Logger installed as non-root. The Software Logger ports may vary. |
| Logger | ESM/ESM Express Manager | TCP 8443 | Used to forward audit events from Logger to the ESM/ESM Express Manager. |
| Logger | ESM/ESM Express Manager and/or Syslog Server(s) | TCP 8443 (ESM/ESM Express Manager), UDP/TCP 514 | Used to send all events, or events which match a particular filter, on to a particular host. |
| Logger | SCP Server | TCP 22 (SCP) | Allows backup of Logger configuration to remote host. |
| ArcMC Agent | Logger | TCP 7913 | ArcMC Agent |
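The Logger receiver rows above carry a failure mode that matters for firewalling: the receiver defaults differ between appliance, root and non-root software installs, and if the default port is already taken the initialization process moves the receiver to the next higher unoccupied port, so an allow-list written for 8514/udp can silently miss the port the receiver actually binds. The following Python is an added example, not code from the ArcSight document or from Micro Focus; it models that selection, emits allow rules that admit the receivers only from the syslog source subnets you expect, and reports drift between the port the firewall was written for and the port in use. The install-type names, the `occupied` set and the source subnet are constructed placeholders.

```python
"""Added example (not part of the ArcSight document): model the Logger receiver
port selection the table describes (defaults per install type, fall back to
the next higher unoccupied port) and emit host-firewall rules that admit only
the expected syslog sources. Install-type labels and subnets are constructed.
"""

# Defaults stated on this page: UI/SmartMessage port, UDP receiver, TCP receiver.
DEFAULTS = {
    "appliance":        {"ui": 443,  "udp": 514,  "tcp": 515},
    "software-root":    {"ui": 443,  "udp": 514,  "tcp": 515},
    "software-nonroot": {"ui": 9000, "udp": 8514, "tcp": 8515},
}


def next_free(proto, port, occupied):
    """Step upward until (proto, port) is not in the occupied set, mirroring
    the "next higher unoccupied port" behaviour the table describes."""
    while (proto, port) in occupied:
        port += 1
    return port


def receiver_ports(install_type, occupied=frozenset()):
    """Ports the receivers end up on for an install type. `occupied` is the set
    of (proto, port) pairs already bound on the host at initialization time.
    Assumption: the fallback is applied uniformly here; the page states it in
    the context of Software Logger installs."""
    d = DEFAULTS[install_type]
    return {
        "ui": d["ui"],
        "udp": next_free("udp", d["udp"], occupied),
        "tcp": next_free("tcp", d["tcp"], occupied),
    }


def syslog_allow_rules(ports, source_cidrs):
    """iptables-restore lines admitting the receivers only from known sources."""
    rules = []
    for cidr in source_cidrs:
        rules.append(f"-A INPUT -s {cidr} -p udp --dport {ports['udp']} -j ACCEPT")
        rules.append(f"-A INPUT -s {cidr} -p tcp --dport {ports['tcp']} -j ACCEPT")
    return rules


def allow_list_drift(expected, actual):
    """Receivers whose real port differs from the one the allow-list was written
    for (empty list = no drift)."""
    return [name for name in ("udp", "tcp") if expected[name] != actual[name]]


if __name__ == "__main__":
    expected = receiver_ports("software-nonroot")
    # Constructed scenario: something already holds 8514/udp on the host.
    actual = receiver_ports("software-nonroot", {("udp", 8514)})
    print("\n".join(syslog_allow_rules(actual, ["192.0.2.0/24"])))
    print("drift:", allow_list_drift(expected, actual))
```

In practice `actual` would be filled from what the host is really listening on (for example the output of `ss -lntup` on the Logger host) rather than from a constructed set; the drift check is the part worth automating after every Logger restart.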

Management Center (v2.X)

| Source Device | Destination Device | Destination Port | Notes |
| --- | --- | --- | --- |
| ArcMC Appliance | | TCP 21, 22, 443, 7913, 9001, 9002, 9003, 9004, 9005, 9006, 9007, 9008; UDP 123 | The ArcSight Management Center Appliance (v2.5+) includes a script that you can use to configure the firewall. This script looks at your current ArcSight Management Center configuration and decides what ports to keep open. Alternatively, you can configure the firewall on your appliance as you would on any server, by editing iptables-config and white-listing the appropriate ports. |
| Workstation | ArcMC | TCP 443 (when installed as root), TCP 9000 (when installed as non-root user) | Web browser to ArcMC communication. |
| Workstation | ArcMC | TCP 22 | SSH access for troubleshooting and diagnostics. |
| ArcMC | ArcMC/Logger/Connector Appliance | TCP 443 (when installed as root), TCP 9000 (when installed as non-root user) | Managing ArcMC/Logger/Connector Appliance |
| ArcMC | NTP Server(s) | UDP 123 | ArcMC to NTP server (for time synchronization). |
| ArcMC | DNS Server(s) | UDP/TCP 53 | ArcMC to DNS server communication (for IP/hostname resolution) |
| ArcMC | SMTP Server(s) | TCP 25 | ArcMC to SMTP server (for notifications). |
| ArcMC | RADIUS Server(s) | UDP 1645 or 1812 | ArcMC to RADIUS server (for external authentication). |
| ArcMC | LDAP Server(s) | TCP 389 or 636 | ArcMC to LDAP server (for external authentication). TCP 389 without SSL; TCP 636 with SSL. |
| ArcMC | SCP Server | TCP 22 | Allows backup of ArcMC configuration to a remote host. |
| ArcMC | ArcMC local syslog SmartConnector | UDP/TCP 514 | Used for audit forwarding from ArcMC to the ArcMC local syslog SmartConnector. |
| ArcMC SmartConnectors | ESM/ESM Express Manager | TCP 8443 | ArcMC SmartConnectors to ESM/ESM Express Manager secure and encrypted event channel. |
| ArcMC SmartConnectors | Logger | TCP 443 | ArcMC SmartConnectors to Logger SmartMessage secure and encrypted event channel. |
| ArcMC local syslog SmartConnector | ESM/ESM Express Manager | TCP 8443 | Used for audit forwarding from the ArcMC local syslog SmartConnector to ESM/ESM Express Manager secure and encrypted event channel. |
| ArcMC local syslog SmartConnector | Logger | TCP 443 | Used for audit forwarding from ArcMC local syslog SmartConnector to Logger SmartMessage secure and encrypted event channel. |
| ArcMC | SmartConnectors | TCP 9001-9008 | Allows ArcMC to manage remote SmartConnectors (appliance and/or software). |
| ArcMC | NFS Server(s) | UDP/TCP 111, TCP 2049, UDP 2049, TCP 2219, UDP 2219 | Allows SmartConnectors to read logs from NFS servers. |
| ArcMC | CIFS Server(s) | TCP 445 | Allows SmartConnectors to read logs from CIFS servers. |
| ArcMC | marketplace.saas.hpe.com | TCP 443 | Connection to the ArcSight Marketplace for retrieving parser upgrade versions. |

SmartConnectors

| Source Device | Destination Device | Destination Port | Notes |
| --- | --- | --- | --- |
| SmartConnector | DNS Server(s) | UDP/TCP 53 | SmartConnector to DNS server communication. |
| Connector Appliance SmartConnectors or SmartConnectors | ESM/ESM Express Manager | TCP 8443 | SmartConnector to ESM/ESM Express Manager secure and encrypted event channel. |
| Connector Appliance SmartConnectors or SmartConnectors | Logger | TCP 443 | SmartConnector to Logger SmartMessage secure and encrypted event channel. |
| Connector Appliance | SmartConnectors | TCP 9001 | Allows Connector Appliance to manage remote SmartConnectors (appliance and/or software). |
| Forwarding Connector | ESM/ESM Express Manager | TCP 8443 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination. |
| Forwarding Connector | Logger | TCP 443 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination. |
| Forwarding Connector | Syslog Server(s) | UDP/TCP 514 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination. |
| Forwarding Connector | McAfee ePolicy Orchestrator | TCP 1433 | Allows you to receive events from a source ESM/ESM Express Manager installation and send them to a secondary destination. |
| Syslog Event Sources | SmartConnector | UDP/TCP 514 | All products that send events via syslog. |
| SNMP Event Sources | SmartConnector | UDP 162 | All products that send events via SNMP. |
| Microsoft Windows Event Log – Unified | Windows Servers and Workstations | TCP 445 | This SmartConnector can connect to local or remote machines, inside a single domain or from multiple domains, to retrieve events from all types of event logs. |
| Windows Domain (Legacy) | Windows Servers | TCP 135, 139, 445; UDP 137, 138 | The Windows Domain SmartConnector will use RPC and Remote Registry to connect to the server and poll the Windows Event Log. This SmartConnector requires domain privileges and domain membership. |
| Check Point | Check Point Provider-1 (configure for each CMA) | TCP 18184 | The Check Point SmartConnector will connect to Provider-1 using the Log Export API (LEA) over SSLCA; OPSEC will need to be configured per CMA. |
| Check Point | Check Point Provider-1 or Smart Center | TCP 18210 | Allows SmartConnector to pull OPSEC SSL certificate. |
| Oracle | Oracle Server | TCP 1521 | The SmartConnector establishes connectivity to the database. |
| Microsoft SQL Server | Microsoft SQL Server | TCP 1433; TCP 139, 445; UDP 135, 139, 445 | The SmartConnector establishes connectivity to the database and reads audit trace logs simultaneously. Trace files are not a requirement with some products reporting to Microsoft SQL Server. |
| MySQL | MySQL Server | TCP 3306 | The SmartConnector establishes connectivity to the database. |
| Blue Coat | Server hosting Blue Coat SmartConnector and FTP server | TCP 20, TCP 21 | Allows Blue Coat to send logs to server hosting Blue Coat SmartConnector over FTP and FTP-Data. |
| Sourcefire | Sourcefire Defense Center Server | TCP 8302 | SSL connection for the Defense Center eStreamer protocol. |
| WinC host / winc-agent.exe | WinC host / Java.exe | TCP/61616 | SmartConnector for Microsoft Windows Event Log – Native. Port 61616 is used for the Message Queue service to communicate between the standard connector code of WinC and its agent code in C#, winc-agent. The port can be configured if needed; for example, when more than one WinC is installed on the same server, the port number should be modified by adding mq.server.listener.port to agent.properties. By default, this is set to 61616 in agent.default.properties. Copy the value to agent.properties and change the port number. |
| WinC host / winc-agent.exe | Server to collect events from | TCP/135 | SmartConnector for Microsoft Windows Event Log – Native |
| Server to collect events from | WinC host / winc-agent.exe | Vary. Default TCP/49153 | SmartConnector for Microsoft Windows Event Log – Native. WinC and the server to collect events from negotiate the port to use from the ephemeral TCP port range: 49152-65535; 1025-5000. |

The third-party SmartConnector types listed above are some of the most common SmartConnectors deployed. For any third-party SmartConnector not listed, please refer to the “SmartConnector Configuration Guide” for information on the ports and protocols used.

Model Import Connectors

| Source Device | Destination Device | Destination Port | Notes |
| --- | --- | --- | --- |
| Model Import Connector for Reputation Security Monitor Plus 1.6 | ns.glbs.zvelo.com | TCP 443 | A component of Reputation Security Monitor Plus which retrieves reputation data from the threat intelligence service, processes this data, and forwards it to ESM/ESM Express. |
| Model Import Connector for Reputation Security Monitor 1.5 | tmc.tippingpoint.com, d.tippingpoint.com, *.akamai.net, *.akamai.com | TCP 443 | A component of Reputation Security Monitor which retrieves reputation data from the threat intelligence service (powered by DVLabs), processes this data, and forwards it to ESM/ESM Express. tmc.tippingpoint.com is the application server that provides the Web Service. The Web Service provides a URL to d.tippingpoint.com to the client, from which the actual data is downloaded as files. Since d.tippingpoint.com is a cloud service (Akamai based), the underlying IP addresses are subject to change all the time; therefore only domain-based filtering, not IP-based filtering, can be used between the Model Import Connector and the Internet. |
| Model Import Connector for IdentityView | Active Directory | TCP 389 or 636 | The Model Import Connector for Microsoft Active Directory extracts the user identity information (or Actor data) from the Active Directory LDAP, and then uses that data to populate ESM/ESM Express Manager with resources. |
| Model Import Connector | ESM/ESM Express Manager | TCP 8443 | Model Import Connector to ESM/ESM Express Manager secure and encrypted channel. |

Page 22: ArcSight Ports and Protocols€¦ · 3179, 3180, 3181 Ports used by the information repository : 10000-10100 . Default range of ports for your cluster. This range of ports is made

22

SmartConnector Load Balancer

| Source Device | Destination Device | Destination Port | Notes |
| --- | --- | --- | --- |
| Primary Node | Secondary Node | TCP 9090 | 'vipPingPort' is internally used to check if the VIP address is still bound to one of the member hosts for continuous event collection. |
| Primary Node | Secondary Node | TCP 6702 | Port is internally used to communicate with another Load Balancer to detect the health for HA support. |
| Primary/Secondary Node | SmartConnector | TCP 9001, TCP 8443 | TCP 9001: remote.management.listener.port from agent.properties. TCP 8443: Web Service Listener. |
| Syslog Devices | Primary/Secondary Node Virtual IP Address | UDP 514 | 'vipAddress' is the virtual IP address that will be shared between two member hosts to handle seamless failover of a member host. |
| Syslog Devices | Primary/Secondary Node Virtual IP Address | TCP 514 | 'vipAddress' is the virtual IP address that will be shared between two member hosts to handle seamless failover of a member host. |

Integrated Lights-Out (iLO)

| Source Device | Destination Device | Destination Port | Notes |
| --- | --- | --- | --- |
| | Integrated Lights-Out (iLO) | TCP 22, 80, 443, 623, 17990, 17988 | iLO Management technologies are embedded management technologies that support the complete lifecycle of all ProLiant servers, from initial deployment to ongoing management and service alerting. |

Connector Appliance (v6.X)

| Source Device | Destination Device | Destination Port | Notes |
| --- | --- | --- | --- |
| Workstation | Connector Appliance | TCP 443 | Web browser to Connector Appliance communication. |
| Workstation | Connector Appliance | TCP 22 | SSH access for troubleshooting and diagnostics. |
| Connector Appliance | NTP Server(s) | UDP 123 | Connector Appliance to NTP server (for time synchronization). |
| Connector Appliance | DNS Server(s) | UDP/TCP 53 | Connector Appliance to DNS server communication. |
| Connector Appliance | SMTP Server(s) | TCP 25 | Connector Appliance to SMTP server (for notifications). |
| Connector Appliance | RADIUS Server(s) | UDP 1645 or 1812 | Connector Appliance to RADIUS server (when Connector Appliance is configured to use RADIUS password authentication). |
| Connector Appliance SmartConnectors or SmartConnectors | ESM/ESM Express Manager | TCP 8443 | SmartConnector to ESM/ESM Express Manager secure and encrypted event channel. |
| Connector Appliance SmartConnectors or SmartConnectors | Logger | TCP 443 | SmartConnector to Logger SmartMessage secure and encrypted event channel. |
| Connector Appliance | NFS Server(s) | TCP 111, UDP 111, TCP 2049, UDP 2049, TCP 2219, UDP 2219 | Allows SmartConnectors to read logs from NFS servers. |
| Connector Appliance | CIFS Server(s) | TCP 445 | Allows SmartConnectors to read logs from CIFS servers. |
| Connector Appliance | Connector Appliance SmartConnectors and SmartConnectors | TCP 9001 (SmartConnector), TCP 9001-9004 (C3500), TCP 9001-9008 (C5500) | Allows Connector Appliance to manage remote SmartConnectors (appliance and/or software). |
| Connector Appliance | Syslog Server(s) | UDP/TCP 514 | Used to forward audit events from Connector Appliance to syslog server(s). |
| Connector Appliance | SCP Server | TCP 22 (SCP) | Allows backup of Connector Appliance configuration to remote host. |

DNS Malware Analytics (SaaS/Cloud)

| Source Device | Destination Device | Destination Port | Notes |
|---|---|---|---|
| DNS capture module | SaaS analytic engine – portal.dnsmalwareanalytics.com | Web Sockets – RFC 6455; Encryption WSS – TLS 1.2 minimum; WAMP – Web Application Messaging Protocol 2.0 | DNS Malware Analytics is a scalable, cloud-based threat detector that monitors DNS traffic and rapidly identifies an infected system, enabling immediate remediation in real time. |
| Workstation | portal.dnsmalwareanalytics.com | TCP 443 | Web browser to SaaS analytic engine interface. |


Network Synergy Platform (v5.X)

| Source Device | Destination Device | Destination Port | Notes |
|---|---|---|---|
| Workstation | NSP | TCP 443 | Web browser to NSP communication. |
| NSP | Managed devices | TCP 20 & 21 (FTP) | Configuration file transfer. |
| NSP | Managed devices | TCP 22 (SSH, SCP, SFTP) | Securely copy or transfer files. |
| NSP | Managed devices | TCP 23 (telnet) | Managed device access through the appliance only as needed. |
| NSP | Managed devices | UDP 69 (TFTP) | Configuration file transfer. |
| NSP | Managed devices | ICMP | Device discovery. |
| NSP | Managed devices | Multiple ports | Device discovery, if OS fingerprinting is selected. |
| Managed devices | NSP | TCP 20 & 21 (FTP) | Configuration file transfer. |
| Managed devices | NSP | TCP 22 (SSH, SCP) | Securely copy or transfer files (SSH proxy; SCP on demand only). |
| Managed devices | NSP | UDP 69 (TFTP) | Configuration file transfer (TFTP on demand only). |
| NSP | SMTP Server(s) | TCP 25 (SMTP) | E-mail notifications (if enabled on your appliance). |
| NSP | SNMP Server(s) | UDP 161 & 162 (SNMP) | SNMP notifications (if your appliance is configured to send them). |
| NSP | Syslog Server(s) | UDP 514 (syslog) | Syslog messages (if your appliance is configured to send them). |
| NSP | WINS Server(s) | UDP/TCP 1512 | NSP to WINS server communication to resolve Windows NetBIOS names. |
| NSP | NTP Server(s) | UDP 123 | NSP to NTP server (for time synchronization). |
| NSP | DNS Server(s) | UDP/TCP 53 | NSP to DNS server communication. |
| NSP | ESM/ESM Express Manager | TCP 8443 | TRM Connector configured to integrate NSP with ESM/ESM Express and take TRM actions on managed devices through the NSP appliance. |
| NSP | Syslog SmartConnector (running on Connector Appliance or as a SmartConnector) | UDP 514 (syslog) | The NSP appliance forwards the notification messages it generates to a Common Event Format (CEF) Syslog SmartConnector that sends the events on to the ESM/ESM Express Manager. |

The information that resides on your NSP appliance is well protected. Any port, except 443, is opened only for the length of time it takes to perform the action related to that port. After the action has been performed, the port is closed. The appliance opens no unnecessary ports and introduces no third-party software vulnerabilities that might compromise the security of the information.

Micro Focus Trademark Information

MICRO FOCUS and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus (IP) Limited or its subsidiaries in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.


Company Details

Company name: Micro Focus International plc
Place of registration: England and Wales
Registered number: 5134647
Registered address: The Lawn, 22-30 Old Bath Road, Berkshire, RG14 1Q