Understanding Firewall Ports for the ArcSight Platform

This section lists the ports that must be open for the elements that make up the ArcSight Platform:

Firewall Ports for CDF Infrastructure Components

The following tables list the ports that must be open for the CDF infrastructure components:

In most cases, the firewalls for these components are host-based. These components are not likely to have network-based firewalls between them.

In most cases, you do not need to take action to configure the firewalls for these ports.

CDF Vault

Ports (TCP) Node Description
8200 Master

Used by the itom-vault service, which provides a secured configuration store

All cluster nodes should be able to access this port for the client connection.

8201 Master

Used by the itom-vault service, which provides a secured configuration store

Web clients must be able to access this port for peer member connections.

CDF Management Portal

Ports (TCP) Node Description
3000 Master

Used only for accessing the CDF Management Portal during CDF installation from a web browser

Web clients must be able to access this port during the installation of CDF. After installation, web clients use port 5443 to access the CDF Management Portal.

5443 Master

Used for accessing the CDF Management Portal from a web browser after CDF deployment

Web clients must be able to access this port for administration and management of CDF.

5444 Master

Used for accessing the CDF Management Portal from a web browser after CDF deployment, when two-way (mutual) SSL authentication is used

Web clients must be able to access this port for administration and management of CDF, when using two-way (mutual) SSL authentication.

Kubernetes

Ports (TCP) Node Description
2380 Master

Used by the etcd component, which provides a distributed configuration database

All the master nodes should be able to access this port for the etcd cluster communication.

4001 Master

Used by the etcd component, which provides a distributed configuration database

All cluster nodes should be able to access this port for the client connection.

5000 Master

Used by the kube-registry component, which handles the management of container image delivery

All cluster nodes should be able to access this port to communicate with the local container registry.

7443 Master

(Conditional) Used by the Kubernetes API server when you perform one of the following methods of installation:

  • Use the provided scripts

  • Install manually and on the same node as ESM

All cluster nodes should be able to access this port for internal communication.

8443 Master

(Conditional) Used by the Kubernetes API server when you manually install and the installation is not on the same node as ESM

All cluster nodes should be able to access this port for internal communication.

8472 All nodes

Uses the UDP protocol (not TCP, unlike the other ports in this table)

Used by the Flannel service component, which manages the internal cluster networking

All cluster nodes should be able to access this port for internal communication.

10250 All nodes

Used by the Kubelet service, which functions as a local node agent that watches pod specifications through the Kubernetes API server

All cluster nodes should be able to access this port for internal communication and for the worker-node Kubelet API (exec and logs requests).

10251 All nodes

Used by the kube-scheduler component, which watches for any new pod with no assigned node and assigns a node to that pod

All cluster nodes should be able to access this port for internal communication.

10252 All nodes

Used by the kube-controller-manager component that runs controller processes which regulate the state of the cluster

All cluster nodes should be able to access this port for internal communication.

10256 All nodes

Used by the kube-proxy component, a network proxy that runs on each node and exposes the services running on that node

All cluster nodes should be able to access this port for internal communication.

Network File System (NFS)

Ports (TCP) Node Description
111 NFS server

Used by the portmapper service

All cluster nodes should be able to access this port.

2049 NFS server

Used by the nfsd daemon

All cluster nodes should be able to access this port.

Note: This port must be open even during a single-node deployment.

20048 NFS server

Used by the mountd daemon

All cluster nodes should be able to access this port.
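The tables above say which role listens on each port and who must be able to reach it (all cluster nodes, only the master nodes, or web clients). The following script is an added example, not part of the ArcSight documentation, that turns those tables into host-based firewalld rules for a node of a given role, scoping each port to the narrowest source the table names instead of opening it to everyone. The three networks, the role names master / worker / nfs, and the choice of 7443 versus 8443 for the Kubernetes API server are assumptions you must adjust; the source column for each port is taken from the "must be able to access" sentence of the corresponding table row.

```shell
#!/bin/sh
# Added example, not part of the ArcSight documentation: derive host-based
# firewalld rules for a CDF node from the port tables above.
# Assumptions (replace for your environment): the three networks below and
# the role names master / worker / nfs.
CLUSTER_NET="${CLUSTER_NET:-10.10.0.0/24}"    # all CDF cluster nodes (assumed)
MASTER_NET="${MASTER_NET:-10.10.0.0/28}"      # master nodes only (assumed)
CLIENT_NET="${CLIENT_NET:-192.168.50.0/24}"   # admin workstations / web clients (assumed)
K8S_API_PORT="${K8S_API_PORT:-7443}"          # 7443 with the scripts or co-located with ESM, else 8443

# Port matrix transcribed from the tables: "port/proto  listening-role  allowed-source".
# listening-role: master | all (every cluster node) | nfs
# allowed-source: masters | cluster | clients (from the "must be able to access" sentence)
cdf_port_matrix() {
cat <<EOF
8200/tcp master cluster
8201/tcp master clients
3000/tcp master clients
5443/tcp master clients
5444/tcp master clients
2380/tcp master masters
4001/tcp master cluster
5000/tcp master cluster
$K8S_API_PORT/tcp master cluster
8472/udp all cluster
10250/tcp all cluster
10251/tcp all cluster
10252/tcp all cluster
10256/tcp all cluster
111/tcp nfs cluster
2049/tcp nfs cluster
20048/tcp nfs cluster
EOF
}

# Map an allowed-source label to a network.
source_net() {
  case "$1" in
    masters) echo "$MASTER_NET" ;;
    cluster) echo "$CLUSTER_NET" ;;
    clients) echo "$CLIENT_NET" ;;
    *) echo "unknown source label: $1" >&2; return 1 ;;
  esac
}

# Print one firewall-cmd rich rule per port a node of ROLE must accept.
# Masters and workers both run the "all" row services; the NFS server only its own.
rules_for_role() {
  role="$1"
  cdf_port_matrix | while read -r portproto node src; do
    case "$node" in
      "$role") ;;
      all) case "$role" in master|worker) ;; *) continue ;; esac ;;
      *) continue ;;
    esac
    port=${portproto%/*}
    proto=${portproto#*/}
    net=$(source_net "$src") || continue
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" accept'\n" \
      "$net" "$port" "$proto"
  done
}

# Usage: ./cdf-fw.sh master        -> print the rules (review them first)
#        ./cdf-fw.sh master apply  -> apply them and reload firewalld
# Port 3000 is only needed while installing CDF; remove that rule afterwards.
if [ -n "${1:-}" ]; then
  if [ "${2:-}" = apply ]; then
    rules_for_role "$1" | sh && firewall-cmd --reload
  else
    rules_for_role "$1"
  fi
fi
```

Run it without the apply argument first and read the generated rules; a master node gets 14 rules (its own nine plus the five "all nodes" ports, including UDP 8472 for Flannel), a worker gets the five "all nodes" ports, and the NFS server only 111, 2049 and 20048. Restricting the etcd peer port 2380 to the master network and the portal ports to the client network is the least-privilege reading of the tables; if your masters and workers share one subnet, MASTER_NET and CLUSTER_NET can be the same value.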

Firewall Ports for Deployed Capabilities

The following tables list the ports that must be available when you deploy the associated capability into the CDF infrastructure:

In most cases, you do not need to take action to configure the firewalls for these ports.

ArcMC

Ports Direction Description
32080, 9000 Inbound Used for Transformation Hub and ArcMC communication

Intelligence

Ports Node Direction Description
TCP 30820 Worker (HDFS Namenode) Inbound Used for the database to connect to HDFS during Analytics processing
TCP 30070 Worker (HDFS Namenode) Inbound Used for the Hadoop Monitoring Dashboard (optional)
TCP 30010 Worker (HDFS Datanodes) Inbound Used for communication between the HDFS Namenode and the HDFS Datanodes
TCP 30210 Worker (HDFS Datanodes) Inbound Used by the database to establish secure communication with HDFS during Analytics processing
TCP 30110 Worker (HDFS Datanodes and Namenode) Inbound Used for communication between the ArcSight Database and HDFS worker nodes
TCP 30071 Worker (HDFS Namenode) Inbound Used for Secure Data Transfer with the HDFS cluster

SOAR

The SOAR cluster listens on the following ports on all Kubernetes master and worker nodes, but Micro Focus recommends that you only use the ports on the master virtual IP.

Port Description
32200 Data from ESM
32201 Data from QRadar
32202 Data from McAfee

Transformation Hub

Ports (TCP) Direction Description
2181 Inbound Used by ZooKeeper as an inbound port
9092 Inbound Used by Kafka during non-SSL communication
9093 Inbound Used by Kafka when TLS is enabled
32080 Outbound Used by Transformation Hub to send data to ArcMC
32081 Outbound Used by Schema Registry to send data to Avro consumers
443 Inbound Used by ArcMC
9000 Inbound Used by ArcMC
9999, 10000 Inbound Used by the Transformation Hub Kafka Manager to monitor Kafka
39001, 39050 Outbound Used by ArcMC to communicate with Connectors in Transformation Hub

Firewall Ports for Supporting Components

The following tables list the ports that must be available for supporting components:

Database

The database requires several ports to be open on the local network. Micro Focus does not recommend placing a firewall between nodes (all nodes should sit together behind one firewall), but if you must use a firewall between nodes, ensure that the following ports are available:

Ports Description
TCP 22 Required for the Administration Tools and Management Console Cluster installation wizard
TCP 5433 Used by database clients, such as vsql, ODBC, JDBC, and so on
TCP 5434 Used for intra-cluster and inter-cluster communication
UDP 5433 Used for database spread monitoring
TCP 5438 Used as the Management Console-to-node and node-to-node (agent) communication port
TCP 5450 Used to connect to Management Console from a web browser and allows communication from nodes to the Management Console application/web server
TCP 4803 Used for client connections
UDP 4803 Used for daemon-to-daemon connections
UDP 4804 Used for daemon-to-daemon connections
UDP 6543 Used to monitor daemon connections

SmartConnectors

If you have SmartConnectors that are deployed logically far away in the network with firewalls in between, those intermediate firewalls must permit traffic on port 9092 (non-SSL traffic) and port 9093 (SSL traffic).

Port Direction Description
1515 (Raw TCP), 1999 (TLS) Inbound Used by SmartConnector to receive events
9092 (Non-SSL), 9093 (SSL) Outbound Used by SmartConnector to send data to Transformation Hub