The Sentinel server uses the following ports for internal and external communication.
Sentinel uses the following ports for internal communication with the database and other internal processes:
Ports | Description |
---|---|
TCP 27017 | Used for the Security Intelligence configuration database. |
TCP 28017 | Used for the web console for Security Intelligence database. |
TCP 32000 | Used for internal communication between the wrapper process and the server process. |
TCP 9200 | Used for communication with alert indexing service using REST. |
TCP 9300 | Used for communication with alert indexing service using its native protocol. |
For Sentinel to work correctly, ensure that the following ports are open on the firewall:
Ports | Direction | Required/Optional | Description |
---|---|---|---|
TCP 5432 | Inbound | Optional. By default, this port listens only on loopback interface. | Used for the PostgreSQL database. You do not need to open this port by default. However, you must open this port when you develop reports by using the Sentinel SDK. For more information, see the Sentinel Plug-in SDK. |
TCP 1099 and 2000 | Inbound | Required | Used together by monitoring tools to connect to Sentinel server process using Java Management Extensions (JMX). |
TCP 1289 | Inbound | Optional | Used for Audit connections. |
UDP 1514 | Inbound | Optional | Used for syslog messages. |
TCP 8443 | Inbound | Required | Used for HTTPS communication. |
TCP 1443 | Inbound | Optional | Used for SSL encrypted syslog messages. |
TCP 61616 | Inbound | Optional | Used for incoming connections from Collector Managers and Correlation Engines. |
TCP 10013 | Inbound | Required | Used by the Sentinel Control Center and Solution Designer. |
TCP 1468 | Inbound | Optional | Used for syslog messages. |
TCP 10014 | Inbound | Optional | Used by the remote Collector Managers to connect to the server through the SSL proxy. However, this is uncommon. By default, remote Collector Managers use the SSL port 61616 to connect to the server. |
TCP 8443 | Outbound | Optional | If data federation is used, the port initiates a connection to other Sentinel systems to perform distributed search. |
TCP 389 or 636 | Outbound | Optional | If LDAP authentication is used, the port initiates a connection to the LDAP server. |
TCP/UDP 111 and TCP/UDP 2049 | Outbound | Optional | If secondary storage is configured to use NFS. |
TCP 137, 138, 139, 445 | Outbound | Optional | If secondary storage is configured to use CIFS. |
TCP JDBC (database dependent) | Outbound | Optional | If data synchronization is used, the port initiates a connection to the target database using JDBC. The port that is used is dependent on the target database. |
TCP 25 | Outbound | Optional | Initiates a connection to the email server. |
TCP 1290 | Outbound | Optional | When Sentinel forwards events to another Sentinel system, this port initiates a Sentinel Link connection to that system. |
UDP 162 | Outbound | Optional | When Sentinel forwards events to the system receiving SNMP traps, the port sends a packet to the receiver. |
UDP 514 or TCP 1468 | Outbound | Optional | This port is used when Sentinel forwards events to the system receiving Syslog messages. If the port is UDP, it sends a packet to the receiver. If the port is TCP, it initiates a connection to the receiver. |
TCP 7443 | Inbound | Optional | This port allows a Sentinel system to receive events from other SIEM software such as Change Guardian and Secure Configuration Manager. |
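One way to check a running server against the two tables above, as an added example that is not part of the Sentinel documentation: it reads `ss -Hltn` style listener lines, flags internal ports bound to a non-loopback address, and reports required inbound TCP ports that have no listener. Treating the internal ports and TCP 5432 as loopback-only is an assumption drawn from how the page describes them; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit TCP listeners against the Sentinel port tables.
# Assumption: ports the page lists as internal (and PostgreSQL 5432, which
# listens on loopback by default) should not be bound to routable addresses.
INTERNAL_PORTS="27017 28017 32000 9200 9300 5432"
# Inbound TCP ports the page marks as Required on the Sentinel server.
REQUIRED_PORTS="1099 2000 8443 10013"

# audit_listeners: reads `ss -Hltn` style lines on stdin and prints
#   EXPOSED <port> on <addr>   internal port bound to a non-loopback address
#   MISSING <port>             required inbound port with no listener
audit_listeners() {
  awk -v internal="$INTERNAL_PORTS" -v required="$REQUIRED_PORTS" '
    BEGIN {
      n = split(internal, a, " ")
      for (i = 1; i <= n; i++) is_internal[a[i]] = 1
      m = split(required, req, " ")
    }
    NF >= 4 {
      laddr = $4                                # Local Address:Port column
      port = laddr
      sub(/.*:/, "", port)                      # text after the last colon
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)
      seen[port] = 1
      loopback = (addr ~ /^127\./ || addr == "[::1]" || addr == "::1")
      if ((port in is_internal) && !loopback)
        printf "EXPOSED %s on %s\n", port, addr
    }
    END {
      for (i = 1; i <= m; i++)
        if (!(req[i] in seen)) printf "MISSING %s\n", req[i]
    }'
}

# Constructed sample in the column layout of `ss -Hltn` (not real output).
sample_listeners() {
  cat <<'EOF'
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:27017 0.0.0.0:*
LISTEN 0 50 [::]:8443 [::]:*
LISTEN 0 50 *:10013 *:*
LISTEN 0 50 *:1099 *:*
LISTEN 0 128 127.0.0.1:9200 0.0.0.0:*
LISTEN 0 128 192.0.2.10:9300 0.0.0.0:*
EOF
}

# On a live server: ss -Hltn | audit_listeners
sample_listeners | audit_listeners
```

An `EXPOSED` line only shows the bind address; whether the port is reachable from other hosts still depends on the host firewall rules.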
In addition to the above ports, the following ports are open on the appliance.
Ports | Direction | Required/Optional | Description |
---|---|---|---|
TCP 22 | Inbound | Required | Used for secure shell access to the Sentinel appliance. |
TCP 4984 | Inbound | Required | Also used by the Sentinel appliance for the update service. |
TCP 289 | Inbound | Optional | Forwarded to 1289 for Audit connections. |
TCP 443 | Inbound | Optional | Forwarded to 8443 for HTTPS communication. |
UDP 514 | Inbound | Optional | Forwarded to 1514 for syslog messages. |
TCP 1290 | Inbound | Optional | Sentinel Link port that is allowed to connect through the SuSE Firewall. |
UDP and TCP 40000 - 41000 | Inbound | Optional | Ports that can be used when configuring data collection servers, such as syslog. Sentinel does not listen on these ports by default. |
TCP 443 or 80 | Outbound | Required | Initiates a connection to the appliance software update repository on the Internet or a Subscription Management Tool service in your network. |
TCP 80 | Outbound | Optional | Initiates a connection to the Subscription Management Tool. |
TCP 7630 | Inbound | Required | Used by the High Availability Web Konsole (Hawk). |
TCP 9443 | Inbound | Required | Used by the Sentinel Appliance Management Console. |
TCP 1098 and 2000 | Inbound | Required | Used together by monitoring tools to connect to Sentinel server process using Java Management Extensions (JMX). |
TCP 7443 | Inbound | Required | Used by the HTTP Server Connector. |