8.1 Sentinel Server Ports

The Sentinel server uses the following ports for internal and external communication.

8.1.1 Local Ports

Sentinel uses the following ports for internal communication with the database and other internal processes:

| Ports | Description |
|---|---|
| TCP 27017 | Used for the Security Intelligence configuration database. |
| TCP 28017 | Used for the web console for Security Intelligence database. |
| TCP 32000 | Used for internal communication between the wrapper process and the server process. |
| TCP 9200 | Used for communication with alert indexing service using REST. |
| TCP 9300 | Used for communication with alert indexing service using its native protocol. |

8.1.2 Network Ports

For Sentinel to work correctly, ensure that the following ports are open on the firewall:

| Ports | Direction | Required/Optional | Description |
|---|---|---|---|
| TCP 5432 | Inbound | Optional. By default, this port listens only on loopback interface. | Used for the PostgreSQL database. You do not need to open this port by default. However, you must open this port when you develop reports by using the Sentinel SDK. For more information, see the Sentinel Plug-in SDK. |
| TCP 1099 and 2000 | Inbound | Required | Used together by monitoring tools to connect to Sentinel server process using Java Management Extensions (JMX). |
| TCP 1289 | Inbound | Optional | Used for Audit connections. |
| UDP 1514 | Inbound | Optional | Used for syslog messages. |
| TCP 8443 | Inbound | Required | Used for HTTPS communication. |
| TCP 1443 | Inbound | Optional | Used for SSL encrypted syslog messages. |
| TCP 61616 | Inbound | Optional | Used for incoming connections from Collector Managers and Correlation Engines. |
| TCP 10013 | Inbound | Required | Used by the Sentinel Control Center and Solution Designer. |
| TCP 1468 | Inbound | Optional | Used for syslog messages. |
| TCP 10014 | Inbound | Optional | Used by the remote Collector Managers to connect to the server through the SSL proxy. However, this is uncommon. By default, remote Collector Managers use the SSL port 61616 to connect to the server. |
| TCP 8443 | Outbound | Optional | If data federation is used, the port initiates a connection to other Sentinel systems to perform distributed search. |
| TCP 389 or 636 | Outbound | Optional | If LDAP authentication is used, the port initiates a connection to the LDAP server. |
| TCP/UDP 111 and TCP/UDP 2049 | Outbound | Optional | If secondary storage is configured to use NFS. |
| TCP 137, 138, 139, 445 | Outbound | Optional | If secondary storage is configured to use CIFS. |
| TCP JDBC (database dependent) | Outbound | Optional | If data synchronization is used, the port initiates a connection to the target database using JDBC. The port that is used is dependent on the target database. |
| TCP 25 | Outbound | Optional | Initiates a connection to the email server. |
| TCP 1290 | Outbound | Optional | When Sentinel forwards events to another Sentinel system, this port initiates a Sentinel Link connection to that system. |
| UDP 162 | Outbound | Optional | When Sentinel forwards events to the system receiving SNMP traps, the port sends a packet to the receiver. |
| UDP 514 or TCP 1468 | Outbound | Optional | This port is used when Sentinel forwards events to the system receiving Syslog messages. If the port is UDP, it sends a packet to the receiver. If the port is TCP, it initiates a connection to the receiver. |
| TCP 7443 | Inbound | Optional | This port allows a Sentinel system to receive events from other SIEM software such as Change Guardian and Secure Configuration Manager. |
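
An added example, not part of the Sentinel documentation: a Python check that compares listening sockets, as reported by `ss -H -tuln`, against the port tables in 8.1.1 and 8.1.2. It assumes the 8.1.1 ports and PostgreSQL should be bound to loopback only, does not cover the appliance ports in 8.1.3, and runs on constructed sample output; the names `audit` and `is_loopback` are hypothetical.

```python
import ipaddress

# Section 8.1.1 ports plus PostgreSQL (loopback-only by default per 8.1.2).
# Assumption of this example: none of these should be bound to a routable address.
LOCAL_ONLY = {("tcp", p) for p in (27017, 28017, 32000, 9200, 9300, 5432)}
# Inbound rows of the section 8.1.2 table.
INBOUND = {("tcp", p) for p in (1099, 2000, 1289, 8443, 1443, 61616,
                                10013, 1468, 10014, 7443)} | {("udp", 1514)}

# Constructed sample of `ss -H -tuln` output (not captured from a real system).
SAMPLE_SS = """\
tcp LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:27017 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:9200 0.0.0.0:*
tcp LISTEN 0 128 [::1]:9300 [::]:*
tcp LISTEN 0 50 *:8443 *:*
tcp LISTEN 0 50 *:61616 *:*
udp UNCONN 0 0 0.0.0.0:1514 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
"""

def is_loopback(addr):
    """True if a listen address printed by ss is a loopback address."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    if addr == "*":                        # wildcard: all interfaces
        return False
    return ipaddress.ip_address(addr).is_loopback

def audit(ss_output):
    """Return (finding, proto, port, address) for listeners that contradict the tables."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        proto = fields[0]
        addr, _, port = fields[4].rpartition(":")
        key = (proto, int(port))
        if is_loopback(addr):
            continue                       # loopback listeners are not remotely reachable
        if key in LOCAL_ONLY:
            findings.append(("exposed-internal", proto, key[1], addr))
        elif key not in INBOUND:
            findings.append(("undocumented", proto, key[1], addr))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print(*finding)
```

On a live server, pass the real `ss -H -tuln` output to `audit` and compare any findings with the firewall rules before opening or closing ports.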

8.1.3 Sentinel Server Appliance Specific Ports

In addition to the ports above, the following ports are open on the appliance.

| Ports | Direction | Required/Optional | Description |
|---|---|---|---|
| TCP 22 | Inbound | Required | Used for secure shell access to the Sentinel appliance. |
| TCP 4984 | Inbound | Required | Also used by the Sentinel appliance for the update service. |
| TCP 289 | Inbound | Optional | Forwarded to 1289 for Audit connections. |
| TCP 443 | Inbound | Optional | Forwarded to 8443 for HTTPS communication. |
| UDP 514 | Inbound | Optional | Forwarded to 1514 for syslog messages. |
| TCP 1290 | Inbound | Optional | Sentinel Link port that is allowed to connect through the SuSE Firewall. |
| UDP and TCP 40000 - 41000 | Inbound | Optional | Ports that can be used when configuring data collection servers, such as syslog. Sentinel does not listen on these ports by default. |
| TCP 443 or 80 | Outbound | Required | Initiates a connection to the appliance software update repository on the Internet or a Subscription Management Tool service in your network. |
| TCP 80 | Outbound | Optional | Initiates a connection to the Subscription Management Tool. |
| TCP 7630 | Inbound | Required | Used by the High Availability Web Konsole (Hawk). |
| TCP 9443 | Inbound | Required | Used by the Sentinel Appliance Management Console. |
| TCP 1098 and 2000 | Inbound | Required | Used together by monitoring tools to connect to Sentinel server process using Java Management Extensions (JMX). |
| TCP 7443 | Inbound | Required | Used by the HTTP Server Connector. |