Firewall Requirements

Several components in the Stellar Cyber product require that certain ports and domains be accessible through your firewall. Use the legend and tables below to determine which apply to your environment.

Also see: Log Parser Ports.

Legend

  • CM: Configuration Manager*

  • DA: Data Analyzer*

  • DL: Data Lake*

  • DP: Data Processor

  • LAS: Linux Server (Agent) Sensor

  • MS: Modular Sensor

  • NS: Network Sensor

  • SS: Security Sensor

  • WAS: Windows Server (Agent) Sensor

*Although these are part of the DP, they have unique IP addresses so are listed independently in the table below.

Ports for Associated Stellar Cyber VMs

When configuring the DP with separate VMs for the DL and DA (or in a cluster with additional worker nodes), all nodes must be in the same VPC and all ports between the nodes must be open in your firewall.

Open All TCP Ports Between Internal Addresses of Associated Stellar Cyber VMs

All TCP ports must be open between the internal network addresses of associated Stellar Cyber VMs, either in a cluster or a standard deployment with separate DL-m and DA-m VMs. For example, in a standard deployment with the DL-m on 172.31.7.0/24 and the DA-m on 172.31.10.0/24, the following rules must exist:

  • The DL-m must have a rule that allows all inbound TCP traffic from the 172.31.10.0/24 subnet.

  • The DA-m must have a rule that allows all inbound TCP traffic from the 172.31.7.0/24 subnet.

Stellar Cyber recommends that you add a firewall rule that allows all traffic between clustered VMs (or just between the DA and DL VMs in a standard deployment) and give that rule a higher priority than the standard rule for the VPC.

General Purpose Ports

| Source | Destination | Port | Protocol | Required? | Purpose |
| --- | --- | --- | --- | --- | --- |
| SSH client | DL, DA, LAS, NS, SS, MS | 22 | TCP | Optional | Management access |
| DL | Mail server | 25, 465, 587 | TCP | Optional | Sending system notifications and configured email alerts for ATH rules |
| DA | whois | 43 | TCP | Required for certain alert types | Performing address lookups to a local in-country registrar (actual address varies per geography) |
| DL, DA, Sensors | DNS server (environment specific) | 53 | UDP | Required | Name service for downloading third-party libraries, support of customer configured Active Directory, and CM communication (if the CM is addressed by name rather than by IP) |
| DL | OKTA server (environment specific) | 80, 443 | TCP | Optional | Customer configured OKTA SSO SAML authentication |
| DL, DA, All sensors | NTP server | 123 | UDP | Required | Performing time synchronization |
| Client web browser | DL | 443 | TCP | Required | Displaying the user interface |
| NS, LAS | SS | 4789, 8472 (environment specific) | UDP | Required | VXLAN packet forwarding |
| NS | SS | 5123 | TCP | Required | Local file assembly over HTTPS |
| WAS, LAS, NS, SS, MS | DL | 6640-6648 | TCP with TLS 1.2 | Required | Communicating with the CM |
| WAS, LAS, NS, SS, MS | DL | 8443 | TCP (HTTPS with TLS 1.2) | Required | Downloading software and files from the DP, including custom log parsers |
| WAS, LAS, NS, SS, MS | DA | 8888, 8889 | TCP (HTTPS with TLS 1.2) | Required | Receiver ports for communicating with the DA |
| WAS, LAS, NS, SS, MS | MS with Aggregator enabled | 6640-6648, 8443, 8888, 8889 | TCP proxy | Required | Must be open for communications between sensor and aggregator |
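The DL-m/DA-m subnet rules described above and the required rows of the General Purpose Ports table, turned into an added audit script (example code, not Stellar Cyber's own tooling): it encodes the required flows and reports which of them a deployment's allow rules leave uncovered. The role names, the sensor subnet and the sample rule set are assumptions constructed for the example; the ports and the 172.31.7.0/24 and 172.31.10.0/24 subnets come from this page.

```python
import ipaddress

# Required flows distilled from this page's tables, as
# (src_role, dst_role, proto, first_port, last_port).
REQUIRED_FLOWS = [
    ("Sensor", "DL", "TCP", 6640, 6648),  # communicating with the CM (TLS 1.2)
    ("Sensor", "DL", "TCP", 8443, 8443),  # software and custom parser downloads
    ("Sensor", "DA", "TCP", 8888, 8889),  # DA receiver ports
    ("Sensor", "DNS", "UDP", 53, 53),     # name service
    ("Sensor", "NTP", "UDP", 123, 123),   # time synchronization
    ("DL", "DA", "TCP", 1, 65535),        # all TCP between associated VMs
    ("DA", "DL", "TCP", 1, 65535),
]

def missing_flows(roles, rules):
    """roles maps a role (Sensor, DL, DA, DNS, NTP) to its CIDR; rules are allow
    rules (src_cidr, dst_cidr, proto, first_port, last_port). Returns required flows
    with an uncovered port, checked port by port so split ranges still pass."""
    parsed = [(ipaddress.ip_network(s), ipaddress.ip_network(d), p, lo, hi)
              for s, d, p, lo, hi in rules]
    gaps = []
    for s_role, d_role, proto, lo, hi in REQUIRED_FLOWS:
        if s_role not in roles or d_role not in roles:
            continue  # role not deployed, e.g. a single-VM DP has no separate DA
        src = ipaddress.ip_network(roles[s_role])
        dst = ipaddress.ip_network(roles[d_role])
        # Port spans of every rule whose src/dst/proto match this flow.
        spans = [(a, b) for rs, rd, p, a, b in parsed
                 if p == proto and src.subnet_of(rs) and dst.subnet_of(rd)]
        bad = [port for port in range(lo, hi + 1)
               if not any(a <= port <= b for a, b in spans)]
        if bad:  # report the first and last uncovered port of the flow
            gaps.append((s_role, d_role, proto, bad[0], bad[-1]))
    return gaps

# Constructed sample deployment: the DL-m/DA-m subnets from this page's example
# plus an invented sensor subnet; the NTP rule is deliberately left out.
ROLES = {"Sensor": "10.20.0.0/24", "DL": "172.31.7.0/24", "DA": "172.31.10.0/24",
         "DNS": "10.20.0.53/32", "NTP": "10.20.0.123/32"}
RULES = [
    ("172.31.10.0/24", "172.31.7.0/24", "TCP", 1, 65535),  # DL-m inbound from DA-m
    ("172.31.7.0/24", "172.31.10.0/24", "TCP", 1, 65535),  # DA-m inbound from DL-m
    ("10.20.0.0/24", "172.31.7.0/24", "TCP", 6640, 6644),  # CM range split in two
    ("10.20.0.0/24", "172.31.7.0/24", "TCP", 6645, 6648),
    ("10.20.0.0/24", "172.31.7.0/24", "TCP", 8443, 8443),
    ("10.20.0.0/24", "172.31.10.0/24", "TCP", 8888, 8889),
    ("10.20.0.0/24", "10.20.0.53/32", "UDP", 53, 53),
]
if __name__ == "__main__":
    print(missing_flows(ROLES, RULES))  # [('Sensor', 'NTP', 'UDP', 123, 123)]
```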

Domains

All of the following domains are required.

Note: Because there are numerous stellarcyber.ai subdomains, you may find it simpler to open *.stellarcyber.ai.

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| DL, DA | privateregistry.stellarcyber.ai (previously 50.220.129.169) | 443 | TCP | Private Docker registry server for software updates |
| DL, DA | acps.stellarcyber.ai | 443 | TCP | Downloading software installers/metarepo, IOC feed, IDS signature updates and license validation |
| NS, SS, MS | archive.ubuntu.com, security.ubuntu.com, esm.ubuntu.com, ppa.launchpad.net | 443; 80 (sensors running 4.3.6 and earlier) | TCP | Software updates. Sensors running 4.3.7 and later no longer require port 80 for Ubuntu updates; only 443 is required. |
| LAS | For CentOS/Red Hat servers: domains included in the repository configuration files (/etc/yum.repos.d/*.repo), dl.fedoraproject.org, mirrors.fedoraproject.org | Environment specific | TCP | Customer configured port for accessing the OS provider's repository server for application updates |
| LAS | For SUSE servers: domains in the repository configuration files (/etc/zypp/repos.d/*.repo) | Environment specific | TCP | Customer configured port for accessing the OS provider's repository server for application updates |
| LAS | For Ubuntu servers: hosts in /etc/apt/sources.list | Environment specific | TCP | Customer configured port for accessing the OS provider's repository server for application updates |
| LAS | launchpadlibrarian.net | 80 | TCP | Software updates |
| LAS | http://download.webmin.com | 80 | TCP | Software updates |
| NS, SS, MS | dl.stellarcyber.ai | 443, 80 | TCP | Downloading files during upgrade |
| Client system | doc-server.stellarcyber.ai | 443 | TCP | Accessing online help from the Stellar Cyber documentation server |
| DL, DA | docker.com, *.docker.com, docker.io, *.docker.io, quay.io, *.quay.io | 443 | TCP | Software updates; include all subdomains of docker.com and docker.io as shown. Optional if the private registry is enabled. |
| WAS | live.sysinternals.com/sysmon.exe | 443 | TCP | Optional; required if the customer wants to install Sysmon |
| LAS, NS, SS, MS | pypi.python.org, pypi.org | 443 | TCP | Installation and update of required packages |
| LAS, NS, SS, MS | pythonhosted.org | 443 | TCP | Installation and update of required packages |
| DL, NS, SS, MS | sandbox.stellarcyber.ai | 443 | TCP | Optional; required if the customer wants the Malware Sandbox capability |
| MS | Environment specific | Environment specific | TCP | Optional; customer configured host and port for Tenable vulnerability scanning support |

Data Sinks & Backups

The indicated ports are required to use the associated feature.

STORAGE

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| DL | Customer configured host and folder | 22 | TCP | SCP backups |
| DL | AWS S3 bucket | 443 | TCP | AWS S3 storage |
| DL | Customer configured host and port | Usually 2049 or 111 | TCP or UDP | NFS storage |
| DL | Customer configured Azure destination container (endpoint) | 443 | TCP | Azure Blob |
| DL | Customer configured region and namespace | 443 | TCP | Oracle (OCI) |

DATA SINKS

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| DL, DA | Customer configured region and bucket | 443 | TCP | AWS S3 |
| DL, DA | Customer configured address | 8088 | TCP | Splunk |
| DL, DA | Customer configured address | 9092 | TCP | Kafka |
| DL, DA | Customer configured address | 9300 | TCP | Elasticsearch |
| DL, DA | Customer configured Azure destination container (endpoint) | 443 | TCP | Azure Blob |
| DL, DA | Customer configured host and port | Usually 2049 or 111 | TCP or UDP | NFS |
| DL, DA | cloud.google.com storage bucket configured by customer | 443 | TCP | Google (GCP) cloud storage bucket |

Connector/Parser-specific

In addition to the general requirements above, review the following for your specific connector and parser choices:

  • For any connector, you must also allow access between the sensor (or DP if applicable) and the API hosts/URLs you specify during configuration.

  • In most cases, connector communication is over port TCP 443. Connectors with unique requirements are shown below.

  • For connectors running on the DP, configure the firewall with the DA IP address for Collect functions and the DL IP address for the Respond functions.

  • For the ports to open on sensors receiving logs from devices on your network, see Log Parser Ports. Also refer to Using the Port Relay Feature to Minimize Open Ports for information on relaying traffic sent to the generic syslog port to its appropriate vendor-specific parser.

| Source | Destination | Port | Protocol | Connector |
| --- | --- | --- | --- | --- |
| NS, SS, MS | AD server and domain specified in connector configuration | AD: 443; LDAP/S: 389 or 636 | TCP | Active Directory |
| SS, NS, MS | Customer configured address | 443, 8834 | TCP | Tenable Nessus Security Center |
| SS, NS, MS | Customer configured address | 3780 (configurable) | TCP | Rapid7 |
| DP | api.barracudanetworks.com | 443 | TCP | Barracuda Email server |