Firewall Requirements
Several components in the Stellar Cyber product require that certain ports and domains be accessible through your firewall. Use the legend and tables below to understand which are appropriate for your environment.
Also see: Log Parser Ports.
Legend
- CM: Configuration Manager*
- DA: Data Analyzer*
- DL: Data Lake*
- DP: Data Processor
- LAS: Linux Server (Agent) Sensor
- MS: Modular Sensor
- WAS: Windows Server (Agent) Sensor
*Although these are part of the DP, they have unique IP addresses so are listed independently in the table below.
General Purpose Ports
| Source | Destination | Port | Protocol | Required? | Purpose |
|---|---|---|---|---|---|
| SSH client | LAS, MS | 22 | TCP | Optional | Management access |
| Sensors | DNS Server Environment specific | 53 | UDP | Required | Name service for: |
| All sensors | NTP Server | 123 | UDP | Required | Performing time synchronization |
| Client web browser | DL | 443 | TCP | Required | Displaying user interface |
| WAS, LAS, MS | <org>.stellarcyber.cloud dn-<org>.stellarcyber.cloud | 443 | HTTPS with TLS 1.2 | Required | Communicating with the CM. The dn-<org>.stellarcyber.cloud port is used when fast path communications between sensors and the CM are enabled. This happens automatically when either a Sensor CLI session is initiated from the user interface or a response is configured on the sensor. |
| WAS, LAS, MS | receiver-<org>.stellarcyber.cloud | 8889 | TCP (HTTPS with TLS 1.2) | Required | Downloading software and files from the DP, including custom log parsers. |
| WAS, LAS, MS | receiver-<org>.stellarcyber.cloud | 8889 | TCP (HTTPS with TLS 1.2) | Required | Receiver ports for communicating with the DA |
| WAS, LAS, MS | MS with Aggregator Enabled | 8080 | HTTP Proxy | Required | Must be open for communications between sensor and aggregator. |
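An added example (not Stellar Cyber code): a Python check that compares an egress allowlist against the sensor-to-platform rows of the table above and reports required flows that are blocked or are permitted only by an over-broad rule. The rule tuple format, the `audit` function and the org name `acme` are assumptions made for illustration.

```python
from fnmatch import fnmatch

# Required sensor (WAS, LAS, MS) flows from the General Purpose Ports table.
# "{org}" stands in for the page's <org> placeholder; HTTPS is carried over TCP.
REQUIRED = [
    ("{org}.stellarcyber.cloud", 443, "tcp"),
    ("dn-{org}.stellarcyber.cloud", 443, "tcp"),
    ("receiver-{org}.stellarcyber.cloud", 8889, "tcp"),
]

def audit(allow_rules, org):
    """Return (missing, broad) for an egress allowlist.

    allow_rules: iterable of (host_pattern, ports, proto). host_pattern may use
    shell-style wildcards; ports is a set of ints, or None for "any port".
    missing: required flows that no rule permits.
    broad:   required flows permitted only by a bare "*" host or any-port rule.
    """
    missing, broad = [], []
    for host_template, port, proto in REQUIRED:
        host = host_template.format(org=org)
        hits = [r for r in allow_rules
                if r[2] == proto and fnmatch(host, r[0].lower())
                and (r[1] is None or port in r[1])]
        if not hits:
            missing.append((host, port, proto))
        elif all(r[0] == "*" or r[1] is None for r in hits):
            broad.append((host, port, proto))
    return missing, broad

# Constructed sample allowlist for a hypothetical org named "acme".
SAMPLE_RULES = [
    ("acme.stellarcyber.cloud", {443}, "tcp"),
    ("*", {8889}, "tcp"),                      # any destination on 8889
    ("archive.ubuntu.com", {80, 443}, "tcp"),
]

if __name__ == "__main__":
    missing, broad = audit(SAMPLE_RULES, "acme")
    for flow in missing:
        print("BLOCKED  %s:%d/%s" % flow)
    for flow in broad:
        print("TOO WIDE %s:%d/%s" % flow)
```
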
Domains
All of the following domains are required.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| MS | archive.ubuntu.com security.ubuntu.com esm.ubuntu.com ppa.launchpad.net | 443 80 | TCP | Software updates. |
| LAS | For centos/redhat servers: | Environment specific | TCP | Customer configured port for accessing the OS provider's server (repository) for application updates |
| LAS | For SUSE servers: | Environment specific | TCP | Customer configured port for accessing the OS provider's server (repository) for application updates |
| LAS | For Ubuntu servers: | Environment specific | TCP | Customer configured port for accessing the OS provider's server (repository) for application updates |
| LAS | launchpadlibrarian.net | 80 | TCP | Software updates |
| LAS | http://download.webmin.com | 80 | TCP | Software updates |
| MS | dl.stellarcyber.ai | 443, 80 | TCP | Downloading files during upgrade |
| Client System | doc-server.stellarcyber.ai | 443 | TCP | Accessing online help from Stellar Cyber documentation server |
| WAS | live.sysinternals.com/sysmon.exe | 443 | TCP | Optional. Domain is required if the customer wants to install feature |
| LAS, MS | pypi.python.org pypi.org | 443 | TCP | For installation and update of required packages |
| LAS, MS | pythonhosted.org | 443 | TCP | For installation and update of required packages |
| MS | sandbox.stellarcyber.ai | 443 | TCP | (Optional) Domain is required if the customer wants Malware Sandbox capability |
| MS | Environment specific | Environment specific | TCP | (Optional) Customer configured host and port for Tenable vulnerability scanning support |
| Machine with User's Browser | *.oraclecloud.com | 443 | TCP | For download of upgrade packages from Oracle Cloud Infrastructure. |
Connector/Parser-specific
In addition to the general requirements above, review the following for your specific connector and parser choices:
- For any connector, you must also allow access between the sensor (or DP if applicable) and the API hosts/URLs you specify during configuration.
- In most cases, connector communication is over TCP port 443. Connectors with unique requirements are shown below.
- For connectors running on the DP, configure the firewall with the DA IP address for Collect functions and the DL IP address for the Respond functions.
- For the ports to open for sensors receiving logs from devices on your network, see Log Parser Ports. Also, refer to Using the Port Relay Feature to Minimize Open Ports for information on relaying traffic sent to the generic syslog port to its appropriate vendor-specific parser.
| Source | Destination | Port | Protocol | Connector |
|---|---|---|---|---|
| MS | AD: 443 LDAP/S 389 or 636 | TCP | | |
| DP | api.barracudanetworks.com | 443 | TCP |