Firewall Requirements

Several components in the Stellar Cyber product require certain ports and domains be accessible through your firewall. Use the legend and tables below to understand which are appropriate for your environment.

Also see: Log Parser Ports.

Legend

  • CM: Configuration Manager*

  • DA: Data Analyzer*

  • DL: Data Lake*

  • DP: Data Processor

  • LAS: Linux Server (Agent) Sensor

  • MS: Modular Sensor

  • WAS: Windows Server (Agent) Sensor

*Although these are part of the DP, they have unique IP addresses, so they are listed independently in the table below.

General Purpose Ports

| Source | Destination | Port | Protocol | Required? | Purpose |
|---|---|---|---|---|---|
| SSH client | LAS, MS | 22 | TCP | Optional | Management access |
| Sensors | DNS Server (environment specific) | 53 | UDP | Required | Name service for: downloading third-party libraries; support of customer configured Active Directory; CM communication (if CM is by name vs IP) |
| All sensors | NTP Server | 123 | UDP | Required | Performing time synchronization |
| Client web browser | DL | 443 | TCP | Required | Displaying user interface |
| WAS, LAS, MS | <org>.stellarcyber.cloud, dn-<org>.stellarcyber.cloud | 443 | HTTPS with TLS 1.2 | Required | Communicating with the CM. The dn-<org>.stellarcyber.cloud port is used when fast path communications between sensors and the CM are enabled. This happens automatically when either a Sensor CLI session is initiated from the user interface or a response is configured on the sensor. |
| WAS, LAS, MS | receiver-<org>.stellarcyber.cloud | 8889 | TCP (HTTPS with TLS 1.2) | Required | Downloading software and files from the DP, including custom log parsers. |
| WAS, LAS, MS | receiver-<org>.stellarcyber.cloud | 8889 | TCP (HTTPS with TLS 1.2) | Required | Receiver ports for communicating with the DA |
| WAS, LAS, MS | MS with Aggregator Enabled | 6640-6648, 8443, 8888, 8889 | TCP Proxy | Required | Must be open for communications between sensor and aggregator. |

Domains

All of the following domains are required.

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| MS | archive.ubuntu.com, security.ubuntu.com, esm.ubuntu.com, ppa.launchpad.net | 443; 80 (Sensors running 4.3.6 and earlier) | TCP | Software updates. Sensors running 4.3.7 and later no longer require Port 80 for Ubuntu updates; only 443 is required. |
| LAS | For CentOS/Red Hat servers: domains included in the repository configuration files (/etc/yum.repos.d/*.repo); dl.fedoraproject.org; mirrors.fedoraproject.org | Environment specific | TCP | Customer configured port for accessing the OS provider's server (repository) for application updates |
| LAS | For SUSE servers: domains in the repository configuration files /etc/zypp/repos.d/*.repo | Environment specific | TCP | Customer configured port for accessing the OS provider's server (repository) for application updates |
| LAS | For Ubuntu servers: hosts in the Ubuntu /etc/apt/sources.list | Environment specific | TCP | Customer configured port for accessing the OS provider's server (repository) for application updates |
| LAS | launchpadlibrarian.net | 80 | TCP | Software updates |
| LAS | http://download.webmin.com | 80 | TCP | Software updates |
| MS | dl.stellarcyber.ai | 443, 80 | TCP | Downloading files during upgrade |
| Client System | doc-server.stellarcyber.ai | 443 | TCP | Accessing online help from Stellar Cyber documentation server |
| WAS | live.sysinternals.com/sysmon.exe | 443 | TCP | Optional. Domain is required if the customer wants to install feature |
| LAS, MS | pypi.python.org, pypi.org | 443 | TCP | For installation and update of required packages |
| LAS, MS | pythonhosted.org | 443 | TCP | For installation and update of required packages |
| MS | sandbox.stellarcyber.ai | 443 | TCP | (Optional) Domain is required if the customer wants Malware Sandbox capability |
| MS | Environment specific | Environment specific | TCP | (Optional) Customer configured host and port for Tenable vulnerability scanning support |
| Machine with User's Browser | *.oraclecloud.com | 443 | TCP | For download of upgrade packages from Oracle Cloud Infrastructure. |
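A preflight check for the egress rows above, as an added example (not Stellar Cyber code). It expands the `<org>` placeholder, applies the 4.3.6/4.3.7 rule for port 80, and confirms a verified TLS 1.2 or later handshake on the rows the page marks as HTTPS. The function names and the `example-org` tenant are assumptions, only the fixed-hostname TCP rows are transcribed, and the DNS and NTP UDP rows are not probed.

```python
import socket
import ssl

# Rows transcribed from the tables above: (sensor types, host, port, TLS expected).
# TLS is flagged only where the page states "HTTPS with TLS 1.2".
ROWS = [
    ({"WAS", "LAS", "MS"}, "{org}.stellarcyber.cloud", 443, True),
    ({"WAS", "LAS", "MS"}, "dn-{org}.stellarcyber.cloud", 443, True),
    ({"WAS", "LAS", "MS"}, "receiver-{org}.stellarcyber.cloud", 8889, True),
    ({"MS"}, "dl.stellarcyber.ai", 443, False),
    ({"MS"}, "dl.stellarcyber.ai", 80, False),
    ({"LAS", "MS"}, "pypi.org", 443, False),
    ({"LAS", "MS"}, "pypi.python.org", 443, False),
    ({"LAS", "MS"}, "pythonhosted.org", 443, False),
]
UBUNTU_HOSTS = ("archive.ubuntu.com", "security.ubuntu.com",
                "esm.ubuntu.com", "ppa.launchpad.net")

def required_endpoints(sensor, org, version):
    """Return sorted (host, port, tls) tuples this sensor must reach."""
    out = {(h.format(org=org), p, tls) for who, h, p, tls in ROWS if sensor in who}
    if sensor == "MS":
        ports = [443]
        # Port 80 is needed only by sensors running 4.3.6 and earlier.
        if tuple(int(x) for x in version.split(".")) <= (4, 3, 6):
            ports.append(80)
        out |= {(h, p, False) for h in UBUNTU_HOSTS for p in ports}
    return sorted(out)

def probe(host, port, tls, timeout=5.0):
    """Return 'ok', the negotiated TLS version, or 'FAIL: <reason>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if not tls:
                return "ok"
            ctx = ssl.create_default_context()       # verifies chain and hostname
            ctx.minimum_version = ssl.TLSVersion.TLSv1_2
            with ctx.wrap_socket(sock, server_hostname=host) as s:
                return s.version()
    except (OSError, ssl.SSLError) as exc:           # blocked, reset, or intercepted
        return f"FAIL: {exc}"

if __name__ == "__main__":
    # "example-org" is a placeholder tenant name, not a real deployment.
    for host, port, tls in required_endpoints("MS", "example-org", "4.3.7"):
        print(f"{host}:{port:<5} {probe(host, port, tls)}")
```

A certificate verification failure on a TLS row usually means a TLS-inspecting proxy sits in the path rather than a closed port.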

Connector/Parser-specific

In addition to the general requirements above, review the following for your specific connector and parser choices:

  • For any connector, you must also allow access between the sensor (or DP if applicable) and the API hosts/URLs you specify during configuration.

  • In most cases, connector communication is over TCP port 443. Connectors with unique requirements are shown below.

  • For connectors running on the DP, configure the firewall with the DA IP address for Collect functions and the DL IP address for the Respond functions.

  • For the ports to open for sensors receiving logs from devices on your network, see Log Parser Ports. Also, refer to Using the Port Relay Feature to Minimize Open Ports for information on relaying traffic sent to the generic syslog port to its appropriate vendor-specific parser.

| Source | Destination | Port | Protocol | Connector |
|---|---|---|---|---|
| MS | AD Server and domain specified in connector configuration | AD: 443; LDAP/S 389 or 636 | TCP | Active Directory |
| DP | api.barracudanetworks.com | 443 | TCP | Barracuda Email server |