Firewall Requirements
Several components in the Stellar Cyber product require certain ports and domains be accessible through your firewall. Use the legend and tables below to understand which are appropriate for your environment.
Also see: Log Parser Ports.
Legend
- CM: Configuration Manager*
- DA: Data Analyzer*
- DL: Data Lake*
- DP: Data Processor
- LAS: Linux Server (Agent) Sensor
- MS: Modular Sensor
- NS: Network Sensor
- SS: Security Sensor
- WAS: Windows Server (Agent) Sensor
*Although these are part of the DP, they have unique IP addresses so are listed independently in the table below.
Ports for Associated Stellar Cyber VMs
When configuring the DP with separate VMs for the DL and DA (or in a cluster with additional worker nodes), all nodes must be in the same VPC and all ports between the nodes must be open in your firewall.
Open All TCP Ports Between Internal Addresses of Associated Stellar Cyber VMs
All TCP ports must be open between the internal network addresses of associated Stellar Cyber VMs, either in a cluster or a standard deployment with separate DL-m and DA-m VMs. For example, in a standard deployment with the DL-m on 172.31.7.0/24 and the DA-m on 172.31.10.0/24, the following rules must exist:
- The DL-m must have a rule that allows all inbound TCP traffic from the 172.31.10.0/24 subnet.
- The DA-m must have a rule that allows all inbound TCP traffic from the 172.31.7.0/24 subnet.
General Purpose Ports
| Source | Destination | Port | Protocol | Required? | Purpose |
|---|---|---|---|---|---|
| SSH client | | 22 | TCP | Optional | Management access |
| DL | Mail Server | 25, 465, 587 | TCP | Optional | Sending system notifications and configured email alerts for ATH rules |
| DA | whois | 43 | TCP | Required for certain alert types | Performing address lookups to a local in-country registrar (actual address varies per geography) |
| | DNS Server (Environment specific) | 53 | UDP | Required | Name service for: |
| DL | OKTA Server (Environment specific) | 80, 443 | TCP | Optional | (Optional) For customer configured OKTA SSO SAML Authentication |
| | NTP Server | 123 | UDP | Required | Performing time synchronization |
| Client web browser | DL | 443 | TCP | Required | Displaying user interface |
| NS, LAS | SS | 4789, 8472 (Environment specific) | UDP | Required | VXLAN packet forwarding |
| NS | SS | 5123 | TCP | Required | Local file assembly over HTTPS |
| WAS, LAS, | DL | 6640-6648 | TCP with TLS 1.2 | Required | Communicating with the CM. |
| WAS, LAS, | DL | | TCP (HTTPS with TLS 1.2) | Required | Downloading software and files from the DP, including custom log parsers. |
| WAS, LAS, | DA | | TCP (HTTPS with TLS 1.2) | Required | Receiver ports for communicating with the DA |
| WAS, LAS, | MS with Aggregator Enabled | 6640-6648, 8443, 8888, 8889 | TCP Proxy | Required | Must be open for communications between sensor and aggregator. |
Domains
All of the following domains are required.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| DL, DA | privateregistry.stellarcyber.ai (previously 50.220.129.169) | 443 | TCP | Private docker registry server for software updates. Note: Because there are numerous stellarcyber.ai subdomains, you may find it simpler to open *.stellarcyber.ai. |
| DL, DA | acps.stellarcyber.ai | 443 | TCP | Downloading software installers/metarepo, IOC feed, IDS signature update and license validation |
| | archive.ubuntu.com, security.ubuntu.com, esm.ubuntu.com, ppa.launchpad.net | 443, 80 | TCP | Software updates. |
| LAS | For centos/redhat servers: | Environment specific | TCP | Customer configured port for accessing the OS provider's server (repository) for application updates |
| LAS | For SUSE servers: | Environment specific | TCP | Customer configured port for accessing the OS provider's server (repository) for application updates |
| LAS | For Ubuntu servers: | Environment specific | TCP | Customer configured port for accessing the OS provider's server (repository) for application updates |
| LAS | launchpadlibrarian.net | 80 | TCP | Software updates |
| LAS | http://download.webmin.com | 80 | TCP | Software updates |
| | dl.stellarcyber.ai | 443, 80 | TCP | Downloading files during upgrade |
| Client System | doc-server.stellarcyber.ai | 443 | TCP | Accessing online help from Stellar Cyber documentation server |
| Client System | amazonaws.com | 443 | TCP | Accessing the Product Roadmap portal from Stellar Cyber user interface. |
| DL, DA | docker.com, *.docker.com, docker.io, *.docker.io | 443 | TCP | Software updates. As indicated, also include all subdomains of docker.com and docker.io. If the private registry is enabled, then this domain is optional. |
| DL, DA | k8s.gcr.io, registry.k8s.io, prod-registry-k8s-io-eu-central-1.s3.dualstack.eu-central-1.amazonaws.com | 443 | TCP | Downloading updated container images from the Kubernetes registry. The k8s.gcr.io domain is the legacy registry and is migrating to registry.k8s.io in Kubernetes 1.25. The *amazonaws.com domain is an AWS S3 bucket used to optimize the delivery of container images in the EU based on geographic proximity. |
| WAS | live.sysinternals.com/sysmon.exe | 443 | TCP | Optional. Domain is required if the customer wants to install feature |
| LAS, | pypi.python.org, pypi.org | 443 | TCP | For installation and update of required packages |
| LAS, | pythonhosted.org | 443 | TCP | For installation and update of required packages |
| | sandbox.stellarcyber.ai | 443 | TCP | (Optional) Domain is required if the customer wants Malware Sandbox capability |
| MS | Environment specific | Environment specific | TCP | (Optional) Customer configured host and port for Tenable vulnerability scanning support |
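After opening the egress rules above, it is worth confirming from the component that will originate the traffic (DL, DA, LAS, WAS) that each host and port is actually reachable, so that a blocked update or feed path is found before it shows up as a failed upgrade or stale IOC feed. The script below is an added example and is not Stellar Cyber tooling: it encodes a subset of the Domains table as data and attempts a plain TCP connect to each host:port with a short timeout. The `EgressRule` type, the `REQUIRED_EGRESS` subset and the function names are assumptions of this example; rows whose host or port is "Environment specific" are left out because there is nothing concrete to test.

```python
"""Egress reachability check for rows of the Domains table.

Added example, not Stellar Cyber tooling: it encodes a subset of the
table as data and tries a plain TCP connect to each host:port with a
short timeout, so a firewall change can be verified from the host that
will originate the traffic. No TLS handshake and no application data
are sent; a completed handshake only shows the path is open, not that
the remote service behaves correctly.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

Connect = Callable[[str, int], bool]


@dataclass(frozen=True)
class EgressRule:
    source: str              # component(s) that originate the traffic, as in the table
    destination: str         # hostname from the Domains table
    ports: Tuple[int, ...]   # TCP ports listed for that destination
    purpose: str


# Subset of the Domains table above (constructed selection for this example).
# Rows whose host or port is "Environment specific" are omitted.
REQUIRED_EGRESS: Tuple[EgressRule, ...] = (
    EgressRule("DL, DA", "privateregistry.stellarcyber.ai", (443,), "private docker registry"),
    EgressRule("DL, DA", "acps.stellarcyber.ai", (443,), "installers, IOC feed, IDS signatures, license"),
    EgressRule("DL, DA", "dl.stellarcyber.ai", (443, 80), "files during upgrade"),
    EgressRule("LAS", "pypi.org", (443,), "Python package installation"),
    EgressRule("WAS", "live.sysinternals.com", (443,), "Sysmon download (optional)"),
)


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    DNS failures, refused connections and timeouts all surface as OSError
    and are reported as "not reachable".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_rules(rules: Iterable[EgressRule], connect: Connect = tcp_connect) -> Dict[Tuple[str, int], bool]:
    """Map every (host, port) named by the rules to whether it was reachable.

    `connect` is injectable so the logic can be exercised without network access.
    """
    results: Dict[Tuple[str, int], bool] = {}
    for rule in rules:
        for port in rule.ports:
            results[(rule.destination, port)] = connect(rule.destination, port)
    return results


def blocked(results: Dict[Tuple[str, int], bool]) -> List[Tuple[str, int]]:
    """Return the sorted (host, port) pairs that could not be reached."""
    return sorted(pair for pair, ok in results.items() if not ok)


def report(rules: Iterable[EgressRule], connect: Connect = tcp_connect) -> str:
    """Render one line per host:port, flagging blocked paths for the firewall owner."""
    rules = tuple(rules)
    results = check_rules(rules, connect)
    lines = []
    for rule in rules:
        for port in rule.ports:
            state = "open" if results[(rule.destination, port)] else "BLOCKED"
            lines.append(f"{state:<8}{rule.source:<8} -> {rule.destination}:{port}  ({rule.purpose})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(REQUIRED_EGRESS))
```

Run it on the DL or DA host itself rather than from an administrator's workstation: the rules in the table are keyed to the source component, and a path that is open from a laptop may still be closed for the appliance subnet. Keep the timeout short so a silently dropping firewall (no RST) does not stall the whole run.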
Data Sinks & Backups
The indicated ports are required to use the associated feature.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| STORAGE | | | | |
| DL | | 22 | TCP | SCP backups |
| DL | | 443 | TCP | AWS S3 storage |
| DL | | usually 2049 or 111 | TCP or UDP | NFS storage |
| DL | | 443 | TCP | Azure Blob |
| DL | | 443 | TCP | Oracle (OCI) |
| DATA SINKS | | | | |
| DL, DA | | 443 | TCP | AWS S3 |
| DL, DA | | 8088 | TCP | Splunk |
| DL, DA | | 9092 | TCP | Kafka |
| DL, DA | | 9300 | TCP | Elasticsearch |
| DL, DA | | 443 | TCP | Azure Blob |
| DL, DA | | usually 2049 or 111 | TCP or UDP | NFS |
| DL, DA | | 443 | TCP | Google (GCP) cloud storage bucket |
Connector/Parser-specific
In addition to the general requirements above, review the following for your specific connector and parser choices:
- For any connector, you must also allow access between the sensor (or DP if applicable) and the API hosts/URLs you specify during configuration.
- In most cases, connector communication is over TCP port 443. Connectors with unique requirements are shown below.
- For connectors running on the DP, configure the firewall with the DA IP address for Collect functions and the DL IP address for Respond functions.
- For the ports to open for sensors receiving logs from devices on your network, see Log Parser Ports. Also, refer to Using the Port Relay Feature to Minimize Open Ports for information on relaying traffic sent to the generic syslog port to its appropriate vendor-specific parser.
| Source | Destination | Port | Protocol | Connector |
|---|---|---|---|---|
| | | AD: 443; LDAP/S: 389 or 636 | TCP | |
| SS, NS, MS | | 443, 8834 | TCP | |
| SS, NS, MS | | 3780 (Configurable) | TCP | |
| DP | api.barracudanetworks.com | 443 | TCP | |