Device-related Ports

These ports need to be opened either on the Central Cluster or the Remote Collector cluster, depending on where the devices are being monitored. For more information, see TOS Aurora Architecture.

For Monitored Devices

Source

Destination

Service / Port

Description

All except CheckPoint, Amazon AWS, Microsoft Azure, OpenStack

Monitored device

  • Syslog VIP

  • External load balancer VIP (cloud deployment)

Syslog <UDP 514> (default) or alternative port as configured

Required if you configure these devices to send syslogs for 'real-time' accountability and usage data

BlueCoat, Cisco IOS-based, Cisco FTD (for dynamic topology only), JuniperOS-based, F5 , ASA, IOS L3 Switch,Nexus, Cisco routers (IOS or IOS XE)

Any node (physical IP)

Monitored device

SSH <TCP 22>

Required when you monitor these devices.

Used to retrieve configuration and usage information from the device

Check Point

Any node (physical IP)

FireWall-1/VPN-1® Management (SmartCenters, Provider-1 CMAs, Smart-1 Cloud, and MDSs)

FW1_ica_pull <TCP 18210>

 

Required when you monitor these devices.

Used to establish trust with the TOS Aurora machine

Check Point

Any node (physical IP)

  • FireWall-1/VPN-1® Management (SmartCenters, Provider-1 CMAs, Smart-1 Cloud, and MDSs)
  • CLM (Check Point log server)

FW1_lea <TCP 18184>

Required if you configure real-time notifications from these devices for policy changes, audit log forwarding or operating system log forwarding

Check Point

Any node (physical IP)

FireWall-1/VPN-1® Management (SmartCenters, Provider-1 CMAs, Smart-1 Cloud, and MDSs)

CPMI <TCP 18190>

Required if you monitor these devices.

Retrieve configuration

Check Point

Any node (physical IP)

FireWall-1/VPN-1® Management (SmartCenters, Provider-1 CMAs, Smart-1 Cloud, and MDSs)

TCP encrypted <TCP 6514>

Required if you monitor these devices.

Retrieve configuration

Check Point

(multi-node implementation)

Any node (physical IP)

FireWall-1/VPN-1® gateway

SNMP <UDP 161> (default) or alternative port as configured

Required if you monitor these devices.

Used to retrieve operating system-level data from monitored Firewall gateways

Note that this is only relevant for deployments made originally on TOS Classic that have been upgraded up to the current release.

Check Point R80.x

Any node (physical IP)

FireWall-1/VPN-1® Management (SmartCenters, Provider-1 CMAs, Smart-1 Cloud, and MDSs)

Management traffic:

HTTPS <TCP 443>

 

Required if you monitor these devices.

Required for Check Point API

Stonesoft

Any node (physical IP)

Stonesoft

StoneSoft <TCP 8082>

Required to retrieve StoneSoft configuration

Juniper NSM

Any node (physical IP)

Juniper NSM

Juniper NSM <TCP 8443>

Required to retrieve Juniper NSM configuration

Fortinet FortiManager

Any node (physical IP)

Fortinet FortiManager

HTTPS <TCP 443>

Required for FortiManager API

Panorama/ Palo Alto

Any node (physical IP)

Monitored Device

HTTPS <TCP 443>

Required to retrieve configuration and usage information from a panorama or Palo Alto device

Amazon AWS, Google GCP, Microsoft Azure

Any node (physical IP)

Public Management API

HTTPS <TCP 443>

Required by Amazon SWF and beanstalk, and by Microsoft Azure

OpenStack

Any node (physical IP)

OpenStack Identity service (keystone)

HTTP, HTTPS <TCP 5000>

Required by OpenStack Keystone for the identity service public endpoint (Note: port is user-configurable in Keystone).

From R23-1, Openstack is EOL and you cannot add new devices. existing devices can still be used.

OpenStack

Any node (physical IP)

OpenStack Networking service (neutron)

HTTP, HTTPS <TCP 9696>

Required by OpenStack Neutron networking.

From R23-1, Openstack is EOL and you cannot add new devices. existing devices can still be used.

OpenStack

Any node (physical IP)

OpenStack Compute service (nova)

HTTP, HTTPS <TCP 8774>

Required by OpenStack Nova for the compute endpoints.

From R23-1, Openstack is EOL and you cannot add new devices. existing devices can still be used.

NSX

Any node (physical IP)

NSX Manager

HTTPS <TCP 443>

Required for NSX REST API

NSX

Any node (physical IP)

vCenter

SSL <TCP 443>

Required for NSX vCenter API

OPM devices

Monitored device

  • Cluster Primary VIP

  • External Load Balancer VIP (cloud deployments)

HTTPS <TCP 9099>

Required if OPM devices are monitored.

Allows cluster to receive data from OPM devices