SecureChange Ports and Services

Make sure that these ports and services are open in your organization's firewalls:

| Source | Destination | Service / Port | Description |
|---|---|---|---|
| User access (GUI) | SecureChange (active); SecureChange (standby - for HA) | HTTPS <TCP 443> | User access to webUI |
| Administrator PC | SecureChange (active); SecureChange (standby - for HA) | SSH <TCP 22> | Admin access for maintenance |
| SecureChange (active); SecureChange (standby - for HA) | LDAP server | LDAP <TCP 636>; LDAP over SSL <TCP 3269> | Authenticating users via an LDAP server |
| SecureChange (active); SecureChange (standby - for HA) | SMTP Server | SMTP <TCP 25> | Real-time email alerts and email reports |
| SecureChange (active); SecureChange (standby - for HA) | DNS Server | DNS <UDP 53> | Domain Lookups |
| SecureChange (active); SecureChange (standby - for HA) | NTP Server | NTP <UDP 123> | Network time synchronization |
| SecureChange (active); SecureChange (standby - for HA) | SysLog Server | Syslog <UDP 514> | Real-time notifications on policy changes, audit log forwarding and Operating system log forwarding |
| SNMP Admin | SecureChange (active); SecureChange (standby - for HA) | SNMP <UDP 161>; SNMP <UDP 10161> | SNMP monitoring for TufinOS (161) and Tufin Admin suite (10161). Note: You can configure port 161 for both applications and make port 10161 redundant. |
| SecureChange (active); SecureChange (standby - for HA) | SNMP Server | SNMP-Trap <UDP 162> | Real-time SNMP trap notifications on policy changes |
| SecureTrack Virtual IP; All Distribution Servers | SecureChange Virtual IP | HTTPS <TCP 443> | SecureChange - Ticket authorization, access request designer; SecureApp - Connection status |
| SecureChange | SecureTrack (If Distributed Architecture: Central Management server only) | HTTPS <TCP 443> | Object retrieval, change validation |
| SecureChange (active and standby) | SecureCloud | https://<SecureCloude_account_name>.securecloud.tufin.io; https://securecloud.tufin.io; IP: 34.96.79.176 | The URL is used to connect the SecureChange server to SecureCloud, in an environment where this integration is enabled |
| SecureChange (active and standby) | External repository | The URLs configured in Settings > External Field in: Get security token URL; Get network resources URL | The URL is used to connect SecureChange to an external resources repository web server, in an environment where this integration is enabled |

Internal Communication Ports and Services

The following ports are opened on the server for internal communications:

| Server | Service / Port | Description |
|---|---|---|
| SecureChange (active); SecureChange (standby - for HA) | tomcat <TCP 9888> | Tomcat JMX server connection |
| SecureChange (active); SecureChange (standby - for HA) | tomcat <TCP 10002> | Tomcat JMX server connection |
| SecureChange (active); SecureChange (standby - for HA) | tomcat <TCP 40757> | Random TCP port opened by Java when JMX connection is configured. Note: port changes each service restart |
| SecureChange (active); SecureChange (standby - for HA) | jms <TCP 8072> | jms management web console. |
| (HA only) SecureChange (Active) | SSH <TCP 22>; HA heartbeat <5405-5407>; HTTPS <TCP 443>; MongoDB <TCP 27017, 28017>; PostgreSQL <TCP 5432> | Database, configuration replication and device backup |
| (HA only) SecureChange (standby) | SSH <TCP 22>; HA heartbeat <5405-5407>; HTTPS <TCP 443>; MongoDB <TCP 27017, 28017>; PostgreSQL <TCP 5432> | Database, configuration replication and device backup |

Note: The port range for services can be viewed by displaying the file /proc/sys/net/ipv4/ip_local_port_range. The specific port used by the service will change each time the service is restarted.
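
As an added example (not part of the vendor documentation), the shell function below cross-references listening TCP sockets with the range in /proc/sys/net/ipv4/ip_local_port_range, separating the fixed internal TCP ports in the table above from the JMX port that moves on each restart. The function names, the use of `ss -ltn` output as input, and the sample listener lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: label each listening TCP port as fixed, dynamic or unlisted.
# Usage on the server (assumes the iproute2 `ss` tool is installed):
#   ss -ltn | classify_ports

# Fixed internal TCP ports taken from the table on this page.
# 40757 is omitted on purpose: the page says that port changes on restart.
FIXED_PORTS="22 443 5432 8072 9888 10002 27017 28017"

# classify_ports [RANGE_FILE]
# Reads `ss -ltn`-style lines on stdin (local address:port in column 4)
# and prints "<port> <kind>" once per port, where kind is:
#   fixed    - a documented fixed port from the table
#   dynamic  - inside the kernel's local (ephemeral) port range
#   unlisted - neither; a listener this page does not account for
classify_ports() {
    range_file=${1:-/proc/sys/net/ipv4/ip_local_port_range}
    # The file holds two numbers: the low and high end of the range.
    read -r lo hi < "$range_file" || return 1
    awk -v lo="$lo" -v hi="$hi" -v fixed="$FIXED_PORTS" '
        BEGIN {
            n = split(fixed, f, " ")
            for (i = 1; i <= n; i++) known[f[i]] = 1
        }
        {
            port = $4
            sub(/.*:/, "", port)        # drop the address, keep the port
            # Skip header lines and ports already reported.
            if (port !~ /^[0-9]+$/ || seen[port]++) next
            if (port in known)
                kind = "fixed"
            else if (port + 0 >= lo + 0 && port + 0 <= hi + 0)
                kind = "dynamic"
            else
                kind = "unlisted"
            print port, kind
        }'
}

# Constructed sample input (not captured from a real server).
sample_listeners() { cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 [::]:9888 [::]:*
LISTEN 0 50 [::]:10002 [::]:*
LISTEN 0 50 [::]:40757 [::]:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
EOF
}
```

A port reported as `unlisted` is a listener that neither the table nor the ephemeral range explains and is worth reviewing before firewall rules are finalized.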