SecureTrack Ports and Services
SecureTrack needs your organization's firewalls to allow access to the following ports and services:
General Ports and Services
| Source | Destination | Service / Port | Description |
|---|---|---|---|
| User access (GUI) | | HTTPS <TCP 443> | User access to web UI |
| Administrator PC | | SSH <TCP 22> | Admin access for maintenance |
| | SMTP Server | SMTP <TCP 25> | Real-time email alerts and email reports. Note: Port 25 is the default for SMTP. |
| | DNS Server | DNS <UDP 53> | Domain lookups |
| | NTP Server | NTP <UDP 123> | Network time synchronization |
| | SysLog Server | Syslog <UDP 514> | Real-time notifications on policy changes, audit log forwarding and operating system log forwarding |
| | LDAP server | LDAP <TCP 389>; LDAP over SSL <TCP 636>; LDAP global catalog <TCP 3268>; LDAP global catalog over SSL <TCP 3269> | Authenticating users via an LDAP server |
| | TACACS Server | TACACS | Authenticating users via a TACACS server |
| | RADIUS server | RADIUS | Authenticating users via a RADIUS server |
| SNMP Management | | SNMP <UDP 161>; SNMP <UDP 10161> | SNMP monitoring for TufinOS (161) and Tufin Admin suite (10161). Note: You can configure port 161 for both applications and make port 10161 redundant. |
| | SNMP Management | SNMP-Trap <UDP 162> | Real-time SNMP trap notifications on policy changes |
| Admin PC (for RMM) | RMM network card address of Tufin appliance | Web GUI <TCP 80> or <TCP 443> (SSL certificate upload available); Unencrypted: KVM <TCP 7578>, CDROM <TCP 5120>, USB <TCP 5123>; Encrypted (AES/RC4/Stunnel): KVM <TCP 7582>, CDROM <TCP 5124>, USB <TCP 5127> | Admin access for maintenance |
Device Ports and Services
| For Monitored Devices | Source | Destination | Service / Port | Description |
|---|---|---|---|---|
| All (except Check Point, Amazon AWS, Microsoft Azure, OpenStack) | Monitored device | | Syslog <UDP 514> | For real-time full accountability; usage data |
| All (except Check Point, Amazon AWS, Microsoft Azure, OpenStack) | | Monitored device | SSH <TCP 22>; Telnet <TCP 23> | Used to retrieve configuration and usage information from the device |
| Check Point | | FireWall-1/VPN-1® Management (SmartCenters, Provider-1 CMAs and MDSs) | FW1_ica_pull <TCP 18210> | Used to establish trust with the TOS Classic machine |
| Check Point | | | FW1_lea <TCP 18184> | Real-time notifications on policy changes, audit log forwarding and operating system log forwarding |
| Check Point | | FireWall-1/VPN-1® Management (SmartCenters, Provider-1 CMAs and MDSs) | CPMI <TCP 18190> | Retrieve configuration |
| Check Point | | FireWall-1/VPN-1® gateway | SNMP <UDP 161> | Used to retrieve operating system-level data from monitored firewall gateways |
| Check Point R80.x | | FireWall-1/VPN-1® Management (SmartCenters, Provider-1 CMAs and MDSs) | Management traffic: | Required for Check Point API |
| Check Point R77.x | Management (SmartCenters, Provider-1 CMAs and MDSs) | | Encrypted syslog: | Required when working with Check Point encrypted syslogs. Note: Port 6514 is the default. This port ID can be modified. |
| Stonesoft | | Stonesoft | StoneSoft <TCP 8082> | Retrieve StoneSoft configuration |
| Juniper NSM | | Juniper NSM | Juniper NSM <TCP 8443> | Retrieve Juniper NSM configuration |
| Fortinet FortiManager | | Fortinet FortiManager | HTTPS <TCP 443> | Required for FortiManager API |
| Panorama / Palo Alto | Distribution Servers, Remote Collectors, Central Server (active), Central Server (standby, for HA) | Monitored Device | HTTPS <TCP 443> | Used to retrieve configuration and usage information from a Panorama or Palo Alto device |
| Amazon AWS, Microsoft Azure | | Public Management API | HTTPS <TCP 443> | Required by Amazon SWF and Beanstalk, and by Microsoft Azure |
| OpenStack | | OpenStack Identity service (keystone) | HTTP, HTTPS <TCP 5000> | Required by OpenStack Keystone for the identity service public endpoint. Note: the port is user-configurable in Keystone. |
| OpenStack | | OpenStack Networking service (neutron) | HTTP, HTTPS <TCP 9696> | Required by OpenStack Neutron networking |
| OpenStack | | OpenStack Compute service (nova) | HTTP, HTTPS <TCP 8774> | Required by OpenStack Nova for the compute endpoints |
| NSX | | NSX Manager | HTTPS <TCP 443> | Required for NSX REST API |
| NSX-V | | vCenter | SSL <TCP 443> | Required for NSX vCenter API |
| ACI | | APIC | HTTPS <TCP 443> | Required for ACI REST API |
Distributed Architecture Ports and Services
For a Distributed Architecture configuration, in addition to the ports listed in the general ports and services section, the following additional ports and services must be open:
| For Monitored Devices | Source | Destination | Service / Port | Description |
|---|---|---|---|---|
| All | | TOS Classic Central server Virtual IP | HTTPS <TCP 443> | Validation of Central server certificate |
| All | | | HTTPS <TCP 443> | Required for both initial setup and to forward user requests for information |
| All | | TOS Classic Central server Virtual IP | JMS <TCP 61617> | JMS connection |
| All | Distribution Servers | TOS Classic Central server Virtual IP | Stunnel <TCP 10443> | Stunnel database connection |
High Availability Ports and Services
For a High Availability (HA) configuration, in addition to the ports listed in the general ports and services section, the following additional ports and services must be open for bidirectional communication between the two HA servers:
| For Monitored Devices | Source | Destination | Service / Port | Description |
|---|---|---|---|---|
| All | Automatic Failover: TOS Classic (active) | TOS Classic (standby) | Management traffic: ; Database replication traffic: ; HA heartbeat traffic: <5405-5407> | Database, configuration replication and device backup |
| All | Automatic Failover: TOS Classic (standby) | TOS Classic (active) | Management traffic: ; Database replication traffic: ; HA heartbeat traffic: <5405-5407> | Database, configuration replication and device backup |
| All | Manual Failover: TOS Classic (active) | TOS Classic (standby) | Management traffic: ; Database replication traffic: | Database, configuration replication and device backup |
| All | Manual Failover: TOS Classic (standby) | TOS Classic (active) | Management traffic: ; Database replication traffic: | Database, configuration replication and device backup |
| All | TOS Classic (active) | TOS Classic (standby) | Pacemaker node management: | Pacemaker node management interconnect. |
Internal Communication Ports and Services
The following ports are opened on the server for internal communications:
| Server | Service / Port | Description |
|---|---|---|
| TOS Classic | tufin-jobs <TCP 8084> | Tufin-jobs Remote Collector management |
| TOS Classic | tufin-jobs <TCP 8085> | Tufin-jobs HTTP connection |
| TOS Classic | tufin-jobs <TCP 9889> | Tufin-jobs JMX server connection |
| TOS Classic | tufin-jobs <TCP 10003> | Tufin-jobs JMX server connection |
| TOS Classic | tufin-jobs <TCP port changes each service restart> | Random TCP port opened by Java when JMX connection is configured. Note: port changes each service restart. |
| TOS Classic | tufin-jobs <UDP port changes each service restart> | Random UDP port used to send syslogs to a syslog server. Note: port changes each service restart. |
| TOS Classic | jms <TCP port changes each service restart> | Random TCP port opened by Java when JMX connection is configured. Note: port changes each service restart. |
| TOS Classic | tomcat <TCP 8080> | Tomcat HTTP connection |
| TOS Classic | tomcat <TCP 9888> | Tomcat JMX server connection |
| TOS Classic | tomcat <TCP 10002> | Tomcat JMX server connection |
| TOS Classic | tomcat <TCP port changes each service restart> | Random TCP port opened by Java when JMX connection is configured. Note: port changes each service restart. |
| TOS Classic | tomcat <UDP 56374> | Random UDP port used to send syslogs to a syslog server. Note: port changes each service restart. |
| | Device Communication Service <TCP 8091> | Device Communication Service API running on the local server |
| | FQDN Cache Service <TCP 8094> | FQDN Cache Service API running on the local server |
| Central Server (for HA, primary server) | LDAP Cache Service <TCP 8092> | LDAP Cache Service API running on the local server |
| Central Server (for HA, primary server) | Commit Manager Service <TCP 8093> | Commit Manager Service API running on the local server |
| TOS Classic | keycloak <TCP 9009> | Keycloak AJP connection |
| TOS Classic | keycloak <TCP 9080> | Keycloak HTTP connection |
| TOS Classic | keycloak <TCP 9990> | Keycloak HTTP connection |
| TOS Classic | NGINX <TCP 10514> | Listening on localhost for unencrypted syslogs |
Note: The random ports listed above are allocated from the ephemeral range defined in /proc/sys/net/ipv4/ip_local_port_range. The specific port used by the service will change each time the service is restarted.
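Because the internal table mixes fixed ports with random ones that move on every restart, a host-level audit cannot simply compare `ss` output against a static allowlist. The following script is an added example, not Tufin's own tooling: it uses the fixed ports from the tables on this page as the documented baseline, treats ports inside the kernel's `ip_local_port_range` as expected only when owned by Java (the page attributes the random ports to Java services; the process-name rule is this example's assumption), flags everything else as unexpected, and checks that the NGINX 10514 listener, documented as localhost-only, is really bound to loopback. The `ss` output and the port-range file content are constructed samples embedded inline so the example runs offline.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Fixed ports documented on this page for the TOS Classic host (proto, port) -> purpose.
DOCUMENTED_PORTS: Dict[Tuple[str, int], str] = {
    ("tcp", 443): "HTTPS web UI",
    ("tcp", 22): "SSH admin access",
    ("tcp", 8084): "tufin-jobs Remote Collector management",
    ("tcp", 8085): "tufin-jobs HTTP",
    ("tcp", 9889): "tufin-jobs JMX",
    ("tcp", 10003): "tufin-jobs JMX",
    ("tcp", 8080): "tomcat HTTP",
    ("tcp", 9888): "tomcat JMX",
    ("tcp", 10002): "tomcat JMX",
    ("tcp", 8091): "Device Communication Service API",
    ("tcp", 8094): "FQDN Cache Service API",
    ("tcp", 8092): "LDAP Cache Service API",
    ("tcp", 8093): "Commit Manager Service API",
    ("tcp", 9009): "keycloak AJP",
    ("tcp", 9080): "keycloak HTTP",
    ("tcp", 9990): "keycloak HTTP",
    ("tcp", 10514): "NGINX unencrypted syslog (localhost only)",
}
# Documented as listening on localhost; anything else is an exposure worth flagging.
LOOPBACK_ONLY = {("tcp", 10514)}
# Assumption of this example: the page's random ports are opened by Java services.
EPHEMERAL_OWNERS = {"java"}
LOOPBACK_ADDRS = {"127.0.0.1", "[::1]"}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: Optional[str]


# Matches one line of `ss -H -ltnup`: Netid State Recv-Q Send-Q Local:Port Peer:Port [Process]
SS_LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output: str) -> List[Listener]:
    """Parse ss output into Listener records; non-matching lines (e.g. headers) are skipped."""
    listeners = []
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            listeners.append(Listener(m["proto"], m["addr"], int(m["port"]), m["proc"]))
    return listeners


def parse_port_range(text: str) -> Tuple[int, int]:
    """Parse the two integers found in /proc/sys/net/ipv4/ip_local_port_range."""
    lo, hi = (int(x) for x in text.split())
    return lo, hi


def audit(ss_output: str, port_range_text: str) -> Dict[str, List[Listener]]:
    """Classify listeners as documented, ephemeral (Java-owned, in range), or unexpected,
    and separately list documented loopback-only services bound to a non-loopback address."""
    lo, hi = parse_port_range(port_range_text)
    result: Dict[str, List[Listener]] = {"documented": [], "ephemeral": [], "unexpected": [], "exposed": []}
    for lst in parse_ss(ss_output):
        key = (lst.proto, lst.port)
        if key in DOCUMENTED_PORTS:
            result["documented"].append(lst)
            if key in LOOPBACK_ONLY and lst.addr not in LOOPBACK_ADDRS:
                result["exposed"].append(lst)
        elif lo <= lst.port <= hi and lst.process in EPHEMERAL_OWNERS:
            result["ephemeral"].append(lst)
        else:
            result["unexpected"].append(lst)
    return result


# Constructed sample of `ss -H -ltnup` output; not captured from a real system.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*   users:(("java",pid=1234,fd=55))
tcp   LISTEN 0      128    127.0.0.1:10514    0.0.0.0:*   users:(("nginx",pid=900,fd=7))
tcp   LISTEN 0      128    0.0.0.0:44821      0.0.0.0:*   users:(("java",pid=1234,fd=61))
udp   UNCONN 0      0      0.0.0.0:56374      0.0.0.0:*   users:(("java",pid=1235,fd=60))
tcp   LISTEN 0      128    [::]:4444          [::]:*      users:(("unknown-proc",pid=4242,fd=3))
"""
# Constructed sample of the default Linux ephemeral range file content.
SAMPLE_PORT_RANGE = "32768\t60999\n"

if __name__ == "__main__":
    for category, items in audit(SAMPLE_SS_OUTPUT, SAMPLE_PORT_RANGE).items():
        for lst in items:
            print(f"{category:10s} {lst.proto}/{lst.port:<6} {lst.addr:12s} {lst.process}")
```

On a real host, replace the two constructed strings with the output of `ss -H -ltnup` and the contents of `/proc/sys/net/ipv4/ip_local_port_range`. An "unexpected" entry is a listener neither documented here nor explainable as a Java ephemeral port; an "exposed" entry means the localhost-only syslog listener on 10514 is reachable from the network and the host firewall or NGINX bind address should be reviewed.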