SecureTrack Ports and Services

SecureTrack needs your organization's firewalls to allow access to the following ports and services:

General Ports and Services

| Source | Destination | Service / Port | Description |
|---|---|---|---|
| User access (GUI) | TOS Classic (active); TOS Classic (standby - for HA); SecureTrack VIP | HTTPS <TCP 443> | User access to the web UI |
| Administrator PC | TOS Classic (active); TOS Classic (standby - for HA); Distribution Servers; Remote Collectors | SSH <TCP 22> | Admin access for maintenance |
| TOS Classic (active); TOS Classic (standby - for HA); Central Server; Distribution Servers | SMTP Server | SMTP <TCP 25> | Real-time email alerts and email reports. Note: Port 25 is the default for SMTP. |
| TOS Classic (active); TOS Classic (standby - for HA); Distribution Servers; Remote Collectors | DNS Server | DNS <UDP 53> | Domain lookups |
| TOS Classic (active); TOS Classic (standby - for HA); Distribution Servers; Remote Collectors | NTP Server | NTP <UDP 123> | Network time synchronization |
| TOS Classic (active); TOS Classic (standby - for HA); Distribution Servers; Remote Collectors | Syslog Server | Syslog <UDP 514> | Real-time notifications on policy changes, audit log forwarding and operating system log forwarding |
| TOS Classic (active); TOS Classic (standby - for HA) | LDAP server | LDAP <TCP 389>; LDAP over SSL <TCP 636>; LDAP global catalog <TCP 3268>; LDAP global catalog over SSL <TCP 3269> | Authenticating users via an LDAP server |
| TOS Classic (active); TOS Classic (standby - for HA) | TACACS Server | TACACS <TCP 49> | Authenticating users via a TACACS server |
| TOS Classic (active); TOS Classic (standby - for HA) | RADIUS server | RADIUS <UDP 1812> | Authenticating users via a RADIUS server |
| SNMP Management | TOS Classic (active); TOS Classic (standby - for HA); Distribution Servers; Remote Collectors | SNMP <UDP 161>; SNMP <UDP 10161> | SNMP monitoring for TufinOS (161) and Tufin Admin suite (10161). Note: You can configure port 161 for both applications and make port 10161 redundant. |
| TOS Classic (active); TOS Classic (standby - for HA); Distribution Servers; Remote Collectors | SNMP Management | SNMP-Trap <UDP 162> | Real-time SNMP trap notifications on policy changes |
| Admin PC (for RMM) | RMM network card address of Tufin appliance | Web GUI <TCP 80> or <TCP 443> (SSL certificate upload available); Unencrypted: KVM <TCP 7578>, CDROM <TCP 5120>, USB <TCP 5123>; Encrypted (AES/RC4/Stunnel): KVM <TCP 7582>, CDROM <TCP 5124>, USB <TCP 5127> | Admin access for maintenance |

Device Ports and Services

| For Monitored Devices | Source | Destination | Service / Port | Description |
|---|---|---|---|---|
| All (except Check Point, Amazon AWS, Microsoft Azure, OpenStack) | Monitored device | Distribution Servers; Remote Collectors; Central Server Virtual IP | Syslog <UDP 514> | For real-time full accountability; usage data |
| All (except Check Point, Amazon AWS, Microsoft Azure, OpenStack) | Distribution Servers; Remote Collectors; Central Server (active); Central Server (standby - for HA) | Monitored device | SSH <TCP 22>; Telnet <TCP 23> | Used to retrieve configuration and usage information from the device |
| Check Point | Distribution Servers; Remote Collectors; Central Server Virtual IP; Central Server (active); Central Server (standby - for HA) | FireWall-1/VPN-1® Management (SmartCenters, Provider-1 CMAs and MDSs) | FW1_ica_pull <TCP 18210> | Used to establish trust with the TOS Classic machine |
| Check Point | Distribution Servers; Remote Collectors; Central Server Virtual IP; Central Server (active); Central Server (standby - for HA) | FireWall-1/VPN-1® Management (SmartCenters, Provider-1 CMAs and MDSs); CLM (Check Point log server) | FW1_lea <TCP 18184> | Real-time notifications on policy changes, audit log forwarding and operating system log forwarding |
| Check Point | Distribution Servers; Remote Collectors; Central Server Virtual IP; Central Server (active); Central Server (standby - for HA) | FireWall-1/VPN-1® Management (SmartCenters, Provider-1 CMAs and MDSs) | CPMI <TCP 18190> | Retrieve configuration |
| Check Point | Distribution Servers; Remote Collectors | FireWall-1/VPN-1® gateway | SNMP <UDP 161> | Used to retrieve operating system-level data from monitored firewall gateways |
| Check Point R80.x | Distribution Servers; Remote Collectors; Central Server Virtual IP; Central Server (active); Central Server (standby - for HA) | FireWall-1/VPN-1® Management (SmartCenters, Provider-1 CMAs and MDSs) | Management traffic: HTTPS <TCP 443> | Required for Check Point API |
| Check Point R77.x | Management (SmartCenters, Provider-1 CMAs and MDSs) | Distribution Servers; Remote Collectors; Central Server Virtual IP | Encrypted syslog: <TCP 6514> | Required when working with Check Point encrypted syslogs. Note: Port 6514 is the default; this port can be modified. |
| Stonesoft | Distribution Servers; Remote Collectors; Central Server Virtual IP | Stonesoft | StoneSoft <TCP 8082> | Retrieve StoneSoft configuration |
| Juniper NSM | Distribution Servers; Remote Collectors; Central Server Virtual IP | Juniper NSM | Juniper NSM <TCP 8443> | Retrieve Juniper NSM configuration |
| Fortinet FortiManager | Distribution Servers; Remote Collectors; Central Server (active); Central Server (standby - for HA) | Fortinet FortiManager | HTTPS <TCP 443> | Required for FortiManager API |
| Panorama / Palo Alto | Distribution Servers; Remote Collectors; Central Server (active); Central Server (standby - for HA) | Monitored device | HTTPS <TCP 443> | Used to retrieve configuration and usage information from a Panorama or Palo Alto device |
| Amazon AWS, Microsoft Azure | Distribution Servers; Remote Collectors; Central Server (active); Central Server (standby - for HA) | Public Management API | HTTPS <TCP 443> | Required by Amazon SWF and Beanstalk, and by Microsoft Azure |
| OpenStack | Distribution Servers; Remote Collectors; Central Server (active); Central Server (standby - for HA) | OpenStack Identity service (keystone) | HTTP, HTTPS <TCP 5000> | Required by OpenStack Keystone for the identity service public endpoint (Note: the port is user-configurable in Keystone) |
| OpenStack | Distribution Servers; Remote Collectors; Central Server (active); Central Server (standby - for HA) | OpenStack Networking service (neutron) | HTTP, HTTPS <TCP 9696> | Required by OpenStack Neutron networking |
| OpenStack | Distribution Servers; Remote Collectors; Central Server (active); Central Server (standby - for HA) | OpenStack Compute service (nova) | HTTP, HTTPS <TCP 8774> | Required by OpenStack Nova for the compute endpoints |
| NSX | Distribution Servers; Remote Collectors; Central Server (active); Central Server (standby - for HA) | NSX Manager | HTTPS <TCP 443> | Required for NSX REST API |
| NSX-V | Distribution Servers; Remote Collectors; Central Server (active); Central Server (standby - for HA) | vCenter | SSL <TCP 443> | Required for NSX vCenter API |
| ACI | Distribution Servers; Remote Collectors; Central Server (active); Central Server (standby - for HA) | APIC | HTTPS <TCP 443> | Required for ACI REST API |

Distributed Architecture Ports and Services

For a Distributed Architecture configuration, the following ports and services must be open in addition to those listed in the general ports and services section:

| For Monitored Devices | Source | Destination | Service / Port | Description |
|---|---|---|---|---|
| All | Distribution Servers; Remote Collectors | TOS Classic Central server Virtual IP | HTTPS <TCP 443> | Validation of Central server certificate |
| All | TOS Classic (active); TOS Classic (standby - for HA); Distribution Servers; Remote Collectors | | HTTPS <TCP 443> | Required for both initial setup and to forward user requests for information |
| All | Distribution Servers; Remote Collectors | TOS Classic Central server Virtual IP | JMS <TCP 61617> | JMS connection |
| All | Distribution Servers | TOS Classic Central server Virtual IP | Stunnel <TCP 10443> | Stunnel database connection |

High Availability Ports and Services

For a High Availability (HA) configuration, the following ports and services must be open for bidirectional communication between the two HA servers, in addition to those listed in the general ports and services section:

| For Monitored Devices | Source | Destination | Service / Port | Description |
|---|---|---|---|---|
| All | Automatic failover: TOS Classic (active) | TOS Classic (standby) | Management traffic: SSH <TCP 22>, HTTPS <TCP 443>; Database replication traffic: PostgreSQL <TCP 5432>, MongoDB <TCP 27017-27019>; HA heartbeat traffic: <5405-5407> | Database, configuration replication and device backup |
| All | Automatic failover: TOS Classic (standby) | TOS Classic (active) | Management traffic: SSH <TCP 22>, HTTPS <TCP 443>; Database replication traffic: PostgreSQL <TCP 5432>, MongoDB <TCP 27017-27019>; HA heartbeat traffic: <5405-5407> | Database, configuration replication and device backup |
| All | Manual failover: TOS Classic (active) | TOS Classic (standby) | Management traffic: SSH <TCP 22>, HTTPS <TCP 443>; Database replication traffic: PostgreSQL <TCP 5432>, MongoDB <TCP 27017-27019> | Database, configuration replication and device backup |
| All | Manual failover: TOS Classic (standby) | TOS Classic (active) | Management traffic: SSH <TCP 22>, HTTPS <TCP 443>; Database replication traffic: PostgreSQL <TCP 5432>, MongoDB <TCP 27017-27019> | Database, configuration replication and device backup |
| All | TOS Classic (active) | TOS Classic (standby) | Pacemaker node management: <TCP 2224> | Pacemaker node management interconnect |

Internal Communication Ports and Services

The following ports are opened on the server for internal communications:

| Server | Service / Port | Description |
|---|---|---|
| TOS Classic | tufin-jobs <TCP 8084> | Tufin-jobs Remote Collector management |
| TOS Classic | tufin-jobs <TCP 8085> | Tufin-jobs HTTP connection |
| TOS Classic | tufin-jobs <TCP 9889> | Tufin-jobs JMX server connection |
| TOS Classic | tufin-jobs <TCP 10003> | Tufin-jobs JMX server connection |
| TOS Classic | tufin-jobs <TCP port changes each service restart> | Random TCP port opened by Java when a JMX connection is configured. Note: the port changes at each service restart. |
| TOS Classic | tufin-jobs <UDP port changes each service restart> | Random UDP port used to send syslogs to a syslog server. Note: the port changes at each service restart. |
| TOS Classic | jms <TCP port changes each service restart> | Random TCP port opened by Java when a JMX connection is configured. Note: the port changes at each service restart. |
| TOS Classic | tomcat <TCP 8080> | Tomcat HTTP connection |
| TOS Classic | tomcat <TCP 9888> | Tomcat JMX server connection |
| TOS Classic | tomcat <TCP 10002> | Tomcat JMX server connection |
| TOS Classic | tomcat <TCP port changes each service restart> | Random TCP port opened by Java when a JMX connection is configured. Note: the port changes at each service restart. |
| TOS Classic | tomcat <UDP 56374> | Random UDP port used to send syslogs to a syslog server. Note: the port changes at each service restart. |
| Central Server (for HA, primary server); Remote Collectors; Distribution Servers | Device Communication Service <TCP 8091> | Device Communication Service API running on the local server |
| Standalone; Central Server (for HA, primary server); Remote Collectors; Distribution Servers | FQDN Cache Service <TCP 8094> | FQDN Cache Service API running on the local server |
| Central Server (for HA, primary server) | LDAP Cache Service <TCP 8092> | LDAP Cache Service API running on the local server |
| Central Server (for HA, primary server) | Commit Manager Service <TCP 8093> | Commit Manager Service API running on the local server |
| TOS Classic | keycloak <TCP 9009> | Keycloak AJP connection |
| TOS Classic | keycloak <TCP 9080> | Keycloak HTTP connection |
| TOS Classic | keycloak <TCP 9990> | Keycloak HTTP connection |
| TOS Classic | NGINX <TCP 10514> | Listening on localhost for unencrypted syslogs |

The range from which these per-restart ports are drawn can be viewed by displaying the file /proc/sys/net/ipv4/ip_local_port_range. The specific port used by a service changes each time the service is restarted.
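Two things a practitioner typically wants after reading this page are a way to confirm, from a Distribution Server or Remote Collector, that the flows in the Distributed Architecture table actually pass the organization's firewalls, and a way to read the local ephemeral range behind the note above so the firewall team can scope the per-restart ports. The following script is an added example written for this page, not Tufin's own tooling; the hostname `central-vip.example.internal` is a constructed placeholder for the Central server Virtual IP, and the flow list is taken from the Distributed Architecture table.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One row of a ports table: who connects, to where, on which port, and why."""
    source: str
    destination: str
    port: int
    proto: str      # "tcp" or "udp"
    purpose: str


# Flows from the Distributed Architecture table. The hostname is a constructed
# placeholder: substitute your own Central server Virtual IP.
CENTRAL_VIP = "central-vip.example.internal"
DISTRIBUTED_FLOWS = [
    Flow("Distribution Server / Remote Collector", CENTRAL_VIP, 443, "tcp",
         "Validation of Central server certificate"),
    Flow("Distribution Server / Remote Collector", CENTRAL_VIP, 61617, "tcp",
         "JMS connection"),
    Flow("Distribution Server", CENTRAL_VIP, 10443, "tcp",
         "Stunnel database connection"),
]


def tcp_port_open(host, port, timeout=3.0):
    """True when a full TCP handshake completes. Only TCP flows can be verified
    this way: a UDP datagram that draws no reply looks the same whether the port
    is open or a firewall silently drops it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def loopback_listener():
    """Open a listening socket on an ephemeral loopback port. Used as a control:
    probe it first, so a BLOCKED verdict elsewhere is not just a broken prober."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def check_flows(flows, probe=tcp_port_open):
    """Probe each flow from the host this runs on. Returns {flow: True/False},
    with None for UDP flows that cannot be verified by connecting."""
    return {f: (probe(f.destination, f.port) if f.proto == "tcp" else None)
            for f in flows}


def parse_port_range(text):
    """Parse the two numbers found in /proc/sys/net/ipv4/ip_local_port_range."""
    low, high = text.split()
    return int(low), int(high)


def ephemeral_port_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """(low, high) of the local ephemeral range, or None when not on Linux."""
    try:
        with open(path) as fh:
            return parse_port_range(fh.read())
    except (OSError, ValueError):
        return None


def report(flows, results, eph_range=None):
    """Render one line per flow, plus the ephemeral range the firewall team
    needs for the per-restart ports in the internal communication table."""
    label = {True: "OPEN", False: "BLOCKED", None: "UDP: not verifiable"}
    lines = [f"{label[results[f]]:<20} {f.proto.upper()}/{f.port:<6} "
             f"{f.source} -> {f.destination}  ({f.purpose})" for f in flows]
    if eph_range:
        lines.append(f"Local ephemeral source ports: {eph_range[0]}-{eph_range[1]}")
    return "\n".join(lines)


if __name__ == "__main__":
    control = loopback_listener()
    ctrl_port = control.getsockname()[1]
    print("prober control:", "ok" if tcp_port_open("127.0.0.1", ctrl_port) else "broken")
    control.close()
    print(report(DISTRIBUTED_FLOWS, check_flows(DISTRIBUTED_FLOWS), ephemeral_port_range()))
```

Run it on each Distribution Server and Remote Collector after substituting the real Virtual IP. A BLOCKED line for a flow the table requires points at a missing firewall rule on the path to the Central server; the loopback control line guards against misreading a local problem as a firewall problem. UDP rows (for example Syslog <UDP 514> in the general table) are deliberately reported as not verifiable rather than guessed at, because a connect-style probe cannot distinguish an open UDP port from a dropped packet.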