Understanding Firewall Ports

This section lists the firewall ports used by the ArcSight Platform capabilities. These ports must be available when you deploy the associated capability.

ArcMC

Ports Direction Description
32080, 9000 Inbound Used for Transformation Hub and ArcMC communication

 

CDF Vault

Ports (TCP) Node Description
8200 Master Used by the itom-vault service, which provides a secured configuration store. All cluster nodes should be able to access this port for client connections.
8201 Master Used by the itom-vault service, which provides a secured configuration store. Web clients must be able to access this port for peer member connections.

CDF Management Portal

Ports (TCP) Node Description
3000 Master Used only for accessing the CDF Management Portal from a web browser during CDF installation. Web clients must be able to access this port during the installation of CDF; after installation, web clients use port 5443 to access the CDF Management Portal.
5443 Master Used for accessing the CDF Management Portal from a web browser after CDF deployment. Web clients must be able to access this port for administration and management of CDF.
5444 Master Used for accessing the CDF Management Portal from a web browser after CDF deployment when two-way (mutual) SSL authentication is used. Web clients must be able to access this port for administration and management of CDF when two-way (mutual) SSL authentication is used.

Database

The database requires several ports to be open on the local network. It is not recommended to place a firewall between nodes (all nodes should be behind a firewall), but if you must use a firewall between nodes, ensure that the following ports are available:

Ports Description
TCP 22 Required for the Administration Tools and Management Console cluster installation wizard
TCP 5433 Used by database clients, such as vsql, ODBC, JDBC, and so on
TCP 5434 Used for intra-cluster and inter-cluster communication
UDP 5433 Used for database spread monitoring
TCP 5438 Used as the Management Console-to-node and node-to-node (agent) communication port
TCP 5450 Used to connect to the Management Console from a web browser, and allows communication from nodes to the Management Console application/web server
TCP 4803 Used for client connections
UDP 4803 Used for daemon-to-daemon connections
UDP 4804 Used for daemon-to-daemon connections
UDP 6543 Used to monitor daemon connections

Intelligence

In addition to the ports used by CDF, Transformation Hub, and the database, Intelligence uses the following ports when a firewall is enabled. Ensure that the following ports are available:

Ports Node Direction Description
TCP 30820 Worker (HDFS NameNode) Inbound Used by the database to connect to HDFS during Analytics processing
TCP 30070 Worker (HDFS NameNode) Inbound Used for the Hadoop Monitoring Dashboard (optional)
TCP 30010 Worker (HDFS DataNodes) Inbound Used for communication between the HDFS NameNode and the HDFS DataNodes
TCP 30210 Worker (HDFS DataNodes) Inbound Used by the database to establish secure communication with HDFS during Analytics processing

Kubernetes

Ports Node Description
2380 (TCP) Master Used by the etcd component, which provides a distributed configuration database. All master nodes should be able to access this port for etcd cluster communication.
4001 (TCP) Master Used by the etcd component, which provides a distributed configuration database. All cluster nodes should be able to access this port for client connections.
5000 (TCP) Master Used by the kube-registry component, which handles the management of container image delivery. All cluster nodes should be able to access this port to communicate with the local container registry.
7443 (TCP) Master (Conditional) Used by the Kubernetes API server when you install using the provided scripts, or when you install manually on the same node as ESM. All cluster nodes should be able to access this port for internal communication.
8443 (TCP) Master (Conditional) Used by the Kubernetes API server when you install manually and not on the same node as ESM. All cluster nodes should be able to access this port for internal communication.
8472 (UDP) All nodes Used by the Flannel service component, which manages the internal cluster networking. Note that this port uses UDP, not TCP. All cluster nodes should be able to access this port for internal communication.
10250 (TCP) All nodes Used by the Kubelet service, which functions as a local node agent that watches pod specifications through the Kubernetes API server. All cluster nodes should be able to access this port for internal communication and for the worker node Kubelet API (exec and logs).
10251 (TCP) All nodes Used by the kube-scheduler component, which watches for any new pod with no assigned node and assigns a node to it. All cluster nodes should be able to access this port for internal communication.
10252 (TCP) All nodes Used by the kube-controller-manager component, which runs the controller processes that regulate the state of the cluster. All cluster nodes should be able to access this port for internal communication.
10256 (TCP) All nodes Used by the kube-proxy component, a network proxy that runs on each node to expose the services on that node. All cluster nodes should be able to access this port for internal communication.

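As an added example, not part of the ArcSight documentation, this POSIX shell script derives host firewall rules from the Kubernetes port table above for a given node role and API server install mode, keeping Flannel on UDP and selecting 7443 or 8443 as the table specifies. It assumes firewalld is the host firewall with a zone named public, and it prints the firewall-cmd invocations for review instead of running them.

```shell
#!/bin/sh
# Added example, not from the ArcSight documentation: derive firewalld rules for
# the Kubernetes ports in the table above from a node's role and the way the
# Kubernetes API server was installed. Assumes firewalld and the "public" zone.

# Ports every cluster node must accept (table rows marked "All nodes").
ALL_NODES_TCP="10250 10251 10252 10256"
ALL_NODES_UDP="8472"            # Flannel listens on UDP, not TCP
# Ports only master nodes accept (table rows marked "Master"), API server excluded.
MASTER_TCP="2380 4001 5000"

# k8s_api_port MODE -> the conditional API server port from the table.
#   scripted, manual-with-esm : 7443 (provided scripts, or manual install on the ESM node)
#   manual-separate           : 8443 (manual install, not on the ESM node)
k8s_api_port() {
  case "$1" in
    scripted|manual-with-esm) echo 7443 ;;
    manual-separate)          echo 8443 ;;
    *) echo "unknown install mode: $1" >&2; return 1 ;;
  esac
}

# k8s_ports ROLE MODE -> one "port/proto" entry per line that this node must accept.
k8s_ports() {
  role=$1; mode=$2
  for p in $ALL_NODES_TCP; do echo "$p/tcp"; done
  for p in $ALL_NODES_UDP; do echo "$p/udp"; done
  if [ "$role" = master ]; then
    for p in $MASTER_TCP; do echo "$p/tcp"; done
    api=$(k8s_api_port "$mode") || return 1
    echo "$api/tcp"
  fi
}

# k8s_firewall_cmds ROLE MODE -> firewall-cmd invocations, printed for review.
# Pipe the output to sh on the node to apply them after checking the list.
k8s_firewall_cmds() {
  k8s_api_port "$2" >/dev/null || return 1   # reject an unknown install mode early
  k8s_ports "$1" "$2" | while read -r spec; do
    echo "firewall-cmd --permanent --zone=public --add-port=$spec"
  done
  echo "firewall-cmd --reload"
}

# Example run: a master node installed with the provided scripts.
k8s_firewall_cmds master scripted
```

A worker node gets only the "All nodes" rows, so running the same function with the role set to worker omits the etcd, registry and API server ports.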

NFS

Ports (TCP) Node Description
111 NFS server Used by the portmapper service. All cluster nodes should be able to access this port.
2049 NFS server Used by the nfsd daemon. All cluster nodes should be able to access this port. This port must be open even in a single-node deployment.
20048 NFS server Used by the mountd daemon. All cluster nodes should be able to access this port.

SmartConnector

Port Direction Description
1515 (raw TCP), 1999 (TLS) Inbound Used by SmartConnector to receive events
9092 (non-SSL), 9093 (SSL) Outbound Used by SmartConnector to send data to Transformation Hub

SOAR

The SOAR cluster listens on the following NodePorts on all Kubernetes master and worker nodes, but Micro Focus suggests that you only use the ports on the master virtual IP.

Port Description
32200 Data from ESM
32201 Data from QRadar
32202 Data from McAfee

Transformation Hub

Ports (TCP) Direction Description
2181 Inbound Used by ZooKeeper as an inbound port
9092 Inbound Used by Kafka during non-SSL communication
9093 Inbound Used by Kafka when TLS is enabled
32080 Outbound Used by Transformation Hub to send data to ArcMC
32181 Outbound Used by ZooKeeper as an outbound port
443 Inbound Used by ArcMC
9000 Inbound Used by ArcMC
9999, 10000 Inbound Used by the Transformation Hub Kafka Manager to monitor Kafka
39001, 39050 Outbound Used by ArcMC to communicate with Connectors in Transformation Hub