Required Ports, Protocols, and Services for Symantec … · 2020-05-29


Required Ports, Protocols, and Services for Symantec Enterprise Security Products

The information in this document might not contain the latest updates. Refer to the Latest Information links in each section to access the most current information.

Important Notice

As of Saturday, April 11, 2020, the following Symantec Corp. licensing services IP address changes take effect.

| Service Host | Symantec IP Address (Old) | Broadcom IP Address (New) |
|---|---|---|
| validation.es.bluecoat.com | 155.64.49.136 | 192.19.237.101 |
| bto-services.es.bluecoat.com | 155.64.49.131 | 192.19.237.99 |
| device-services.es.bluecoat.com | 155.64.49.132 | 192.19.237.100 |
| download.bluecoat.com | 155.64.49.133 | 192.19.237.102 |
| services.bluecoat.com | 155.64.49.135 | 192.19.237.103 |
| abrca.bluecoat.com | 155.64.49.137 | 192.19.237.69 |

- Content Analysis
- Management Center
- PacketShaper S-Series
- PacketShaper (Legacy)
- PolicyCenter S-Series
- ProxySG
- Reporter
- Security Analytics
- SSL Visibility
- Web Isolation
- Web Security Service

Content Analysis 2.4 Inbound Connections

| Service | Port | Protocol | Configurable? | Source | Description |
|---|---|---|---|---|---|
| ICAP | 1344 | TCP | yes | ProxySG | Accept unencrypted Internet Content Adaptation Protocol (ICAP) traffic. |
| Secure ICAP | 11344 | TCP | yes | ProxySG | Accept secured ICAP traffic. |
| HTTP | 8081 | TCP | yes | user's client | Manage and configure Content Analysis with a web browser. Disabled by default. |
| HTTPS | 8082 | TCP | yes | user's client | Secure Content Analysis management and integration with other services |
| SSH | 22 | TCP | no | user's client | Securely manage and configure Content Analysis with a command line interface. |
| SNMP | 161 | UDP | no | SNMP analysis tools | Listen for queries from remote SNMP analysis tools (if SNMP is enabled). |
| RDP | 3389 | TCP | no | user's client | Remote desktop connection during IVM customization. The user may open these ports while IVMs are in customization mode using ma-settings ivm customize. |
| SMB | 139, 445 | TCP | no | user's client | Windows file sharing during IVM customization. The user may open these ports while IVMs are in customization mode using ma-settings ivm customize. |
| VNC | 5900 | TCP | no | user's client | Virtual Network Computing (VNC) access during IVM customization. The user may open this port while IVMs are in customization mode by enabling VNC with ma-settings ivm customize services vnc enable. |

Content Analysis 2.4 Outbound Connections

| Service | Port | Protocol | Configurable? | Destination | Function |
|---|---|---|---|---|---|
| CounterTack Sentinel Endpoint Security | 9090 | TCP | no | CounterTack Sentinel server | Track scanning activity to be used for incident response, to determine if any clients in the network have been infected by malware. |
| Symantec Reporter | 21, 22 | TCP | yes | FTP server, FTPS server | Upload sandboxing logs to a Symantec Reporter server. |
| DNS | 53 | TCP/UDP | no | DNS server | Perform domain name resolution for URLs in data sent to Content Analysis for scanning, and to resolve Internet addresses the appliance connects to. |
| HTTPS | 443 | TCP | no | Depends on the service | Provides access to various HTTPS services. See full list in the "Required URLs" section below. |
| LDAP | 389, 3268, 3269 | TCP, TCP/UDP, TCP/UDP | yes | LDAP server | Communicate with LDAP servers to authenticate Content Analysis administrators. |
| LDAPS | 636 | TCP | yes | LDAP server | Communicate with LDAPS servers to securely authenticate Content Analysis administrators. |
| RADIUS | 1812, 1813 | TCP/UDP | yes | RADIUS server | Communicate with RADIUS servers to authenticate Content Analysis administrators |
| Sandboxing – Symantec Malware Analysis | 443 (for standalone MA); 8082 (default port for external CA w/ on-box sandboxing) | HTTPS | yes | External Malware Analysis sandbox | Transmit data for sandbox analysis to either a standalone Symantec Malware Analysis appliance or another Content Analysis appliance dedicated to on-box sandboxing. |
| Sandboxing – FireEye NX | None - physical access to an interface on the appliance. | N/A | N/A | N/A | Transmit data to a FireEye sandbox appliance for data analysis. |
| Sandboxing – FireEye AX | 22 | SSH | no | FireEye AX appliance | Transmit data to a FireEye sandbox appliance for data analysis. |
| SMTP | 25 | TCP | yes | mail gateway | Send alerts via email. |
| SNMP | 162 | UDP | no | Trap receiver | Send SNMP traps. |
| Symantec Endpoint Protection Manager | 8446 | TCP | no | SEPM server | Add malicious files to the Symantec Endpoint Protection Manager blacklist. |
| Splunk Phantom | 443 | TCP | no | Splunk Phantom server | Send data for orchestration to a Splunk Phantom server. |
| syslog | 514, 6514 | UDP | yes | syslog server | Report appliance health and statistical data to a syslog server on the internal network. Symantec recommends using secure syslog connections on port 6514 wherever possible. |

Content Analysis 2.4 Required URLs

| Service | URL | Protocol | Port | Function |
|---|---|---|---|---|
| Blue Coat Certificate Authority | abrca.bluecoat.com/ | HTTP | 80 | A Symantec/Blue Coat service that responds to CSR requests by returning a signed certificate in response. This is used when renewing or initially requesting a certificate. |
| Blue Coat Diagnostics Server | remote-support.bluecoat.com | HTTPS | 8888 | A backend Symantec/Blue Coat service used for "remote debugging". This allows Symantec personnel to log in to customer appliances and debug an issue by opening a shell on the box. |
| Blue Coat Heartbeat Server | subscription.es.bluecoat.com/heartbeat/post | HTTPS | 443 | Content Analysis emits a message, called a heartbeat, to the Symantec/Blue Coat heartbeat server on the following occasions: appliance bootup, daily, and after a system failure. Using the information contained in the heartbeat messages, Symantec is able to provide better, faster support to its users. |
| Symantec AV Heartbeat | shasta-clt-symantec.com | HTTPS | 443 | A heartbeat to check the status of antivirus engines. |
| Symantec Cloud Sandboxing | api.us.dmas.symantec.com | HTTPS | 443 | Sends files to Symantec's cloud-based service for malware scanning. |
| Symantec File Insight | stnd-ipsg.crsi.symantec.com | HTTPS | 443 | Symantec Insight is the file-reputation component of Symantec Endpoint Protection. |
| Symantec LiveUpdates | liveupdate.symantec.com | HTTP | 80 | AV pattern updates; Symantec Advanced Machine Learning (AML) |
| Symantec Network Protection (Blue Coat) Licensing | subscription.es.bluecoat.com | HTTPS | 443 | Manage the subscription-based services (antivirus, file reputation, sandboxing) associated with your Content Analysis serial number. |
| Symantec Network Protection (Blue Coat) Licensing | device-services.es.bluecoat.com, services.es.bluecoat.com | HTTPS | 443 | URLs used by the appliance to manage the appliance license (applicable to licenses without birth certificates) |
| Symantec Network Protection (Blue Coat) Licensing | bto-services.es.bluecoat.com | HTTPS | 443 | URL for managing the virtual appliance license, and to perform software image update checks for all versions of Content Analysis (applicable to licenses with birth certificates). |
| Symantec Malware Analysis | maa-updates.es.bluecoat.com | HTTPS | 443 | Malware Analysis telemetry |
| Symantec "Phone Home" Server | validation.es.bluecoat.com/ | HTTPS | 443 | A backend Symantec service that validates VM installations by ensuring that the same serial number is not used on multiple machines. |
| Symantec Support | upload.bluecoat.com, MFT.symantec.com | HTTPS | 443 | A web form for submitting files to Symantec Support. |
| Symantec Telemetry | shasta-rrs.symantec.com | HTTPS | 443 | System Telemetry — Anonymous Usage Data |
| Symantec Global Intelligence Network (GIN) | frs.es.bluecoat.com | HTTPS | 443 | This URL is used to perform file reputation (whitelisting) hash lookups, and when malware is discovered, report the source and file hash to Symantec GIN, provided the option is enabled in Settings > GIN. |
| Symantec GIN | sp.cwfservice.net | HTTPS | 443 | This URL is used to perform website reputation services. |
| Symantec GIN (for MA) | contentanalysis-ma.es.bluecoat.com | HTTPS | 443 | When malware is discovered by a Malware Analysis appliance, Content Analysis contacts this URL to report it. |
| Microsoft Windows activation | wpa.one.microsoft.com | HTTPS | 443 | Activate Windows in an IVM. |
| NTP | ntp.bluecoat.com, ntp2.bluecoat.com (Content Analysis can also accept configuration of other NTP servers) | UDP | 123 | Synchronize the appliance clock with a verified time reference server. |
| On-box Sandboxing | cas-base-images.osl.bluecoat.com, *.cloudfront.net | HTTPS | 443 | IVM base image download. The first address resolves to several servers in the *.cloudfront.net domain. |
| Sandboxing - Lastline | lastline.mycompany.com (replace mycompany.com for your specific Lastline cloud-based sandboxing URL). | HTTPS | 443 | Used to transmit data to a cloud-based Lastline sandbox service for data analysis. |
| Trust Package Updates | appliance.bluecoat.com | HTTP | 80 | Download trust packages (CA certificate update packages) from Symantec. |
| VirusTotal lookups | virustotal.com/vtapi/v2/file/report | HTTPS | 443 | Sends files and URLs to the VirusTotal service for malware scanning. Only required when a VirusTotal API key is configured. |

Content Analysis

Content Analysis 2.3 Inbound Connections

| Service | Port | Protocol | Configurable? | Source | Description |
|---|---|---|---|---|---|
| ICAP | 1344 | TCP | yes | ProxySG | Accept unencrypted Internet Content Adaptation Protocol (ICAP) traffic. |
| Secure ICAP | 11344 | TCP | yes | ProxySG | Accept secured ICAP traffic. |
| HTTP | 8081 | TCP | yes | user's client | Manage and configure Content Analysis with a web browser. Disabled by default. |
| HTTPS | 8082 | TCP | yes | user's client | Secure Content Analysis management and integration with other services |
| SSH | 22 | TCP | no | user's client | Securely manage and configure Content Analysis with a command line interface. |
| SNMP | 161 | UDP | no | SNMP analysis tools | Listen for queries from remote SNMP analysis tools (if SNMP is enabled). |
| RDP | 3389 | TCP | no | user's client | Remote desktop connection during IVM customization. The user may open these ports while IVMs are in customization mode using ma-settings ivm customize. |
| SMB | 139, 445 | TCP | no | user's client | Windows file sharing during IVM customization. The user may open these ports while IVMs are in customization mode using ma-settings ivm customize. |
| VNC | 5900 | TCP | no | user's client | Virtual Network Computing (VNC) access during IVM customization. The user may open this port while IVMs are in customization mode by enabling VNC with ma-settings ivm customize services vnc enable. |

Content Analysis 2.3 Outbound Connections

| Service | Port | Protocol | Configurable? | Destination | Function |
|---|---|---|---|---|---|
| CounterTack Sentinel Endpoint Security | 9090 | TCP | no | CounterTack Sentinel server | Track scanning activity to be used for incident response, to determine if any clients in the network have been infected by malware. |
| Symantec Reporter | 21, 22 | TCP | yes | FTP server, FTPS server | Upload sandboxing logs to a Symantec Reporter server. |
| DNS | 53 | TCP/UDP | no | DNS server | Perform domain name resolution for URLs in data sent to Content Analysis for scanning, and to resolve Internet addresses the appliance connects to. |
| HTTPS | 443 | TCP | no | Depends on the service | Provides access to various HTTPS services. See full list in the "Required URLs" section below. |
| LDAP | 389, 3268, 3269 | TCP, TCP/UDP, TCP/UDP | yes | LDAP server | Communicate with LDAP servers to authenticate Content Analysis administrators. |
| LDAPS | 636 | TCP | yes | LDAP server | Communicate with LDAPS servers to securely authenticate Content Analysis administrators. |
| RADIUS | 1812, 1813 | TCP/UDP | yes | RADIUS server | Communicate with RADIUS servers to authenticate Content Analysis administrators |
| Sandboxing – Symantec Malware Analysis | 443 (for standalone MA); 8082 (default port for external CA w/ on-box sandboxing) | HTTPS | yes | External Malware Analysis sandbox | Transmit data for sandbox analysis to either a standalone Symantec Malware Analysis appliance or another Content Analysis appliance dedicated to on-box sandboxing. |
| Sandboxing – FireEye NX | None - physical access to an interface on the appliance. | N/A | N/A | N/A | Transmit data to a FireEye sandbox appliance for data analysis. |
| Sandboxing – FireEye AX | 22 | SSH | no | FireEye AX appliance | Transmit data to a FireEye sandbox appliance for data analysis. |
| SMTP | 25 | TCP | yes | mail gateway | Send alerts via email. |
| SNMP | 162 | UDP | no | Trap receiver | Send SNMP traps. |
| Symantec Endpoint Protection Manager | 8446 | TCP | no | SEPM server | Add malicious files to the Symantec Endpoint Protection Manager blacklist. |
| syslog | 514, 6514 | UDP | yes | syslog server | Report appliance health and statistical data to a syslog server on the internal network. Symantec recommends using secure syslog connections on port 6514 wherever possible. |

Content Analysis 2.3 Required URLs

| Service | URL | Protocol | Port | Function |
|---|---|---|---|---|
| Blue Coat Certificate Authority | abrca.bluecoat.com/ | HTTP | 80 | A Symantec/Blue Coat service that responds to CSR requests by returning a signed certificate in response. This is used when renewing or initially requesting a certificate. |
| Blue Coat Diagnostics Server | remote-support.bluecoat.com | HTTPS | 8888 | A backend Symantec/Blue Coat service used for "remote debugging". This allows Symantec personnel to log in to customer appliances and debug an issue by opening a shell on the box. |
| Blue Coat Heartbeat Server | subscription.es.bluecoat.com/heartbeat/post | HTTPS | 443 | Content Analysis emits a message, called a heartbeat, to the Symantec/Blue Coat heartbeat server on the following occasions: appliance bootup, daily, and after a system failure. Using the information contained in the heartbeat messages, Symantec is able to provide better, faster support to its users. |
| Symantec Cloud Sandboxing | api.us.dmas.symantec.com | HTTPS | 443 | Sends files to Symantec's cloud-based service for malware scanning. |
| Symantec File Insight | stnd-ipsg.crsi.symantec.com | HTTPS | 443 | Symantec Insight is the file-reputation component of Symantec Endpoint Protection. |
| Symantec LiveUpdates | liveupdate.symantec.com | HTTP | 80 | AV pattern updates; Symantec Advanced Machine Learning (AML) |
| Symantec Network Protection (Blue Coat) Licensing | subscription.es.bluecoat.com | HTTPS | 443 | Manage the subscription-based services (antivirus, file reputation, sandboxing) associated with your Content Analysis serial number. |
| Symantec Network Protection (Blue Coat) Licensing | device-services.es.bluecoat.com, services.es.bluecoat.com | HTTPS | 443 | URLs used by the appliance to manage the appliance license (applicable to licenses without birth certificates) |
| Symantec Network Protection (Blue Coat) Licensing | bto-services.es.bluecoat.com | HTTPS | 443 | URL for managing the virtual appliance license, and to perform software image update checks for all versions of Content Analysis (applicable to licenses with birth certificates). |
| Symantec Malware Analysis | maa-updates.es.bluecoat.com | HTTPS | 443 | Malware Analysis telemetry |
| Symantec "Phone Home" Server | validation.es.bluecoat.com/ | HTTPS | 443 | A backend Symantec service that validates VM installations by ensuring that the same serial number is not used on multiple machines. |
| Symantec Support | upload.bluecoat.com, MFT.symantec.com | HTTPS | 443 | A web form for submitting files to Symantec Support. |
| Symantec Telemetry | shasta-rrs.symantec.com | HTTPS | 443 | System Telemetry — Anonymous Usage Data |
| Symantec Global Intelligence Network (GIN) | frs.es.bluecoat.com | HTTPS | 443 | This URL is used to perform file reputation (whitelisting) hash lookups, and when malware is discovered, report the source and file hash to Symantec GIN, provided the option is enabled in Settings > GIN. |
| Symantec GIN | sp.cwfservice.net | HTTPS | 443 | This URL is used to perform website reputation services. |
| Symantec GIN (for MA) | contentanalysis-ma.es.bluecoat.com | HTTPS | 443 | When malware is discovered by a Malware Analysis appliance, Content Analysis contacts this URL to report it. |
| Microsoft Windows activation | wpa.one.microsoft.com | HTTPS | 443 | Activate Windows in an IVM. |
| NTP | ntp.bluecoat.com, ntp2.bluecoat.com (Content Analysis can also accept configuration of other NTP servers) | UDP | 123 | Synchronize the appliance clock with a verified time reference server. |
| On-box Sandboxing | cas-base-images.osl.bluecoat.com, *.cloudfront.net | HTTPS | 443 | IVM base image download. The first address resolves to several servers in the *.cloudfront.net domain. |
| Sandboxing - Lastline | lastline.mycompany.com (replace mycompany.com for your specific Lastline cloud-based sandboxing URL). | HTTPS | 443 | Used to transmit data to a cloud-based Lastline sandbox service for data analysis. |
| Trust Package Updates | appliance.bluecoat.com | HTTP | 80 | Download trust packages (CA certificate update packages) from Symantec. |
| VirusTotal lookups | virustotal.com/vtapi/v2/file/report | HTTPS | 443 | Sends files and URLs to the VirusTotal service for malware scanning. Only required when a VirusTotal API key is configured. |

Content Analysis 2.2 Inbound Connections

| Service | Port | Protocol | Configurable? | Source | Description |
|---|---|---|---|---|---|
| ICAP | 1344 | TCP | yes | ProxySG | Accept unencrypted Internet Content Adaptation Protocol (ICAP) traffic. |
| Secure ICAP | 11344 | TCP | yes | ProxySG | Accept secured ICAP traffic. |
| HTTP | 8081 | TCP | yes | user's client | Manage and configure Content Analysis with a web browser. Disabled by default. |
| HTTPS | 8082 | TCP | yes | user's client | Secure Content Analysis management and integration with other services |
| SSH | 22 | TCP | no | user's client | Securely manage and configure Content Analysis with a command line interface. |
| SNMP | 161 | UDP | no | SNMP analysis tools | Listen for queries from remote SNMP analysis tools (if SNMP is enabled). |
| RDP | 3389 | TCP | no | user's client | Remote desktop connection during IVM customization. The user may open these ports while IVMs are in customization mode using ma-settings ivm customize. |
| SMB | 139, 445 | TCP | no | user's client | Windows file sharing during IVM customization. The user may open these ports while IVMs are in customization mode using ma-settings ivm customize. |
| VNC | 5900 | TCP | no | user's client | Virtual Network Computing (VNC) access during IVM customization. The user may open this port while IVMs are in customization mode by enabling VNC with ma-settings ivm customize services vnc enable. |

Content Analysis 2.2 Outbound Connections

| Service | Port | Protocol | Configurable? | Destination | Function |
|---|---|---|---|---|---|
| CounterTack Sentinel Endpoint Security | 9090 | TCP | no | CounterTack Sentinel server | Track scanning activity to be used for incident response, to determine if any clients in the network have been infected by malware. |
| Symantec Reporter | 21, 22 | TCP | yes | FTP server, FTPS server | Upload sandboxing logs to a Symantec Reporter server. |
| DNS | 53 | TCP/UDP | no | DNS server | Perform domain name resolution for URLs in data sent to Content Analysis for scanning, and to resolve Internet addresses the appliance connects to. |
| HTTPS | 443 | TCP | no | Depends on the service | Provides access to various HTTPS services. See full list in the "Required URLs" section below. |
| LDAP | 389, 3268, 3269 | TCP, TCP/UDP, TCP/UDP | yes | LDAP server | Communicate with LDAP servers to authenticate Content Analysis administrators. |
| LDAPS | 636 | TCP | yes | LDAP server | Communicate with LDAPS servers to securely authenticate Content Analysis administrators. |
| RADIUS | 1812, 1813 | TCP/UDP | yes | RADIUS server | Communicate with RADIUS servers to authenticate Content Analysis administrators |
| Sandboxing – Symantec Malware Analysis | 443 (for standalone MA); 8082 (default port for external CA w/ on-box sandboxing) | HTTPS | yes | External Malware Analysis sandbox | Transmit data for sandbox analysis to either a standalone Symantec Malware Analysis appliance or another Content Analysis appliance dedicated to on-box sandboxing. |
| Sandboxing – FireEye NX | None - physical access to an interface on the appliance. | N/A | N/A | N/A | Transmit data to a FireEye sandbox appliance for data analysis. |
| Sandboxing – FireEye AX | 22 | SSH | no | FireEye AX appliance | Transmit data to a FireEye sandbox appliance for data analysis. |
| SMTP | 25 | TCP | yes | mail gateway | Send alerts via email. |
| SNMP | 162 | UDP | no | Trap receiver | Send SNMP traps. |
| Symantec Endpoint Protection Manager | 8446 | TCP | no | SEPM server | Add malicious files to the Symantec Endpoint Protection Manager blacklist. |
| syslog | 514, 6514 | UDP | yes | syslog server | Report appliance health and statistical data to a syslog server on the internal network. Symantec recommends using secure syslog connections on port 6514 wherever possible. |

Content Analysis 2.2 Required URLs

| Service | URL | Protocol | Port | Function |
|---|---|---|---|---|
| Blue Coat Certificate Authority | abrca.bluecoat.com/ | HTTP | 80 | A Symantec/Blue Coat service that responds to CSR requests by returning a signed certificate in response. This is used when renewing or initially requesting a certificate. |
| Blue Coat Diagnostics Server | remote-support.bluecoat.com | HTTPS | 8888 | A backend Symantec/Blue Coat service used for "remote debugging". This allows Symantec personnel to log in to customer appliances and debug an issue by opening a shell on the box. |
| Blue Coat Heartbeat Server | subscription.es.bluecoat.com/heartbeat/post | HTTPS | 443 | Content Analysis emits a message, called a heartbeat, to the Symantec/Blue Coat heartbeat server on the following occasions: appliance bootup, daily, and after a system failure. Using the information contained in the heartbeat messages, Symantec is able to provide better, faster support to its users. |
| Symantec Cloud Sandboxing | api.us.dmas.symantec.com | HTTPS | 443 | Sends files to Symantec's cloud-based service for malware scanning. |
| Symantec File Insight | stnd-ipsg.crsi.symantec.com | HTTPS | 443 | Symantec Insight is the file-reputation component of Symantec Endpoint Protection. |
| Symantec LiveUpdates | liveupdate.symantec.com | HTTP | 80 | AV pattern updates; Symantec Advanced Machine Learning (AML) |
| Symantec Network Protection (Blue Coat) Licensing | subscription.es.bluecoat.com | HTTPS | 443 | Manage the subscription-based services (antivirus, file reputation, sandboxing) associated with your Content Analysis serial number. |
| Symantec Network Protection (Blue Coat) Licensing | device-services.es.bluecoat.com, services.es.bluecoat.com | HTTPS | 443 | URLs used by the appliance to manage the appliance license (applicable to licenses without birth certificates) |
| Symantec Network Protection (Blue Coat) Licensing | bto-services.es.bluecoat.com | HTTPS | 443 | URL for managing the virtual appliance license, and to perform software image update checks for all versions of Content Analysis (applicable to licenses with birth certificates). |
| Symantec Malware Analysis | maa-updates.es.bluecoat.com | HTTPS | 443 | Malware Analysis telemetry |
| Symantec "Phone Home" Server | validation.es.bluecoat.com/ | HTTPS | 443 | A backend Symantec service that validates VM installations by ensuring that the same serial number is not used on multiple machines. |
| Symantec Support | upload.bluecoat.com, MFT.symantec.com | HTTPS | 443 | A web form for submitting files to Symantec Support. |
| Symantec Telemetry | shasta-rrs.symantec.com | HTTPS | 443 | System Telemetry — Anonymous Usage Data |
| Symantec Global Intelligence Network (GIN) | frs.es.bluecoat.com | HTTPS | 443 | This URL is used to perform file reputation (whitelisting) hash lookups, and when malware is discovered, report the source and file hash to Symantec GIN, provided the option is enabled in Settings > GIN. |
| Symantec GIN | sp.cwfservice.net | HTTPS | 443 | This URL is used to perform website reputation services. |
| Symantec GIN (for MA) | contentanalysis-ma.es.bluecoat.com | HTTPS | 443 | When malware is discovered by a Malware Analysis appliance, Content Analysis contacts this URL to report it. |
| Microsoft Windows activation | wpa.one.microsoft.com | HTTPS | 443 | Activate Windows in an IVM. |
| NTP | ntp.bluecoat.com, ntp2.bluecoat.com (Content Analysis can also accept configuration of other NTP servers) | UDP | 123 | Synchronize the appliance clock with a verified time reference server. |
| On-box Sandboxing | cas-base-images.osl.bluecoat.com, *.cloudfront.net | HTTPS | 443 | IVM base image download. The first address resolves to several servers in the *.cloudfront.net domain. |
| Sandboxing - Lastline | lastline.mycompany.com (replace mycompany.com for your specific Lastline cloud-based sandboxing URL). | HTTPS | 443 | Used to transmit data to a cloud-based Lastline sandbox service for data analysis. |
| Trust Package Updates | appliance.bluecoat.com | HTTP | 80 | Download trust packages (CA certificate update packages) from Symantec. |
| VirusTotal lookups | virustotal.com/vtapi/v2/file/report | HTTPS | 443 | Sends files and URLs to the VirusTotal service for malware scanning. Only required when a VirusTotal API key is configured. |

Content Analysis 2.1 Inbound Connections

| Service | Port | Protocol | Configurable? | Source | Description |
|---|---|---|---|---|---|
| ICAP | 1344 | TCP | yes | ProxySG | Accept unencrypted Internet Content Adaptation Protocol (ICAP) traffic. |
| Secure ICAP | 11344 | TCP | yes | ProxySG | Accept secured ICAP traffic. |
| HTTP | 8081 | TCP | yes | user's client | Manage and configure Content Analysis with a web browser. Disabled by default. |
| HTTPS | 8082 | TCP | yes | user's client | Secure Content Analysis management and integration with other services |
| SSH | 22 | TCP | no | user's client | Securely manage and configure Content Analysis with a command line interface. |
| SNMP | 161 | UDP | no | SNMP analysis tools | Listen for queries from remote SNMP analysis tools (if SNMP is enabled). |
| RDP | 3389 | TCP | no | user's client | Remote desktop connection during IVM customization. The user may open these ports while IVMs are in customization mode using ma-settings ivm customize. |
| SMB | 139, 445 | TCP | no | user's client | Windows file sharing during IVM customization. The user may open these ports while IVMs are in customization mode using ma-settings ivm customize. |
| VNC | 5900 | TCP | no | user's client | Virtual Network Computing (VNC) access during IVM customization. The user may open this port while IVMs are in customization mode by enabling VNC with ma-settings ivm customize services vnc enable. |

Content Analysis 2.1 Outbound Connections

Service Port Protocol Configurable? Destination Function

CounterTack Sentinel Endpoint Security 9090 TCP no CounterTack Sentinel server Track scanning activity to be used for incident response, to determine if any clients in the network have been infected by malware.

Symantec Reporter 21, 22 TCP yes FTP server, FTPS server Upload sandboxing logs to a Symantec Reporter server.

DNS 53 TCP/UDP no DNS server Perform domain name resolution for URLs in data sent to Content Analysis for scanning, and to resolve Internet addresses the appliance connects to.


LDAP 389, 3268, 3269 TCP, TCP/UDP, TCP/UDP yes LDAP server Communicate with LDAP servers to authenticate Content Analysis administrators.

LDAPS 636 TCP yes LDAP server Communicate with LDAPS servers to securely authenticate Content Analysis administrators.

RADIUS 1812, 1813 TCP/UDP yes RADIUS server Communicate with RADIUS servers to authenticate Content Analysis administrators

Sandboxing – Symantec Malware Analysis 443 HTTPS yes External Malware Analysis sandbox Transmit data to a Symantec Malware Analysis sandbox appliance for data analysis.

Sandboxing – FireEye NX None - physical access to an interface on the appliance. N/A N/A N/A Transmit data to a FireEye sandbox appliance for data analysis.

Sandboxing – FireEye AX 22 SSH no FireEye AX appliance Transmit data to a FireEye sandbox appliance for data analysis.

SMTP 25 TCP yes mail gateway Send alerts via email.

SNMP 162 UDP no Trap receiver Send SNMP traps.

Symantec Endpoint Protection Manager 8446 TCP no SEPM server Add malicious files to the Symantec Endpoint Protection Manager blacklist.

syslog 514, 6514 UDP yes syslog server Report appliance health and statistical data to a syslog server on the internal network. Symantec recommends using secure syslog connections on port 6514 wherever possible.


Content Analysis 2.1 Required URLs

Service URL Protocol Port Function

Blue Coat Certificate Authority abrca.bluecoat.com/ HTTP 80 A Symantec/Blue Coat service that responds to CSR requests by returning a signed certificate in response. This is used when renewing or initially requesting a certificate.

Blue Coat Diagnostics Server remote-support.bluecoat.com HTTPS 8888 A backend Symantec/Blue Coat service used for "remote debugging". This allows Symantec personnel to log in to customer appliances and debug an issue by opening a shell on the box.

Blue Coat Heartbeat Server subscription.es.bluecoat.com/heartbeat/post HTTPS 443 Content Analysis emits a message, called a heartbeat, to the Symantec/Blue Coat heartbeat server on the following occasions: appliance bootup, daily, and after a system failure. Using the information contained in the heartbeat messages, Symantec is able to provide better, faster support to its users.

Symantec Image Download Server bluecoat.flexnetoperations.com HTTPS 443 Image download server where Content Analysis downloads official Symantec images from.

Symantec Network Protection (Blue Coat) Licensing subscription.es.bluecoat.com HTTPS 443 Manage the subscription-based services (antivirus, file reputation, sandboxing) associated with your Content Analysis serial number.


Symantec Network Protection (Blue Coat) Licensing device-services.es.bluecoat.com, services.es.bluecoat.com HTTPS 443 URLs used by the appliance to manage the appliance license (applicable to licenses without birth certificates)

Symantec Network Protection (Blue Coat) Licensing bto-services.es.bluecoat.com HTTPS 443 URL for managing the virtual appliance license, and to perform software image update checks for all versions of Content Analysis (applicable to licenses with birth certificates).

Symantec Malware Analysis maa-updates.es.bluecoat.com HTTPS 443 Malware Analysis telemetry

Symantec "Phone Home" Server validation.es.bluecoat.com/ HTTPS 443 A backend Symantec service that validates VM installations by ensuring that the same serial number is not used on multiple machines.

Symantec Support upload.bluecoat.com, MFT.symantec.com HTTPS 443 A web form for submitting files to Symantec Support.

Symantec Global Intelligence Network (GIN) frs.es.bluecoat.com HTTPS 443 This URL is used to perform file reputation (whitelisting) hash lookups, and when malware is discovered, report the source and file hash to Symantec GIN, provided the option is enabled in Settings > GIN.

Symantec GIN sp.cwfservice.net HTTPS 443 This URL is used to perform website reputation services.


Symantec GIN (for MA) contentanalysis-ma.es.bluecoat.com HTTPS 443 When malware is discovered by a Malware Analysis appliance, Content Analysis contacts this URL to report it.

Microsoft Windows activation wpa.one.microsoft.com HTTPS 443 Activate Windows in an IVM.

NTP ntp.bluecoat.com, ntp2.bluecoat.com (Content Analysis can also accept configuration of other NTP servers) UDP 123 Synchronize the appliance clock with a verified time reference server.

On-box Sandboxing cas-base-images.osl.bluecoat.com, *.cloudfront.net HTTPS 443 IVM base image download. The first address resolves to several servers in the *.cloudfront.net domain.

Sandboxing - Lastline lastline.mycompany.com (replace mycompany.com for your specific Lastline cloud-based sandboxing URL). HTTPS 443 Used to transmit data to a cloud-based Lastline sandbox service for data analysis.

Trust Package Updates appliance.bluecoat.com HTTP 80 Download trust packages (CA certificate update packages) from Symantec.


Content Analysis 1.3 Inbound Connections

Service Port Protocol Configurable? Source Description

ICAP 1344 TCP yes ProxySG Accept unencrypted Internet Content Adaptation Protocol (ICAP) traffic.

Secure ICAP 11344 TCP yes ProxySG Accept secured ICAP traffic.


HTTP 8081 TCP yes user's client Manage and configure Content Analysis with a web browser. Disabled by default.

HTTPS 8082 TCP yes user's client Secure Content Analysis management and integration with other services

SSH 22 TCP no user's client Securely manage and configure Content Analysis with a command line interface.

SNMP 161 UDP no SNMP analysis tools Listen for queries from remote SNMP analysis tools (if SNMP is enabled).


Content Analysis 1.3 Outbound Connections

Service Port Protocol Configurable? Destination Function

syslog 514, 6514 UDP yes syslog server Report appliance health and statistical data to a syslog server on the internal network. Symantec recommends using secure syslog connections on port 6514 wherever possible.

CounterTack Sentinel Endpoint Security 9090 TCP no CounterTack Sentinel server Track scanning activity to be used for incident response, to determine if any clients in the network have been infected by malware.

DNS 53 TCP/UDP no Perform domain name resolution for URLs in data sent to Content Analysis for scanning, and to resolve Internet addresses the appliance connects to. Unique to your deployment, the DNS server(s) you configure may be on the internal network, or on the Internet.


LDAP 389, 3268, 3269 TCP, TCP/UDP, TCP/UDP yes LDAP server Communicate with LDAP servers to authenticate Content Analysis administrators.

LDAPS 636 TCP yes LDAP server Communicate with LDAPS servers to securely authenticate Content Analysis administrators.

RADIUS 1812, 1813 TCP/UDP yes RADIUS server Communicate with RADIUS servers to authenticate Content Analysis administrators

Sandboxing – Symantec Malware Analysis 443 HTTPS yes External Malware Analysis sandbox Transmit data to a Symantec Malware Analysis sandbox appliance for data analysis.

Sandboxing – FireEye NX None - physical access to an interface on the appliance. N/A N/A N/A Transmit data to a FireEye sandbox appliance for data analysis.

Sandboxing - FireEye AX Internal address on your corporate network 22 (SSH) no Used to transmit data to a FireEye sandbox appliance for data analysis.

SMTP 25 TCP yes mail gateway Send alerts via email.

SNMP 162 UDP no Trap receiver Send SNMP traps.


Content Analysis 1.3 Required URLs

Service URL Protocol Port Function

NTP ntp.bluecoat.com, ntp2.bluecoat.com (Content Analysis can also accept configuration of other NTP servers) UDP 123 Synchronize the appliance clock with a verified time reference server.

Symantec Network Protection (Blue Coat) Licensing subscription.es.bluecoat.com HTTPS 443 Manage the subscription-based services (antivirus, file reputation, sandboxing) associated with your Content Analysis serial number.

Symantec WebPulse contentanalysis.es.bluecoat.com HTTPS 443 This URL is used to perform File Reputation (whitelisting) hash lookups, and when malware is discovered, report the source and file hash to Symantec WebPulse, provided the option is enabled in Services > WebPulse.

Symantec GIN (for MA) contentanalysis-ma.es.bluecoat.com HTTPS 443 When malware is discovered by a Malware Analysis appliance, Content Analysis contacts this URL to report it.

Symantec Network Protection (Blue Coat) Licensing device-services.es.bluecoat.com, services.es.bluecoat.com HTTPS 443 URLs used by the appliance to manage the appliance license (applicable to licenses without birth certificates)

Symantec Licensing bto-services.es.bluecoat.com HTTPS 443 A URL for managing the virtual appliance license, and to perform software image update checks for all versions of Content Analysis.

Symantec Appliance Registration hb.bluecoat.com HTTPS 443 Symantec heartbeat server.

Trust Package Updates appliance.bluecoat.com HTTP 80 Download trust packages (CA certificate update packages) from Symantec.


Blue Coat Certificate Authority abrca.bluecoat.com/ HTTP 80 A Symantec/Blue Coat service that responds to CSR requests by returning a signed certificate in response. This is used when renewing or initially requesting a certificate.

Blue Coat Diagnostics Server remote-support.bluecoat.com HTTPS 8888 A backend Symantec/Blue Coat service used for "remote debugging". This allows Symantec personnel to log in to customer appliances and debug an issue by opening a shell on the box.

Symantec Image Download Server bluecoat.flexnetoperations.com HTTPS 443 Image download server where Content Analysis downloads official Symantec images from.

Symantec Support upload.bluecoat.com, MFT.symantec.com HTTPS 443 A web form for submitting files to Symantec Support.


Management Center

Management Center 2.4 Inbound Connections

Service Port Protocol Configurable? Source Description


Web UI 8080, 8082 TCP No User's client Management Center web console.*

CLI 22 TCP No User's client Management Center CLI shell access

Web API 8082 TCP No User's client Management Center API via HTTPS

Statistics Collector 9009 TCP No Blue Coat ProxySG appliance/Advanced Secure Gateway/SSL Visibility Performance Statistics data sent by monitoring assets via HTTP.*


Statistics Collector 9010 TCP No ProxySG appliance/Advanced Secure Gateway/SSL Visibility Performance Statistics data sent by monitoring assets via HTTPS.*

Management Center Failover 2025 TCP No Alternate Management Center appliance in a failover cluster. Used to transmit state and other pertinent information between primary and secondary Management Center appliances in a failover pair.


Management Center 2.4 Outbound Connections

Service Port Protocol Configurable? Destination Description

LDAP, LDAPS 10389, 389, 636 TCP Yes LDAP server Authentication

Active Directory 10389, 389, 636 TCP Yes Active Directory server Authentication

RADIUS 1812 UDP/TCP Yes RADIUS server Authentication

RADIUS 1813 UDP/TCP Yes RADIUS server Accounting

SMTP 25 TCP Yes SMTP server SMTP alerts

SNMP Trap 162 UDP Yes Trap receiver SNMP traps

HTTP Proxy 8080 TCP Yes HTTP Proxy Updates

NTP 123 UDP/TCP No NTP server list Time sync to customer-configured NTP time server

HTTP 80 TCP No Symantec https://support.symantec.com License activation, the latest release information and documentation


HTTPS 443 TCP No Symantec https://support.symantec.com License activation, Web Application Firewall (WAF) subscription, the latest release information and documentation

DNS 53 UDP/TCP No DNS server FQDN lookups

ProxySG/ASG 22 TCP No ProxySG appliance/Advanced Secure Gateway ProxySG appliance monitoring and management

ProxySG/ASG 8082 TCP No ProxySG appliance/Advanced Secure Gateway System image upload

SSH access to managed devices 22 TCP No All managed devices Device scripts support for appliances with SSH access, CLI shell.

SCP access to external servers 22 TCP No All managed devices and other hosts Management Center exports data to Importing and exporting data—Management Center and device backups, diagnostics, PCAP transfer

MA 443 TCP No Malware Analysis Health monitoring and backup

PacketShaper 80/443 TCP No PacketShaper Health Monitoring (unencrypted/encrypted)

Reporter 8080/8082 TCP No Reporter Reporter API (unencrypted/encrypted)

Management Center 2025 TCP No Alternate Management Center appliance in a failover cluster. Used to transmit state and other pertinent information between primary and secondary Management Center appliances in a failover pair.

CA 8080/8082 TCP No Content Analysis Health Monitoring (unencrypted/encrypted)

SSL Visibility 443 TCP No SSL Visibility Health monitoring and configuration synch


Management Center 2.4 Required URLs

URL Protocol Port Description

199.19.250.195, 199.116.168.195 HTTPS/TCP 443 Web Security Service policy updates.

validation.es.bluecoat.com HTTPS/TCP 443 Validates the license every 5 minutes. After successful validation, validation occurs every hour.

bto-services.es.bluecoat.com HTTPS/TCP 443 Validates the license.

device-services.es.bluecoat.com HTTPS/TCP 443 License related.

services.es.bluecoat.com HTTPS/TCP 443 License related.

abrca.bluecoat.com HTTPS/TCP 443 Symantec CA.

appliance.bluecoat.com HTTPS/TCP 443 Trust package downloads.

subscription.es.bluecoat.com HTTPS/TCP 443 Subscription services.

upload.bluecoat.com HTTPS/TCP 443 Upload diagnostic reports to Symantec support.

sgapi.es.bluecoat.com HTTPS/TCP 443 Universal VPM policy.


Management Center 2.3 Inbound Connections

Service Port Protocol Configurable? Source Description

Web UI 8080, 8082 TCP No User's client Management Center web console.*

CLI 22 TCP No User's client Management Center CLI shell access

Web API 8082 TCP No User's client Management Center API via HTTPS

SSL 8082 TCP No User's client Management Center API


Statistics Collector 9009 TCP No Blue Coat ProxySG appliance/Advanced Secure Gateway/SSL Visibility ProxySG appliance Performance Statistics data sent by monitoring assets via HTTP.*

Statistics Collector 9010 TCP No Blue Coat ProxySG appliance/Advanced Secure Gateway/SSL Visibility Performance Statistics data sent by monitoring assets via HTTPS.*

Management Center Failover 2025 TCP No Alternate Management Center appliance in a failover cluster. Used to transmit state and other pertinent information between primary and secondary Management Center appliances in a failover pair.


Management Center 2.3 Outbound Connections

Service Port Protocol Configurable? Destination Function

LDAP, LDAPS 10389, 389, 636 TCP Yes LDAP server Authentication

Active Directory 10389, 389, 636 TCP Yes Active Directory server Authentication

RADIUS 1812 UDP/TCP Yes RADIUS server Authentication

RADIUS 1813 UDP/TCP Yes RADIUS server Accounting

SMTP 25 TCP Yes SMTP server SMTP alerts

SNMP Trap 162 UDP Yes Trap receiver SNMP traps

HTTP Proxy 8080 TCP Yes HTTP Proxy Updates

NTP 123 UDP/TCP No NTP server list Time sync to customer-configured NTP time server

HTTP 80 TCP No Symantec https://support.symantec.com License activation, the latest release information and documentation


HTTPS 443 TCP No Symantec https://support.symantec.com License activation, Web Application Protection (WAP) subscription, the latest release information and documentation

DNS 53 UDP/TCP No DNS server FQDN lookups

ProxySG/ASG 22 TCP No ProxySG appliance/Advanced Secure Gateway ProxySG appliance monitoring and management

ProxySG/ASG 8082 TCP No ProxySG appliance/Advanced Secure Gateway System image upload

SSH access to managed devices 22 TCP No All managed devices Device scripts support for appliances with SSH access, CLI shell.

SCP access to external servers 22 TCP No All managed devices and other hosts Management Center exports data to Importing and exporting data—Management Center and device backups, diagnostics, PCAP transfer

MA 443 TCP No Malware Analysis Health monitoring and backup

PacketShaper 80/443 TCP No PacketShaper Health Monitoring (unencrypted/encrypted)

Reporter 8080/8082 TCP No Reporter Reporter API (unencrypted/encrypted)

Management Center 2025 TCP No Alternate Management Center appliance in a failover cluster. Used to transmit state and other pertinent information between primary and secondary Management Center appliances in a failover pair.

CA 8080/8082 TCP No Content Analysis Health Monitoring (unencrypted/encrypted)

SSL Visibility 443 TCP No SSL Visibility Health monitoring and configuration synch


Management Center 2.3 Required URLs

URL Protocol Port Description

199.19.250.195, 199.116.168.195 HTTPS/TCP 443 Web Security Service policy updates.

validation.es.bluecoat.com HTTPS/TCP 443 Validates the license every 5 minutes. After successful validation, validation occurs every hour.

bto-services.es.bluecoat.com HTTPS/TCP 443 Validates the license.

device-services.es.bluecoat.com HTTPS/TCP 443 License related.

services.es.bluecoat.com HTTPS/TCP 443 License related.

abrca.bluecoat.com HTTPS/TCP 443 Symantec CA.

appliance.bluecoat.com HTTPS/TCP 443 Trust package downloads.

subscription.es.bluecoat.com HTTPS/TCP 443 Subscription services.

upload.bluecoat.com HTTPS/TCP 443 Upload diagnostic reports to Symantec support.

sgapi.es.bluecoat.com HTTPS/TCP 443 Universal VPM policy.


Management Center 2.2 Inbound Connections

Service Port Protocol Configurable? Source Description

SSL 8080, 8082 TCP No User's client Management Center web console.*

SSH 22 TCP No User's client Management Center CLI

SSL 8082 TCP No User's client Management Center API

ProxySG 9009 TCP No ProxySG appliance ProxySG appliance Performance Statistics.*


ProxySG 9010 TCP No ProxySG appliance Monitored assets that support statistics export—ProxySG and SSL Visibility appliances.*

Management Center Failover 2025 TCP No Alternate Management Center appliance in a failover cluster. Used to transmit state and other pertinent information between primary and secondary Management Center appliances in a failover pair.


Management Center 2.2 Outbound Connections

Service Port Protocol Configurable? Destination Function

LDAP, LDAPS 10389, 389, 636 TCP Yes LDAP server Authentication

Active Directory 10389, 389, 636 TCP Yes Active Directory server Authentication

RADIUS 1812 UDP/TCP Yes RADIUS server Authentication

RADIUS 1813 UDP/TCP Yes RADIUS server Accounting

SMTP 25 TCP Yes SMTP server SMTP alerts

SNMP Trap 162 UDP Yes Trap receiver SNMP traps

HTTP Proxy 8080 TCP Yes HTTP Proxy Updates

NTP 123 UDP/TCP No NTP server list Time sync to customer-configured NTP time server

HTTP 80 TCP No Symantec https://support.symantec.com License activation, the latest release information and documentation


HTTPS 443 TCP No Symantec https://support.symantec.com License activation, Web Application Protection (WAP) subscription, the latest release information and documentation

DNS 53 UDP/TCP No DNS server FQDN lookups

MA 443 TCP No Malware Analysis Health monitoring and backup

PacketShaper 80/443 TCP No PacketShaper Health Monitoring (unencrypted/encrypted)

Reporter 8080/8082 TCP No Reporter Reporter API (unencrypted/encrypted)

ProxySG 22 TCP No ProxySG appliance ProxySG appliance monitoring and management

Management Center 2025 TCP No Alternate Management Center appliance in a failover cluster. Used to transmit state and other pertinent information between primary and secondary Management Center appliances in a failover pair.

VPM 8082 TCP No ProxySG appliance Visual Policy Manager

CA 8080/8082 TCP No Content Analysis Health Monitoring (unencrypted/encrypted)

SSL Visibility 443 TCP No SSL Visibility Health monitoring and configuration synch


Management Center 2.2 Required URLs

URL Protocol Port Description

199.19.250.195, 199.116.168.195 HTTPS/TCP 443 Web Security Service policy updates.

validation.es.bluecoat.com HTTPS/TCP 443 Validates the license every 5 minutes. After successful validation, validation occurs every hour.


bto-services.es.bluecoat.com HTTPS/TCP 443 Validates the license.

device-services.es.bluecoat.com HTTPS/TCP 443 License related.

services.es.bluecoat.com HTTPS/TCP 443 License related.

abrca.bluecoat.com HTTPS/TCP 443 Symantec CA.

appliance.bluecoat.com HTTPS/TCP 443 Trust package downloads.

subscription.es.bluecoat.com HTTPS/TCP 443 Subscription services.

upload.bluecoat.com HTTPS/TCP 443 Upload diagnostic reports to Symantec support.

sgapi.es.bluecoat.com HTTPS/TCP 443 Universal VPM policy.


Management Center 2.1 Inbound Connections

Service Port Protocol Configurable? Source Description

SSL 8080, 8082 TCP No User's client Management Center web console.*

SSH 22 TCP No User's client Management Center CLI

SSL 8082 TCP No User's client Management Center API

ProxySG 9009 TCP No ProxySG appliance ProxySG appliance Performance Statistics.*

ProxySG 9010 TCP No ProxySG appliance Monitored assets that support statistics export—ProxySG and SSL Visibility appliances.*


Management Center Failover 2025 TCP No Alternate Management Center appliance in a failover cluster. Used to transmit state and other pertinent information between primary and secondary Management Center appliances in a failover pair.


Management Center 2.1 Outbound Connections

Service Port Protocol Configurable? Destination Function

LDAP, LDAPS 10389, 389, 636 TCP Yes LDAP server Authentication

Active Directory 10389, 389, 636 TCP Yes Active Directory server Authentication

RADIUS 1812 UDP/TCP Yes RADIUS server Authentication

RADIUS 1813 UDP/TCP Yes RADIUS server Accounting

SMTP 25 TCP Yes SMTP server SMTP alerts

SNMP Trap 162 UDP Yes Trap receiver SNMP traps

HTTP Proxy 8080 TCP Yes HTTP Proxy Updates

NTP 123 UDP/TCP No NTP server list Time sync to customer-configured NTP time server

HTTP 80 TCP No Symantec https://support.symantec.com License activation, the latest release information and documentation

HTTPS 443 TCP No Symantec https://support.symantec.com License activation, Web Application Protection (WAP) subscription, the latest release information and documentation

DNS 53 UDP/TCP No DNS server FQDN lookups


MA 443 TCP No Malware Analysis Health monitoring and backup

PacketShaper 80/443 TCP No PacketShaper Health Monitoring (unencrypted/encrypted)

Reporter 8080/8082 TCP No Reporter Reporter API (unencrypted/encrypted)

ProxySG 22 TCP No ProxySG appliance ProxySG appliance monitoring and management

Management Center 2025 TCP No Alternate Management Center appliance in a failover cluster. Used to transmit state and other pertinent information between primary and secondary Management Center appliances in a failover pair.

VPM 8082 TCP No ProxySG appliance Visual Policy Manager

CA 8080/8082 TCP No Content Analysis Health Monitoring (unencrypted/encrypted)

SSL Visibility 443 TCP No SSL Visibility Health monitoring and configuration synch


Management Center 2.1 Required URLs

URL Protocol Port Description

199.19.250.195, 199.116.168.195 HTTPS/TCP 443 Web Security Service policy updates.

validation.es.bluecoat.com HTTPS/TCP 443 Validates the license every 5 minutes. After successful validation, validation occurs every hour.

bto-services.es.bluecoat.com HTTPS/TCP 443 Validates the license.

device-services.es.bluecoat.com HTTPS/TCP 443 License related.

services.es.bluecoat.com HTTPS/TCP 443 License related.


abrca.bluecoat.com HTTPS/TCP 443 Symantec CA.

appliance.bluecoat.com HTTPS/TCP 443 Trust package downloads.

subscription.es.bluecoat.com HTTPS/TCP 443 Subscription services.

upload.bluecoat.com HTTPS/TCP 443 Upload diagnostic reports to Symantec support.

sgapi.es.bluecoat.com HTTPS/TCP 443 Universal VPM policy.


Management Center 2.0 Inbound Connections

Service Port Protocol Configurable? Source Description

SSL 8080, 8082 TCP No User's client Management Center web console.*

SSH 22 TCP No User's client Management Center CLI

SSL 8082 TCP No User's client Management Center API

ProxySG 9009 TCP No ProxySG appliance ProxySG appliance Performance Statistics.*

ProxySG 9010 TCP No ProxySG appliance Monitored assets that support statistics export—ProxySG and SSL Visibility appliances.*

Management Center Failover 2025 TCP No Alternate Management Center appliance in a failover cluster. Used to transmit state and other pertinent information between primary and secondary Management Center appliances in a failover pair.


Management Center 2.0 Outbound Connections

Service Port Protocol Configurable? Destination Function

LDAP, LDAPS 10389, 389, 636 TCP Yes LDAP server Authentication

Active Directory 10389, 389, 636 TCP Yes Active Directory server Authentication

RADIUS 1812 UDP/TCP Yes RADIUS server Authentication

RADIUS 1813 UDP/TCP Yes RADIUS server Accounting

SMTP 25 TCP Yes SMTP server SMTP alerts

SNMP Trap 162 UDP Yes Trap receiver SNMP traps

HTTP Proxy 8080 TCP Yes HTTP Proxy Updates

NTP 123 UDP/TCP No NTP server list Time sync to customer-configured NTP time server

HTTP 80 TCP No Symantec https://support.symantec.com License activation, the latest release information and documentation

HTTPS 443 TCP No Symantec https://support.symantec.com License activation, Web Application Protection (WAP) subscription, the latest release information and documentation

DNS 53 UDP/TCP No DNS server FQDN lookups

MA 443 TCP No Malware Analysis Health monitoring and backup

PacketShaper 80/443 TCP No PacketShaper Health Monitoring (unencrypted/encrypted)

Reporter 8080/8082 TCP No Reporter Reporter API (unencrypted/encrypted)

ProxySG 22 TCP No ProxySG appliance ProxySG appliance monitoring and management

Management Center 2025 TCP No Alternate Management Center appliance in a failover cluster. Used to transmit state and other pertinent information between primary and secondary Management Center appliances in a failover pair.

VPM 8082 TCP No ProxySG appliance Visual Policy Manager


CA 8080/8082 TCP No ContentAnalysis

Health Monitoring(unencrypted/encrypted)

SSL Visibility 443 TCP No SSL Visibility Health monitoring and configurationsynch


Management Center 2.0 Required URLs

| URL | Protocol | Port | Function |
| --- | --- | --- | --- |
| 199.19.250.195, 199.116.168.195 | HTTPS/TCP | 443 | Web Security Service policy updates. |
| validation.es.bluecoat.com | HTTPS/TCP | 443 | Validates the license every 5 minutes. After successful validation, validation occurs every hour. |
| bto-services.es.bluecoat.com | HTTPS/TCP | 443 | Validates the license. |
| device-services.es.bluecoat.com | HTTPS/TCP | 443 | License related. |
| services.es.bluecoat.com | HTTPS/TCP | 443 | License related. |
| abrca.bluecoat.com | HTTPS/TCP | 443 | Symantec CA. |
| appliance.bluecoat.com | HTTPS/TCP | 443 | Trust package downloads. |
| subscription.es.bluecoat.com | HTTPS/TCP | 443 | Subscription services. |
| upload.bluecoat.com | HTTPS/TCP | 443 | Upload diagnostic reports to Symantec support. |
| sgapi.es.bluecoat.com | HTTPS/TCP | 443 | Universal VPM policy. |


PacketShaper S-Series

PacketShaper S-series 11.10 Inbound Connections

| Service | Port | Protocol | Configurable? | Source | Description |
| --- | --- | --- | --- | --- | --- |
| HTTP | 80 | TCP | no | user's client | Web service for PacketShaper Sky and Advanced UI |
| HTTPS | 443 | TCP | no | user's client | Secure web service for PacketShaper Sky and Advanced UI |
| NTP | 123 | UDP | yes | time server | Synchronize with time servers |
| Secure Shell (SSH) | 22 | TCP | no | user's client | Securely manage and configure PacketShaper with a command line interface. |
| SNMP | 161 | UDP | no | SNMP analysis tools | Listen for queries from remote SNMP analysis tools (if SNMP is enabled). |
| Standby | 2014 | TCP | no | standby partner | Standby partner communication |


PacketShaper S-series 11.10 Outbound Connections

| Service | Port | Protocol | Configurable? | Destination | Description |
| --- | --- | --- | --- | --- | --- |
| BCAAA | 16101 | TCP | yes | BCAAA server on Active Directory | Look up user names and groups on Symantec Authentication and Authorization Agent server. |
| DNS | 53 | TCP/UDP | no | DNS server | Perform domain name resolution for URLs in data sent to PacketShaper for scanning, and to resolve Internet addresses the appliance connects to. |
| FDR | 9800 | UDP | yes | FDR collector | Send flow detail records to FDR collector |
| Web Proxy | user defined | | yes | Web proxy server | All PacketShaper features that access external servers on the Internet will go through the proxy server. This server handles WebPulse requests, category map downloads, heartbeat emissions, support status updates, and image updates. |
| PolicyCenter | user defined | TCP | yes | PolicyCenter appliance | Share configuration with PolicyCenter appliance. |
| RADIUS Authentication | 1812 | TCP/UDP | yes | RADIUS authentication server | Communicate with RADIUS servers to authenticate PacketShaper administrators |
| RADIUS Accounting | 1813 | TCP/UDP | yes | RADIUS accounting server | Communicate with RADIUS accounting servers to have an audit trail for user logins. |
| SMTP | 25 | TCP | yes | Mail server | Send email notifications. |
| SNMP | 162 | UDP | yes (SNMPv3) | Trap receiver | Send SNMP traps. |
| Syslog | 514 | UDP | yes | Syslog server | Report appliance health and statistical data to a syslog server. |
| TACACS | 49 | TCP/UDP | yes | TACACS+ server | Communicate with TACACS+ servers to authenticate PacketShaper administrators and/or produce an audit trail for user logins. |


PacketShaper S-series 11.10 Required URLs

| URL | Protocol | Port | Function |
| --- | --- | --- | --- |
| bto.bluecoat.com | https/TCP | 443 | Support links to software, support cases and documentation |
| subscription.es.bluecoat.com | https/TCP | 443 | Symantec licensing |
| sp.cwfservice.net | https/TCP | 443 | WebPulse update server |
| sitereview.bluecoat.com | https/TCP | 443 | WebPulse map update server |
| hb.bluecoat.com | https/TCP | 443 | Symantec heartbeat server |
| cda.bluecoat.com | https/TCP | 443 | Traffic information reporting server |
| updates.bluecoat.com | https/TCP | 443 | Support update server |
| time.nist.gov* | UDP | 123 | NTP server (primary) |
| time-a.nist.gov* | UDP | 123 | NTP server (secondary) |


PacketShaper S-series 11.9 Inbound Connections

| Service | Port | Protocol | Configurable? | Source | Description |
| --- | --- | --- | --- | --- | --- |
| HTTP | 80 | TCP | no | user's client | Web service for PacketShaper Sky and Advanced UI |
| HTTPS | 443 | TCP | no | user's client | Secure web service for PacketShaper Sky and Advanced UI |
| NTP | 123 | UDP | yes | time server | Synchronize with time servers |
| Secure Shell (SSH) | 22 | TCP | no | user's client | Securely manage and configure PacketShaper with a command line interface. |
| SNMP | 161 | UDP | no | SNMP analysis tools | Listen for queries from remote SNMP analysis tools (if SNMP is enabled). |
| Standby | 2014 | TCP | no | standby partner | Standby partner communication |


PacketShaper S-series 11.9 Outbound Connections

| Service | Port | Protocol | Configurable? | Destination | Description |
| --- | --- | --- | --- | --- | --- |
| BCAAA | 16101 | TCP | yes | BCAAA server on Active Directory | Look up user names and groups on Symantec Authentication and Authorization Agent server. |
| DNS | 53 | TCP/UDP | no | DNS server | Perform domain name resolution for URLs in data sent to PacketShaper for scanning, and to resolve Internet addresses the appliance connects to. |
| FDR | 9800 | UDP | yes | FDR collector | Send flow detail records to FDR collector |
| Web Proxy | user defined | | yes | Web proxy server | All PacketShaper features that access external servers on the Internet will go through the proxy server. This server handles WebPulse requests, category map downloads, heartbeat emissions, support status updates, and image updates. |
| PolicyCenter | user defined | TCP | yes | PolicyCenter appliance | Share configuration with PolicyCenter appliance. |
| RADIUS Authentication | 1812 | TCP/UDP | yes | RADIUS authentication server | Communicate with RADIUS servers to authenticate PacketShaper administrators |
| RADIUS Accounting | 1813 | TCP/UDP | yes | RADIUS accounting server | Communicate with RADIUS accounting servers to have an audit trail for user logins. |
| SMTP | 25 | TCP | yes | Mail server | Send email notifications. |
| SNMP | 162 | UDP | yes (SNMPv3) | Trap receiver | Send SNMP traps. |
| Syslog | 514 | UDP | yes | Syslog server | Report appliance health and statistical data to a syslog server. |
| TACACS | 49 | TCP/UDP | yes | TACACS+ server | Communicate with TACACS+ servers to authenticate PacketShaper administrators and/or produce an audit trail for user logins. |


PacketShaper S-series 11.9 Required URLs

| URL | Protocol | Port | Function |
| --- | --- | --- | --- |
| bto.bluecoat.com | https/TCP | 443 | Support links to software, support cases and documentation |
| subscription.es.bluecoat.com | https/TCP | 443 | Symantec licensing |
| sp.cwfservice.net | https/TCP | 443 | WebPulse update server |
| sitereview.bluecoat.com | https/TCP | 443 | WebPulse map update server |
| hb.bluecoat.com | https/TCP | 443 | Symantec heartbeat server |
| cda.bluecoat.com | https/TCP | 443 | Traffic information reporting server |
| updates.bluecoat.com | https/TCP | 443 | Support update server |
| time.nist.gov* | UDP | 123 | NTP server (primary) |
| time-a.nist.gov* | UDP | 123 | NTP server (secondary) |


PacketShaper S-series 11.6 Inbound Connections

| Service | Port | Protocol | Configurable? | Source | Description |
| --- | --- | --- | --- | --- | --- |
| Secure Shell (SSH) | 22 | TCP | no | user's client | Securely manage and configure PacketShaper with a command line interface. |
| HTTP | 80 | TCP | no | user's client | Web service for PacketShaper Sky and Advanced UI |
| HTTPS | 443 | TCP | no | user's client | Secure web service for PacketShaper Sky and Advanced UI |
| NTP | 123 | UDP | yes | time server | Synchronize with time servers |
| SNMP | 161 | UDP | no | SNMP analysis tools | Listen for queries from remote SNMP analysis tools (if SNMP is enabled). |
| Standby | 2014 | TCP | no | standby partner | Standby partner communication |


PacketShaper S-series 11.6 Outbound Connections

| Service | Port | Protocol | Configurable? | Destination | Description |
| --- | --- | --- | --- | --- | --- |
| SMTP | 25 | TCP | yes | Mail server | Send email notifications. |
| SNMP | 162 | UDP | yes (SNMPv3) | Trap receiver | Send SNMP traps. |
| FDR | 9800 | UDP | yes | FDR collector | Send flow detail records to FDR collector |
| BCAAA | 16101 | TCP | yes | BCAAA server on Active Directory | Look up user names and groups on Symantec Authentication and Authorization Agent server. |
| DNS | 53 | TCP/UDP | no | DNS server | Perform domain name resolution for URLs in data sent to PacketShaper for scanning, and to resolve Internet addresses the appliance connects to. |
| PolicyCenter | user defined | TCP | yes | PolicyCenter appliance | Share configuration with PolicyCenter appliance. |


PacketShaper S-series 11.6 Required URLs

| URL | Protocol | Port | Function |
| --- | --- | --- | --- |
| bto.bluecoat.com | https/TCP | 443 | Support links to software, support cases and documentation |
| subscription.es.bluecoat.com | https/TCP | 443 | Symantec licensing |
| sp.cwfservice.net | https/TCP | 443 | WebPulse update server |
| sitereview.bluecoat.com | https/TCP | 443 | WebPulse map update server |
| hb.bluecoat.com | https/TCP | 443 | Symantec heartbeat server |
| cda.bluecoat.com | https/TCP | 443 | Traffic information reporting server |
| updates.bluecoat.com | https/TCP | 443 | Support update server |
| time.nist.gov* | UDP | 123 | NTP server (primary) |
| time-a.nist.gov* | UDP | 123 | NTP server (secondary) |


PacketShaper (Legacy)

PacketShaper 9.2 Port Usage

| Service | Port | Protocol | Configurable? | Source | Description |
| --- | --- | --- | --- | --- | --- |
| LDAP | 389 | TCP | - | LDAP server | Authentication |
| LDAPS | 636 | TCP | - | LDAP server | Authentication |
| HTTP | 80 | TCP | - | user's client | Web service for PacketShaper Sky and Advanced UI |
| HTTPS | 443 | TCP | - | user's client | Secure web service for PacketShaper Sky and Advanced UI |
| Secure Shell (SSH) | 22 | TCP | - | user's client | Securely manage and configure PacketShaper with a command line interface |
| HTTPS Web Service | 3333 | TCP | - | - | Internal proxy port used by HTTPS web service |
| HTTPS Web Service | 3334 | TCP | - | - | Internal proxy port used by HTTPS web service for customer portal |
| SNMP | 161 | UDP | - | SNMP analysis tools | Listen for queries from remote SNMP analysis tools (if SNMP is enabled) |
| SNMP Traps | 162 | UDP | - | SNMP traps | SNMP traps (PacketShaper uses this as destination port for sending traps; not applicable to PolicyCenter) |


PolicyCenter S-Series

PolicyCenter S-Series 1.1 Port Usage

| Service | Port | Protocol | Configurable? | Source | Description |
| --- | --- | --- | --- | --- | --- |
| LDAP | 389 | TCP | - | LDAP server | Authentication |
| LDAPS | 636 | TCP | - | LDAP server | Authentication |
| HTTP | 80 | TCP | - | user's client | Web service for PacketShaper Sky and Advanced UI |
| HTTPS | 443 | TCP | - | user's client | Secure web service for PacketShaper Sky and Advanced UI |
| Secure Shell (SSH) | 22 | TCP | - | user's client | Securely manage and configure PacketShaper with a command line interface |
| HTTPS Web Service | 3333 | TCP | - | - | Internal proxy port used by HTTPS web service |
| HTTPS Web Service | 3334 | TCP | - | - | Internal proxy port used by HTTPS web service for customer portal |
| SNMP | 161 | UDP | - | SNMP analysis tools | Listen for queries from remote SNMP analysis tools (if SNMP is enabled) |
| SNMP Traps | 162 | UDP | - | SNMP traps | SNMP traps (PacketShaper uses this as destination port for sending traps; not applicable to PolicyCenter) |


ProxySG

ProxySG (All Versions) Inbound Connections

| Service | Port | Protocol | Configurable? | Source | Description |
| --- | --- | --- | --- | --- | --- |
| Client Manager | 8084 | TCP | Yes | Symantec Unified Agent, ProxyClient | Unified Agent/ProxyClient configuration check |
| HTTPS Management Console | 8082 | TCP | Yes | Client browser | Secured ProxySG web interface (Proxy tab in Advanced Secure Gateway) |
| HTTP Management Console | 8081 | TCP | Yes | Client browser | Non-secured ProxySG web interface (Proxy tab in Advanced Secure Gateway) |
| RIP | 520 | UDP | No | Local server hosting RIP file | Routing Information Protocols (RIP) |
| SSH | 520 | TCP | No | SSH client | SSH management of the appliance |
| SNMP | 22 | UDP | Yes | SNMP | Listen for queries from remote SNMP analysis tools (if SNMP is enabled) |


ProxySG Appliance (All Versions) Outbound Connections

| Service | Port | Protocol | Configurable? | Destination | Description |
| --- | --- | --- | --- | --- | --- |
| Appliance certificate | 444 | TCP | No | Symantec certificate server | Certificate updates |
| BCAAA authentication with COREid, IWA, SiteMinder, and XML realms | 16101 | TCP | Yes | Authentication server | Authentication- and authorization-related queries to the configured server |
| DNS | 53 | TCP/UDP | No | DNS server | Port used by your DNS servers |
| Diagnostics | 443 | TCP | No | Symantec server | Heartbeats, Sysinfo uploads |
| Email notifications | 25 | TCP | No | SMTP server | Email notifications |
| HTTP | 80 | TCP | No | Internet | Regular HTTP access to internet |
| ICAP (Plain) | 1344 | TCP | Yes | Symantec Content Analysis or other ICAP service | Forwarding requests for content scanning (Not applicable to Advanced Secure Gateway) |
| ICAP (Secure) | 1344 | TCP | Yes | Symantec Content Analysis or other ICAP service | Forwarding requests for content scanning (Not applicable to Advanced Secure Gateway) |
| IWA-BCAAA | 16101 | TCP | Yes | IWA Server | Authentication with IWA authentication services |
| IWA-Kerberos authentication | 88 | TCP/UDP | Yes | IWA Server | Kerberos for IWA Direct authentication |
| LDAP | 389 | TCP | Yes | IWA Server | LDAP for IWA Direct authentication |
| Log client (custom) | 69 | TCP | Yes | Custom log server | Sending access logs to configured server |
| Log client (FTP, plain and secure) | 21 | TCP | Yes | FTP/S log server | Sending access logs to configured server |
| Log client (Kafka) | 9092 | TCP | Yes | Kafka broker | Sending access logs to configured Kafka broker cluster |
| Log client (Symantec Reporter client) | 9081 | TCP | Yes | Reporter | Deprecated log streaming to Reporter version 9 |
| Log client (SCP) | 22 | TCP | Yes | SCP log server | Sending access logs to configured server |
| Symantec Management Center, Symantec Director | 22 | TCP | No | Management Center, Director | Management Center and Director registration (Not applicable to Advanced Secure Gateway) |
| Monitoring statistics to Management Center (plain) | 9009 | TCP | No | Management Center | Export of monitoring statistics to Management Center |
| Monitoring statistics to Management Center (secure) | 9010 | TCP | No | Management Center | Export of monitoring statistics to Management Center |
| Novell SSO | 389 | TCP | Yes | Novell server | Novell authentication |
| NTP | 123 | UDP | Yes | NTP server | Periodic time update from default or configured NTP servers |
| RADIUS | 1812 | TCP | Yes | RADIUS server | RADIUS authentication |
| SMB | 139, 445 | TCP | Yes | IWA server | CIFS services in transparent deployments |
| SOCKS | 1080 | TCP/UDP | No | SOCKS server | Forwarding traffic to SOCKS proxy |
| Syslog | 514 | UDP | No | Syslog server | Syslog uploads to remote server |
| WCCP | 2048 | UDP | No | WCCP-compliant router or switch | Traffic redirection from router to the appliance in out-of-path deployments |


ProxySG Appliance (All Versions) Inbound/Outbound Connections

| Service | Port | Protocol | Configurable? | Source | Description |
| --- | --- | --- | --- | --- | --- |
| ADN data tunnel (plain) | 3035 | TCP | Yes | ProxySG appliance | Connection to ADN manager for updates (Not applicable to Advanced Secure Gateway) |
| ADN data tunnel (secure) | 3037 | TCP | Yes | ProxySG appliance | Connection to ADN manager for updates (Not applicable to Advanced Secure Gateway) |
| ADN management (plain) | 3034 | TCP | Yes | ProxySG appliance | Explicit connections between two ProxySG peers (Not applicable to Advanced Secure Gateway) |
| ADN management (secure) | 3034 | TCP | Yes | ProxySG appliance | Explicit connections between two ProxySG peers (Not applicable to Advanced Secure Gateway) |
| ADN connection forwarding | 3030 | TCP | Yes | ProxySG appliance | Load balancing and asymmetric routing (Not applicable to Advanced Secure Gateway) |
| Flash media | 1935 | TCP/UDP | No | Origin content server | Streaming Flash and RTMP |
| Real Media | 554 | UDP | No | Origin content server | Streaming Real Media (RTSP) |
| SafeNet Java HSM | 8443 | TCP | Yes | SafeNet Java HSM | Communication with SafeNet Java HSM |
| Windows Media | 1755 | UDP | No | Origin content server | Streaming Windows Media (MMS) |


ProxySG Appliance (All Versions) Required URLs

| Service | URL | Protocol | Port | Function |
| --- | --- | --- | --- | --- |
| Symantec license and validation | *.es.bluecoat.com | HTTPS/TCP | 443 | License and validation services, subscription database downloads, database differential updates |
| Symantec certificate authority | abrca.bluecoat.com | HTTPS/TCP | 443 | Symantec CA |
| Trust package downloads | appliance.bluecoat.com | HTTPS/TCP | 443 | - |
| Time zone database downloads | download.bluecoat.com | HTTP/TCP | 80 | - |
| Appliance heartbeat information to Symantec | hb.bluecoat.com | HTTPS/TCP | 443 | - |
| WebFilter, IWF, Optenet, and Proventia database downloads | list.bluecoat.com | HTTPS/TCP | 443 | - |
| Web Security Service registration | portal.threatpulse.com | HTTPS/TCP | 443 | - |
| License administration | services.bluecoat.com | HTTPS/TCP | 443 | - |


ProxySG Appliance (All Versions) IP Addresses

Service IP Address Description

av-download.bluecoat.com 8.28.16.208

103.246.38.208

199.19.249.208

199.116.169.248

Antivirus pattern updates from Symantec Content Analysis (Not applicable to Advanced Secure Gateway)

contentanalysis-ma.es.bluecoat.com

199.116.169.239 Malware reporting from Content Analysis

device-services.es.bluecoat.com

192.19.237.100 Appliance license management


download.bluecoat.com 199.91.133.16

192.19.237.102

Time zone database downloads

list.bluecoat.com 8.28.16.206

103.246.38.206

199.19.249.206

199.116.169.246

Only one IP address is returned when there is a DNS query. If the IP address fails to respond, one of the other active addresses is returned.

Symantec WebFilter, IWF, Optenet, and Proventia database downloads

securitylabs.es.bluecoat.com 8.28.16.7 Security intelligence

subscription.es.bluecoat.com 8.28.16.243 Subscription-based services management


webpulse.es.bluecoat.com 199.19.249.201

199.19.249.203

199.116.169.244

199.116.169.245

8.28.16.201

8.28.16.203

103.246.38.201

103.246.38.203

103.246.39.212

103.246.39.213

103.246.36.212

103.246.36.213

54.233.145.171

54.207.85.173

123.103.64.94*

123.103.64.95*

197.96.129.181

197.96.129.182

199.116.173.201

199.116.173.203

199.116.173.215

180.179.142.109

13.114.137.119

52.64.80.74

13.114.129.165

13.54.6.129

Symantec Global Intelligence Network


180.179.142.110

8.28.16.202

46.235.158.215

52.65.118.140

54.64.46.133

54.207.87.150

103.246.38.202

180.179.142.115

185.2.196.215

199.19.249.211

199.116.169.242

199.116.173.215

* These addresses are returned only when the request originates in China.


Reporter

Reporter 10.5 Inbound Connections

| Service | Port(s) | Protocol | Configurable | Destination | Description |
| --- | --- | --- | --- | --- | --- |
| Web UI/API | 8081 | TCP | Yes | Admin | HTTP UI access - redirects to HTTPS |
| Web UI/API SSL | 8082 | TCP | No | Admin | HTTPS UI access (encrypted) |
| FTP | 21 | TCP | Yes | Local /accesslogs directory | Non-secure access logs file uploads/downloads/inspection |
| FTPS | 990 | TCP | Yes | Local /accesslogs directory | Secure access logs file uploads/downloads/inspection |
| SCP | 2024 | TCP | No | Local /accesslogs directory | Secure access log file uploads |
| SNMP | 161 | TCP | Yes | Admin | SNMP communication |


Reporter 10.5 Outbound Connections

| Service | Port(s) | Protocol | Configurable | Destination | Description |
| --- | --- | --- | --- | --- | --- |
| LDAP | 389 | TCP | Yes | LDAP server | User authentication |
| LDAPS | 636 | TCP | Yes | LDAP server (encrypted) | User authentication |
| SMTP | 25 | TCP | No | SMTP server | Emails, reports, and event notifications |
| HTTPS | 443 | TCP | No | Symantec | Licensing and updates for products, subscriptions, etc. |
| DNS | 53 | UDP/TCP | No | Domain name server | Hostname resolution |
| FTP | 21 | TCP | Yes | FTP log file server | Access log file upload |
| NTP | 123 | UDP | No | Time server | Network time synching |
| SNMP trap | 162 | TCP | Yes | SNMP trap server | SNMP communication |
| syslog | 514 | UDP/TCP | Yes | syslog server(s) | Sending syslog messages to remote host (disabled by default) |
| Cloud log download | 443 | TCP | No | Symantec WSS | Request download of archived access logs from the Cloud Reporting service |


Reporter 10.5 Required URLs

| Service | URL | Protocol | Port | Function |
| --- | --- | --- | --- | --- |
| Blue Coat Support | support.symantec.com | HTTPS | 443 | Support links to software, support cases, and documentation. |
| Blue Coat Support | upload.bluecoat.com | HTTPS | 443 | A web form for submitting files to Symantec Support. |
| Time Zone | download.bluecoat.com | HTTP | 80 | Time zone database downloads. |
| Symantec Software Portal | esdhttp.flexnetoperations.com | HTTPS | 443 | Software portal. |
| Device Licensing | device-services.es.bluecoat.com | HTTPS | 443 | License related. |


Reporter 10.4 Inbound Connections

| Service | Port | Protocol | Configurable? | Source | Description |
| --- | --- | --- | --- | --- | --- |
| Web UI/API | 8082 | TCP | Yes | Admin | HTTP UI access (encrypted) |
| FTP | 21 | TCP | Yes | Local /accesslogs directory | Non-secure access logs file uploads/downloads/inspection |
| FTPS | 990 | TCP | Yes | Local /accesslogs directory | Secure access logs file uploads/downloads/inspection |
| SCP | 2024 | TCP | No | Local /accesslogs directory | Secure access log file uploads |
| SNMP | 161 | TCP | Yes | Admin | SNMP communication |
| CLI SSH | 22 | TCP | No | Admin | CLI management shell access |


Reporter 10.4 Outbound Connections

| Service | Port | Protocol | Configurable? | Destination | Description |
| --- | --- | --- | --- | --- | --- |
| LDAP | 389 | TCP | Yes | LDAP server | User authentication |
| LDAPS | 636 | TCP | Yes | LDAP server (encrypted) | User authentication |
| SMTP | 25 | TCP | No | SMTP server | Emails, reports, and event notifications |
| HTTPS | 443 | TCP | No | Symantec | Licensing and updates for products, subscriptions, etc. |
| DNS | 53 | UDP/TCP | No | Domain name server | Hostname resolution |
| FTP | 21 | TCP | Yes | FTP log file server | Access log file upload |
| NTP | 123 | UDP | No | Time server | Network time synching |
| SNMP trap | 162 | TCP | Yes | SNMP trap server | SNMP communication |
| syslog | 514 | UDP/TCP | Yes | syslog server(s) | Sending syslog messages to remote host (disabled by default) |
| Cloud log download | 443 | TCP | No | Symantec WSS | Request download of archived access logs from the Cloud Reporting service |


Reporter 10.4 Required URLs

| Service | URL | Protocol | Port | Function |
| --- | --- | --- | --- | --- |
| Blue Coat Support | support.symantec.com | HTTPS | 443 | Support links to software, support cases, and documentation. |
| Blue Coat Support | upload.bluecoat.com | HTTPS | 443 | A web form for submitting files to Symantec Support. |
| Time Zone | download.bluecoat.com | HTTP | 80 | Time zone database downloads. |
| Symantec Software Portal | esdhttp.flexnetoperations.com | HTTPS | 443 | Software portal. |
| Device Licensing | device-services.es.bluecoat.com | HTTPS | 443 | License related. |


Reporter 10.3 Inbound Connections

| Service | Port | Protocol | Configurable? | Source | Description |
| --- | --- | --- | --- | --- | --- |
| Web UI/API | 8081 | TCP | Yes | Admin | HTTP UI access - redirects to HTTPS |
| Web UI/API SSL | 8082 | TCP | No | Admin | HTTPS UI access (encrypted) |
| FTP | 21 | TCP | Yes | Local /accesslogs directory | Non-secure access logs file uploads/downloads/inspection |
| FTPS | 990 | TCP | Yes | Local /accesslogs directory | Secure access logs file uploads/downloads/inspection |
| SCP | 2024 | TCP | No | Local /accesslogs directory | Secure access log file uploads |
| SNMP | 161 | TCP | Yes | Admin | SNMP communication |
| CLI SSH | 22 | TCP | No | Admin | CLI management shell access |


Reporter 10.3 Outbound Connections

| Service | Port | Protocol | Configurable? | Destination | Description |
| --- | --- | --- | --- | --- | --- |
| LDAP | 389 | TCP | Yes | LDAP server | User authentication |
| LDAPS | 636 | TCP | Yes | LDAP server (encrypted) | User authentication |
| SMTP | 25 | TCP | No | SMTP server | Emails, reports, and event notifications |
| HTTPS | 443 | TCP | No | Symantec | Licensing and updates for products, subscriptions, etc. |
| DNS | 53 | UDP/TCP | No | Domain name server | Hostname resolution |
| FTP | 21 | TCP | Yes | FTP log file server | Access log file upload |
| NTP | 123 | UDP | No | Time server | Network time synching |
| SNMP trap | 162 | TCP | Yes | SNMP trap server | SNMP communication |
| syslog | 514 | UDP/TCP | Yes | syslog server(s) | Sending syslog messages to remote host (disabled by default) |
| Cloud log download | 443 | TCP | No | Symantec WSS | Request download of archived access logs from the Cloud Reporting service |


Reporter 10.2 Inbound Connections

| Service | Port | Protocol | Configurable? | Source | Description |
| --- | --- | --- | --- | --- | --- |
| Web UI/API | 8081 | TCP | Yes | Admin | HTTP UI access - redirects to HTTPS |
| Web UI/API SSL | 8082 | TCP | No | Admin | HTTPS UI access (encrypted) |
| FTP | 21 | TCP | Yes | Local /accesslogs directory | Non-secure access logs file uploads/downloads/inspection |
| FTPS | 990 | TCP | Yes | Local /accesslogs directory | Secure access logs file uploads/downloads/inspection |
| SCP | 2024 | TCP | No | Local /accesslogs directory | Secure access log file uploads |
| SNMP | 161 | TCP | Yes | Admin | SNMP communication |
| CLI SSH | 22 | TCP | No | Admin | CLI management shell access |


Reporter 10.2 Outbound Connections

| Service | Port | Protocol | Configurable? | Destination | Description |
| --- | --- | --- | --- | --- | --- |
| LDAP | 389 | TCP | Yes | LDAP server | User authentication |
| LDAPS | 636 | TCP | Yes | LDAP server (encrypted) | User authentication |
| SMTP | 25 | TCP | No | SMTP server | Emails, reports, and event notifications |
| HTTPS | 443 | TCP | No | Symantec | Licensing and updates for products, subscriptions, etc. |
| DNS | 53 | UDP/TCP | No | Domain name server | Hostname resolution |
| FTP | 21 | TCP | Yes | FTP log file server | Access log file upload |
| NTP | 123 | UDP | No | Time server | Network time synching |
| SNMP trap | 162 | TCP | Yes | SNMP trap server | SNMP communication |
| syslog | 514 | UDP/TCP | Yes | syslog server(s) | Sending syslog messages to remote host (disabled by default) |
| Cloud log download | 443 | TCP | No | Symantec WSS | Request download of archived access logs from the Cloud Reporting service |


Security Analytics

Security Analytics 8.0 Inbound Connections

| Service | Port | Protocol | URL | Source | Description |
| --- | --- | --- | --- | --- | --- |
| Central Management VPN | 1194 or as specified | TCP/UDP | bond0 of CMC | - | All sensors must be able to access the CMC's bond0 over port 1194. |
| FTP File Mover | 20, 21 | TCP/UDP | - | - | Use port 21 for active mode. If you are not using FTP File Mover, you should delete the internal firewall rules that permit ftp-data through port 20. |
| HTTP | 80 | TCP/UDP | - | - | All HTTP requests are automatically redirected to HTTPS. Symantec recommends that you delete the internal firewall rules that permit http through port 80. |
| HTTPS¹ | 443 | TCP/UDP | - | - | Change the default on Settings > Security. All CMCs and their sensors must use the same HTTPS port. |
| SSH¹ | 22 | TCP | - | - | The port can be changed on Settings > Security. |

¹ Service is always used by Security Analytics.


Security Analytics 8.0 Outbound Connections

Service Port Protocol URL Source Description

ActiveDirectory

3268 TCP/UDP [none] - ForLDAP authentication.

AdvancedThreatProtection(ATP) Manager3

443 TCP [as needed]

CentralManagementVPN

1194 oras

specified

TCP/UDP bond0 of CMC All sensors must be ableto access the CMC'sbond0 over port 1194.

ClamAV®1 80 TCP *.clamav.net Requires only HTTPaccess to update thesignature database.Analysis is performedlocally on the appliance.

Cuckoo 3 8090 TCP/UDP [as needed]

DeepSight1,3 443 TCP sso.trm.symantec.com

DNS 2 53 TCP/UDP [as needed]

Domain AgeReporter 1,4

[same asWHOIS]

TCP [same as WHOIS] The WHOIS settingsalso permit Domain AgeReporter traffic.

File Reputation Service 1,3 8443 TCP *.es.bluecoat.com 185.2.196.204 8.28.16.233 199.116.169.204 103.246.38.204 The URL for the File Reputation Service will usually be frs.es.bluecoat.com; Symantec recommends that you create a rule for all of the listed IP addresses. Future Engineering Services resources will also be provided from the *.es.bluecoat.com domain.

FireEye® 3 [as needed] [as needed] AX-series is supported.

Google Safe Browsing® 443 TCP sb-ssl.google.com Uses Internet connection from workstation.

Google® Search 443 TCP google.com Uses Internet connection from workstation.

HTTP 2 80 TCP/UDP [none] Change the default on Settings > Security.

HTTPS 2 443 TCP/UDP [none] Change the default on Settings > Security. All CMCs and their sensors must use the same HTTPS port.

Intelligence Services 1,3 — — See File Reputation Service and Web Reputation Service

ICAP 3 1344 TCP (plaintext) [as needed] Security Analytics does not support port 11344 for Content Analysis integration.

Lastline® 1,3 443 TCP analysis.lastline.com

LDAP authentication 389 TCP/UDP [none]

Live-feed indicators 80 443 TCP/UDP TCP rules.emergingthreats.net:80 mirror1.malwaredomains.com:80 *.abuse.ch:443 isc.sans.edu:443

Login Correlation Service 8843 TCP [none] This port is used to communicate between the LCS and the agent's UI application. The Security Analytics firewall has a rule to accept this traffic.

Malware Analysis 3 80 443 TCP/UDP [as needed]

MATI 443 TCP deepsightapi.symantec.com/v1

NTP 123 UDP [as needed]

OCSP requests 80 TCP ocsp.entrust.net Various Security Analytics services use OCSP for certificate-chain validation.

ProxySG 3 8845 TCP [proxy_sg]

RADIUS 1812 1813 UDP [as needed]

RobTex® 1 80 TCP robtex.com Uses Internet connection from workstation.

SANS ISC® 1 443 TCP isc.sans.edu Host and IP queries are transmitted over SSL.

SEP 8446 TCP [SEP Manager hostname/IP]

SMTP 25 TCP [as needed]

SNMP 161 162 TCP (polling) TCP/UDP (trap) [as needed]

SORBS DNSBL® 1 53 UDP dnsbl.sorbs.net

syslog 514 UDP [as needed]

ThreatExplorer 1,3 443 TCP threatexplorer.bluecoat.com Service must be enabled on Settings > Data Enrichment.

VirusTotal® 1,3 443 TCP www.virustotal.com

Web Reputation Service 1,3 443 TCP sp.cwfservice.net

Web Reputation Service local database updates 1,3 443 TCP list.bluecoat.com Used by the Web Reputation Service and ADM.

WHOIS 1,4 43 TCP [as needed] The WHOIS lookup service will query different WHOIS servers based on the registry associated with the top-level domain of the target. Consult this authoritative list of WHOIS servers.

1 Service requires internet access.
2 Service is always used by Security Analytics.
3 Licensing for this service is the responsibility of the user.
4 Service cannot be used behind a proxy.

Security Analytics 7.3 Inbound Connections

Service Port Protocol URL Source Description

Central Management VPN 1194 or as specified TCP/UDP eth0 of CMC - All sensors must be able to access the CMC's bond0 over port 1194.

FTP File Mover 20 21 TCP/UDP - - Use port 21 for active mode. If you are not using FTP File Mover, you should delete the internal firewall rules that permit ftp-data through port 20.

HTTP 80 TCP/UDP - - All HTTP requests are automatically redirected to HTTPS. Symantec recommends that you delete the internal firewall rules that permit http through port 80.

HTTPS 1 443 TCP/UDP - - Change the default on Settings > Security. All CMCs and their sensors must use the same HTTPS port.

SSH 1 22 TCP - - The port can be changed on Settings > Security.

1 Service is always used by Security Analytics.

Security Analytics 7.3 Outbound Connections

Service Port Protocol URL Source Description

Active Directory 3268 TCP/UDP [none] - For LDAP authentication.

Advanced Threat Protection (ATP) Manager 3 443 TCP [as needed]

Central Management VPN 1194 or as specified TCP/UDP bond0 of CMC All sensors must be able to access the CMC's eth0 over port 1194.

ClamAV® 1 80 TCP *.clamav.net Requires only HTTP access to update the signature database. Analysis is performed locally on the appliance.

Cuckoo 3 8090 TCP/UDP [as needed]

DeepSight 1,3 443 TCP sso.trm.symantec.com

DNS 2 53 TCP/UDP [as needed]

Domain Age Reporter 1,4 [same as WHOIS] TCP [same as WHOIS] The WHOIS settings also permit Domain Age Reporter traffic.

File Reputation Service 1,3 8443 TCP *.es.bluecoat.com 185.2.196.204 8.28.16.233 199.116.169.204 103.246.38.204 The URL for the File Reputation Service will usually be frs.es.bluecoat.com; Symantec recommends that you create a rule for all of the listed IP addresses. Future Engineering Services resources will also be provided from the *.es.bluecoat.com domain.

FireEye® 3 [as needed] [as needed] AX-series is supported.

Google Safe Browsing® 443 TCP sb-ssl.google.com Uses Internet connection from workstation.

Google® Search 443 TCP google.com Uses Internet connection from workstation.

HTTP 2 80 TCP/UDP [none] Change the default on Settings > Security.

HTTPS 2 443 TCP/UDP [none] Change the default on Settings > Security. All CMCs and their sensors must use the same HTTPS port.

Intelligence Services 1,3 — — See File Reputation Service and Web Reputation Service

ICAP 3 1344 TCP (plaintext) [as needed] Security Analytics does not support port 11344 for Content Analysis integration.

Lastline® 1,3 443 TCP analysis.lastline.com

LDAP authentication 389 TCP/UDP [none]

Live-feed indicators 80 443 TCP/UDP TCP rules.emergingthreats.net:80 mirror1.malwaredomains.com:80 *.abuse.ch:443 isc.sans.edu:443

Login Correlation Service 8843 TCP [none] This port is used to communicate between the LCS and the agent's UI application. The Security Analytics firewall has a rule to accept this traffic.

Malware Analysis 3 80 443 TCP/UDP [as needed]

NTP 123 UDP [as needed]

OCSP requests 80 TCP ocsp.entrust.net Various Security Analytics services use OCSP for certificate-chain validation.

RADIUS 1812 1813 UDP [as needed]

RobTex® 1 80 TCP robtex.com Uses Internet connection from workstation.

SANS ISC® 1 443 TCP isc.sans.edu Host and IP queries are transmitted over SSL.

SMTP 25 TCP [as needed]

SNMP 161 162 TCP (polling) TCP/UDP (trap) [as needed]

SORBS DNSBL® 1 53 UDP dnsbl.sorbs.net

syslog 514 UDP [as needed]

VirusTotal® 1,3 443 TCP www.virustotal.com

Web Reputation Service 1,3 443 TCP sp.cwfservice.net

Web Reputation Service local database updates 1,3 443 TCP list.bluecoat.com Used by the Web Reputation Service and ADM.

WHOIS 1,4 43 TCP [as needed] The WHOIS lookup service will query different WHOIS servers based on the registry associated with the top-level domain of the target. Consult this authoritative list of WHOIS servers.

1 Service requires internet access.
2 Service is always used by Security Analytics.
3 Licensing for this service is the responsibility of the user.
4 Service cannot be used behind a proxy.

Security Analytics 7.2 Inbound Connections

Service Port Protocol URL Source Description

Central Management 443 TCP/UDP - - CMCs cannot communicate with their sensors over alternate HTTPS ports.

Central Management VPN 1194 or as specified TCP/UDP 10.x.x.x/x - These defaults can be changed on the CMC.

FTP File Mover 20 21 TCP/UDP - - Use port 21 for active mode.

HTTP 80 TCP/UDP - - Change the default on Settings > Security. (Do not change if your appliance is or is being managed by a CMC.)

HTTPS 1 443 TCP/UDP - - Change the default on Settings > Security. (Do not change if your appliance is or is being managed by a CMC.)

SSH 1 22 TCP - - The port can be changed on Settings > Security.

1 Service is always used by Security Analytics.

Security Analytics 7.2 Outbound Connections

Service Port Protocol URL Source Description

Licensing 443 TCP license.soleranetworks.com -

Active Directory 3268 TCP/UDP [none] - For LDAP authentication.

Advanced Threat Protection (ATP) Manager 3 443 TCP [as needed]

Central Management VPN 1194 or as specified TCP/UDP bond0 of CMC These defaults can be changed on the CMC.

ClamAV® 1 80 TCP *.clamav.net Requires only HTTP access to update the signature database. Analysis is performed locally on the appliance.

Cuckoo 3 8090 TCP/UDP [as needed] In version 7.1.x the port number was 9420. If you are upgrading from an earlier version of Security Analytics, use dsportmapping to change the port to 8090 or specify <cuckoo_ip>:8090 in the Location field.

DNS 2 53 TCP/UDP [as needed]

Domain Age Reporter 1,4 [same as WHOIS] TCP [same as WHOIS] The WHOIS settings also permit Domain Age Reporter traffic.

File Reputation Service 1,3 8443 TCP *.es.bluecoat.com 185.2.196.204 8.28.16.233 199.116.169.204 103.246.38.204 The URL for the File Reputation Service will usually be frs.es.bluecoat.com; Symantec recommends that you create a rule for all of the listed IP addresses. Future Engineering Services resources will also be provided from the *.es.bluecoat.com domain.

FireEye® 3 [as needed] [as needed] AX-series is supported.

Google Safe Browsing® 443 TCP sb-ssl.google.com Uses Internet connection from workstation.

Google® Search 443 TCP google.com Uses Internet connection from workstation.

HTTP 2 80 TCP/UDP [none] Change the default on Settings > Security. (Do not change if your appliance is or is being managed by a CMC.)

HTTPS 2 443 TCP/UDP [none] Change the default on Settings > Security. (Do not change if your appliance is or is being managed by a CMC.)

Intelligence Services 1,3 — — See File Reputation Service and Web Reputation Service

ICAP 3 1344 TCP (plaintext) [as needed] Consult the documentation for your Content Analysis/ICAP device to verify the port numbers.

Lastline® 1,3 443 TCP analysis.lastline.com

LDAP authentication 389 TCP/UDP [none]

Login Correlation Service 8843 TCP [none] This port is used to communicate between the LCS and the agent's UI application. The Security Analytics firewall has a rule to accept this traffic.

Malware Analysis 3 80 443 TCP/UDP [as needed]

NTP 123 UDP [as needed]

OCSP requests 80 TCP ocsp.entrust.net Various Security Analytics services use OCSP for certificate-chain validation.

RADIUS 1812 1813 UDP [as needed]

RobTex® 1 80 TCP robtex.com Uses Internet connection from workstation.

SANS ISC® 1 443 TCP isc.sans.edu Host and IP queries are transmitted over SSL.

SMTP 25 TCP [as needed]

SNMP 161 162 TCP (polling) TCP/UDP (trap) [as needed]

SORBS DNSBL® 1 53 UDP dnsbl.sorbs.net

SSH 22 TCP [none] The port can be changed on Settings > Security.

syslog 514 UDP [as needed]

Team Cymru 1 443 TCP hash.cymru.com Formerly SANS ISC Hash

ThreatExplorer 1,3 443 TCP threatexplorer.bluecoat.com Service must be enabled on Settings > Data Enrichment.

VirusTotal® 1,3 443 TCP www.virustotal.com

Web Reputation Service 1,3 443 TCP sp.cwfservice.net

Web Reputation Service local database updates 1,3 443 TCP list.bluecoat.com Used by the Web Reputation Service and ADM

WHOIS 1,4 43 TCP [as needed] The WHOIS lookup service will query different WHOIS servers based on the registry associated with the top-level domain of the target. Consult this authoritative list of WHOIS servers.

1 Service requires internet access.
2 Service is always used by Security Analytics.
3 Licensing for this service is the responsibility of the user.
4 Service cannot be used behind a proxy.

SSL Visibility

SSL Visibility 5.0 Inbound Connections

Service Port Protocol Configurable? Source Description

WebUI Admin GUI 8082 HTTPS TCP No User client Management Interface WebUI service

SSH Admin CLI 22 TCP No User client SSH Admin CLI service

SNMP management 161 UDP No User client SNMP agent for SNMP management access

NTP 123 UDP No NTP server NTP time synchronization service

Remote Diagnostics Facility (RDF) 2024 TCP No RDF Can be opened for support requests; normally closed

SSL Visibility 5.0 Outbound Connections

Service Port Protocol Configurable? Destination Description

SMTP/Secure SMTP 25, 465, 587, 525, 2526 * TCP TLS Yes SMTP server SMTP alerts

Syslog 514, 601 * 514 * TCP UDP TLS Yes Syslog server Remote syslog server

DNS 53 TCP UDP No DNS server Domain Name System service

SNMP Trap 162 UDP No SNMP Trap receiver SNMP traps

Host Categorization (BCWF) 443 HTTPS No Symantec Host categorization database

TACACS+ 49 TCP Yes TACACS server TACACS+ authentication

NTP 123 UDP No NTP server list Synchronization to customer-configured NTP server

Diagnostics Upload 443 HTTPS No Symantec Diagnostics upload service

SSL Visibility 5.0 Required URLs

URL Protocol Port Function

abrca.bluecoat.com HTTPS TCP 443 Symantec CA

*.es.bluecoat.com HTTPS TCP 443 License, validation, and subscription services

appliance.bluecoat.com/sgos/trust_package.bctp HTTP TCP 80 Trust package downloads

upload.bluecoat.com mft.symantec.com HTTPS TCP 443 Upload diagnostic reports to Symantec support

SSL Visibility 4.4 Inbound Connections

Service Port Protocol Configurable? Source Description

WebUI Admin GUI 8082 HTTPS TCP No User client Management Interface WebUI service

SSH Admin CLI 22 TCP No User client SSH Admin CLI service

Symantec/Blue Coat License 443 HTTPS No License server Symantec/Blue Coat license service

SNMP management 161 UDP No User client SNMP agent for SNMP management access

NTP 123 UDP No NTP server NTP time synchronization service

Remote Diagnostics Facility (RDF) 2024 TCP No RDF Can be opened for support requests; normally closed

SSL Visibility 4.4 Outbound Connections

Service Port Protocol Configurable? Destination Description

SMTP/Secure SMTP 25, 465, 587, 525, 2526 * TCP TLS Yes SMTP server SMTP alerts

Syslog 514, 601 * 6514 * 514 * TCP TLS (3x) UDP TLS Yes Syslog server Remote syslog server

DNS 53 TCP UDP No DNS server Domain Name System service

SNMP Trap 162 UDP No SNMP Trap receiver SNMP traps

Host Categorization (BCWF) 443 HTTPS No Symantec Host categorization database

TACACS+ 49 TCP Yes TACACS server TACACS+ authentication

NTP 123 UDP No NTP server list Synchronization to customer-configured NTP server

Diagnostics Upload 443 HTTPS No Symantec Diagnostics upload service

SSL Visibility 4.4 Required URLs

URL Protocol Port Function

abrca.bluecoat.com HTTPS TCP 443 Symantec CA

*.es.bluecoat.com HTTPS TCP 443 License, validation, and subscription services

appliance.bluecoat.com/sgos/trust_package.bctp HTTP TCP 80 Trust package downloads

upload.bluecoat.com mft.symantec.com HTTPS TCP 443 Upload diagnostic reports to Symantec support

SSL Visibility 4.3 Inbound Connections

Service Port Protocol Configurable? Source Description

WebUI Admin GUI 8082 HTTPS TCP No User client Management Interface WebUI service

SSH Admin CLI 22 TCP No User client SSH Admin CLI service

Symantec/Blue Coat License 443 HTTPS No License server Symantec/Blue Coat license service

SNMP management 161 UDP No User client SNMP agent for SNMP management access

NTP 123 UDP No NTP server NTP time synchronization service

Remote Diagnostics Facility (RDF) 2024 TCP No RDF Can be opened for support requests; normally closed

SSL Visibility 4.3 Outbound Connections

Service Port Protocol Configurable? Destination Description

SMTP/Secure SMTP 25, 465, 587, 525, 2526 * TCP TLS Yes SMTP server SMTP alerts

Syslog 514, 601 * 6514 * 514 * TCP TLS (3x) UDP TLS Yes Syslog server Remote syslog server

DNS 53 TCP UDP No DNS server Domain Name System service

SNMP Trap 162 UDP No SNMP Trap receiver SNMP traps

Host Categorization (BCWF) 443 HTTPS No Symantec Host categorization database

NTP 123 UDP No NTP server list Synchronization to customer-configured NTP server

Diagnostics Upload 443 HTTPS No Symantec Diagnostics upload service

SSL Visibility 4.3 Required URLs

URL Protocol Port Function

abrca.bluecoat.com HTTPS TCP 443 Symantec CA

*.es.bluecoat.com HTTPS TCP 443 License, validation, and subscription services

appliance.bluecoat.com/sgos/trust_package.bctp HTTP TCP 80 Trust package downloads

upload.bluecoat.com HTTPS TCP 443 Upload diagnostic reports to Symantec support

SSL Visibility 3.1.2 Inbound Connections

Service Port Protocol Configurable? Source Description

WebUI Admin GUI 8082 HTTPS TCP No User client Management Interface WebUI service

SSH Admin CLI 22 TCP No User client SSH Admin CLI service

Symantec/Blue Coat License 443 HTTPS No License server Symantec/Blue Coat license service

SNMP management 161 UDP No User client SNMP agent for SNMP management access

NTP 123 UDP No NTP server NTP time synchronization service

DHCP 68 UDP No DHCP server DHCP service

Remote Diagnostics Facility (RDF) 2024 TCP No RDF Can be opened for support requests; normally closed

SSL Visibility 3.1.2 Outbound Connections

Service Port Protocol Configurable? Destination Description

SMTP/Secure SMTP 25, 465, 587, 525, 2526 * TCP Yes SMTP server SMTP alerts

Syslog 514, 601 * 6514 * 514 * TCP TLS UDP Yes Syslog server Remote syslog server

DNS 53 TCP UDP No DNS server Domain Name System service

SNMP Trap 162 UDP No SNMP Trap receiver SNMP traps

Host Categorization (BCWF) 443 HTTPS No Symantec Host categorization database

HSM 443 TCP No HSM appliance HSM authentication and requests

TACACS+ 49 TCP Yes TACACS server TACACS+ authentication

NTP 123 UDP No NTP server list Synchronization to customer-configured NTP server

DHCP 67 UDP No DHCP server DHCP service

Diagnostics Upload 443 HTTPS No Symantec Diagnostics upload service

SSL Visibility 3.1.2 Required URLs

URL Protocol Port Function

abrca.bluecoat.com HTTPS TCP 443 Symantec CA

*.es.bluecoat.com HTTPS TCP 443 License, validation, and subscription services

appliance.bluecoat.com/sgos/trust_package.bctp HTTP TCP 80 Trust package downloads

upload.bluecoat.com HTTPS TCP 443 Upload diagnostic reports to Symantec support

Web Isolation

Web Isolation 1.12

From To Protocol Port Function

Symantec Threat Isolation Platform (Mandatory)

Admin Terminal All Symantec Threat Isolation gateways TCP SSH 22 Administrator SSH access to the server

Admin Terminal Management TCP SSH 22 Administrator SSH access to the server

Admin Terminal Management TCP 9000 Administrator access to the Management portal

All Symantec Threat Isolation gateways including management PDP TCP 3004 3005 Symantec Threat Isolation control protocol for policy distribution

End User Browser TIE TCP 80/443 Accessing TIE server from LAN endpoints

End User Browser Proxy TCP 8080 Proxying HTTP/S requests. The port is configurable. For assistance, contact Symantec Threat Isolation technical support

End User Browser Proxy TCP 8081 Downloading PAC file

End User Browser Proxy TCP HTTP/S 80/443 Downloading resources e.g. index.html, Symantec Threat Isolation proprietary protocol logic

Report Server All Symantec Threat Isolation gateways TCP 6380 Logging and report data

Management PDP TCP 9100 9101 Symantec Threat Isolation control protocol for policy distribution

Proxy External DNS Server TCP 53 URL resolution

Proxy Internet TCP HTTP/S 80/443 Enables Proxy Internet browsing, i.e. for Bypass/Inspect websites. The ports are mandatory. For websites that listen to higher ports, also open the higher ports (according to your organization’s policy). If there is no next hop proxy, the proxy must access the Internet via port 80/443 or higher.

Proxy Explicit next hop proxy/server TCP HTTP/S 8080 Enables Symantec Threat Isolation Proxy Internet browsing for non-isolated content when there is a proxy between Symantec Threat Isolation Proxy and Internet (optional). The port is configurable in the Next Hop Proxy object. For more information, see section 5.11

TIE External DNS Server TCP 53 URL resolution

TIE Internet TCP HTTP/S 80/443 Enables TIE Internet browsing. The ports are mandatory. For websites that listen to higher ports, also open the higher ports (according to your organization’s policy). If there is no next hop proxy, the TIE must access the Internet via port 80/443 or higher.

TIE Explicit next hop proxy/server TCP HTTP/S 8080 Enables TIE Internet browsing when there is a proxy between TIE and Internet (optional). The port is configurable in the Next Hop Proxy object. For more information, see section 5.11

Integration with External Servers

Management AD TCP 389 Enables LDAP Queries

Proxy AD TCP LDAP/S 389/636 Enables LDAP authentication

Proxy AD TCP Kerberos 88 Enables Kerberos authentication

Management AD TCP 389 Enables LDAP Queries

Management AD TCP 389 Enables LDAP Queries

Management IdP TCP 80/443 Enables IdP Metadata to be imported from a URL. For more information, see SAML sections 5.5.4, 5.5.5

Proxy/TIE RADIUS UDP Configurable (No default port) Enables RADIUS authentication. For more information, see section 5.6.2.1

Proxy/TIE Email TCP Configurable Default = 465 For more information, see section 5.12

Proxy/TIE SNMP UDP 162 Port 162 is the default port for sending traps to the SNMP server. For more information, see section 5.13

SNMP Proxy/TIE UDP 161 Port 161 is the default listening port for “Expose system metrics” in response to SNMP Walk/GET requests by the SNMP server. For more information, see section 5.13

Management Syslog TCP/UDP Default = UDP Configurable Default = 514 Enables syslog logging. For more information, see section 5.14

Management ArcSight TCP/UDP Default = UDP Configurable Default = 514 Enables syslog logging. For more information, see section 5.14

Management Kafka TCP Configurable (No default port) Enables Kafka logging. For more information, see section 5.16

Web Isolation 1.11 - Firewall Rules for Symantec Threat Isolation Explicit Proxy

From To Protocol Port Function

Admin Terminal All Symantec Threat Isolation gateways TCP SSH 22 Administrator SSH access to the server

Admin Terminal Management TCP SSH 22 Administrator SSH access to the server

Admin Terminal Management TCP 9000 Administrator access to the Management portal

All Symantec Threat Isolation gateways including management PDP TCP 3004 3005 Symantec Threat Isolation control protocol for policy distribution

End User Browser TIE TCP 80/443 Accessing TIE server from LAN endpoints

End User Browser Proxy TCP 8080 Proxying HTTP/S requests. The port is configurable. For assistance, contact Symantec Threat Isolation technical support

End User Browser Proxy TCP 8081 Downloading PAC file

End User Browser Proxy TCP HTTP/S 80/443 Downloading resources e.g. index.html, Symantec Threat Isolation proprietary protocol logic

Report Server All Symantec Threat Isolation gateways TCP 6380 Logging and report data

Management PDP TCP 9100 9101 Symantec Threat Isolation control protocol for policy distribution

Management AD TCP 389 LDAP queries

Proxy External DNS Server TCP 53 URL resolution

Proxy AD TCP LDAP/S 389/636 LDAP authentication

Proxy AD UDP Kerberos 88 Kerberos authentication

Proxy Internet TCP HTTP/S 80/443 Enables Proxy Internet browsing, i.e. for Bypass/Inspect websites. The ports are mandatory. For websites that listen to higher ports, also open the higher ports (according to your organization’s policy). If there is no next hop proxy, the proxy must access the Internet via port 80/443 or higher.

TIE External DNS Server TCP 53 URL resolution

TIE Internet TCP HTTP/S 80/443 Enables TIE Internet browsing.

TIE Explicit next hop proxy/server TCP HTTP/S 8080 Enables TIE Internet browsing when there is a proxy between TIE and Internet (optional).

Web Isolation 1.10 - Firewall Rules for Symantec Threat Isolation Classic Proxy

From To Protocol Port Function

Admin Terminal All Symantec Threat Isolation gateways TCP SSH 22 Administrator SSH access to the server

Admin Terminal Management TCP SSH 22 Administrator SSH access to the server

Admin Terminal Management TCP 9000 Administrator access to the Management portal

All Symantec Threat Isolation gateways including management PDP TCP 3004 3005 Symantec Threat Isolation control protocol for policy distribution

End User Browser TIE TCP Websocket 80/443 Accessing TIE server from LAN endpoints

End User Browser Proxy TCP 8080 Proxying HTTP/S requests. The port is configurable. For assistance, contact Symantec Threat Isolation technical support

End User Browser Proxy TCP 8081 Downloading PAC file

End User Browser Proxy TCP HTTP/S 80/443 Downloading resources e.g. index.html, Symantec Threat Isolation proprietary protocol logic

Report Server All Symantec Threat Isolation gateways TCP 6380 Logging and report data

Management PDP TCP 9100 9101 Symantec Threat Isolation control protocol for policy distribution

Management AD TCP 389 LDAP queries

Proxy External DNS Server TCP 53 URL resolution

Proxy AD TCP LDAP/S 389/636 LDAP authentication

Proxy AD UDP Kerberos 88 Kerberos authentication

Proxy Explicit next hop proxy/server TCP HTTP/S 8080 Enables Symantec Threat Isolation Proxy Internet browsing for non-isolated content when there is a proxy between Symantec Threat Isolation Proxy and Internet (optional)

TIE External DNS Server TCP 53 URL resolution

TIE Internet TCP HTTP/S 80/443 Enables TIE Internet browsing.

TIE Explicit next hop proxy/server TCP HTTP/S 8080 Enables TIE Internet browsing when there is a proxy between TIE and Internet (optional).

Web Isolation 1.9 - Firewall Rules for Symantec Threat Isolation Classic Proxy

| From | To | Protocol | Port | Function |
|---|---|---|---|---|
| Admin Terminal | All Symantec Threat Isolation gateways | TCP | SSH 22 | Administrator SSH access to the server |
| Admin Terminal | Management | TCP | SSH 22 | Administrator SSH access to the server |
| Admin Terminal | Management | TCP | 9000 | Administrator access to the Management portal |
| All Symantec Threat Isolation gateways including management | PDP | TCP | 3004, 3005 | Symantec Threat Isolation control protocol for policy distribution |
| End User Browser | TIE | TCP | Websocket 80/443 | Accessing TIE server from LAN endpoints |
| End User Browser | Proxy | TCP | 8080 | Proxying HTTP/S requests. The port is configurable. For assistance, contact Symantec Threat Isolation technical support |
| End User Browser | Proxy | TCP | 8081 | Downloading PAC file |
| End User Browser | Proxy | TCP | HTTP/S 80/443 | Downloading resources e.g. index.html, Symantec Threat Isolation proprietary protocol logic |
| Report Server | All Symantec Threat Isolation gateways | TCP | 6380 | Logging and report data |
| Management | PDP | TCP | 9100, 9101 | Symantec Threat Isolation control protocol for policy distribution |
| Management | AD | TCP | 389 | LDAP queries |
| Proxy | External DNS Server | TCP | 53 | URL resolution |
| Proxy | AD | TCP | LDAP/S 389/636 | LDAP authentication |
| Proxy | AD | UDP | Kerberos 88 | Kerberos authentication |
| Proxy | Next hop | TCP | HTTP/S 8080 | Enables Symantec Threat Isolation Proxy Internet browsing for non-isolated content when there is a proxy between Symantec Threat Isolation Proxy and Internet (optional) |
| TIE | External DNS Server | TCP | 53 | URL resolution |
| TIE | Internet | TCP | HTTP/S 80/443 | Enables TIE Internet browsing. |
| TIE | Next hop | TCP | HTTP/S 8080 | Enables TIE Internet browsing when there is a proxy between TIE and Internet (optional). |


Web Security Service


Method Port Protocol Resolves to

support.broadcom.com

Provides knowledge base articles and support information.

WSS portal access URL.

IP addresses for administration of your WSS policy and configuration.

443 portal.threatpulse.com

35.245.151.224

34.82.146.64

Partner Portal Functionality

35.245.151.231

34.82.146.71

Firewall/VPN (IPsec) UDP 500 (ISAKMP)

UDP 4500 if firewall is behind a NAT.

IPsec/ESP

Proxy Forwarding TCP 8080/8443

TCP 8084*

HTTP/HTTPS proxy.threatpulse.net

Use when the forwarding host is configured for local SSL interception.

Explicit Proxy 8080 TCP PAC File Management Service (PFMS) pfms.wss.symantec.com

To proxy.threatpulse.net

https://portal.threatpulse.com/pac


Explicit Proxy

SEP PAC File Management System or Default PAC file

TCP 443

Default PAC file: TCP 8080

- Firewall rules to allow PFMS access:
  - By hostname: pfms.wss.symantec.com
  - By IP Address:
  - 35.155.165.94
  - 35.162.233.131
  - 52.21.20.251
  - 52.54.167.220
  - 199.247.42.187
  - 199.19.250.187
- The default PAC file directs browser traffic to proxy.threatpulse.net.

WSS Agent TCP/UDP 443

SSL ctc.threatpulse.com (for TCP, UDP, and software updates)

130.211.30.2


Unified Agent TCP 80

TCP/UDP 443

TCP, SSL Port 80/443 to portal.threatpulse.com (199.19.250.192) (for captive network information and updates)

Port 443 to ctc.threatpulse.com (130.211.30.2)

Port 443 to client.threatpulse.net (DNS fallback)

TCP port 443 to client.threatpulse.net (DNS fallback), UDP added for agent version v4.9.1 or above.

Mobile (SEP Mobile/iOS/Android app)

UDP 500 (ISAKMP)

UDP 4500 (NAT-T)

IPSec/ESP mobility.threatpulse.com

35.245.151.228

34.82.146.68

Universal Policy Enforcement (UPE)/Hybrid Policy

On-Premises Policy Management (sgapi.threatpulse.com and sgapi.es.bluecoat.com)

35.245.151.229

34.82.146.69

If connectivity to WSS is behind stringent firewall rules, adjust the rules to allow traffic to pass to these IP addresses on port 443.

Auth Connector 443 SSL to auth.threatpulse.com:

199.19.250.193

199.116.168.193

portal.threatpulse.com:

199.19.250.192


Auth Connector TCP 443 SSL auth.threatpulse.com:

35.245.151.226

34.82.146.65

portal.threatpulse.com:

Auth Connector to Active Directory

TCP 139, 445

SMB

TCP 389 LDAP

TCP 3268 ADSI LDAP

TCP 135 Location Services

TCP 88 Kerberos

49152-65535

TCP Open when Auth Connector is installed on a new Windows Server 2012 Member rather than a Domain Controller.

AC-Logon App

TCP 80 Port 80 from all clients to the server.

SAML TCP 8443 (over VPN)

Explicit and IPSec saml.threatpulse.net

Roaming Captive Portal

TCP 8080


Legal Notice

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.

Copyright © 2020 Broadcom. All Rights Reserved.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Tuesday, May 26, 2020