The following tables list the ports used by each Trellix SIEM appliance, the direction of the traffic, and the protocol:
ESM

| Application | Direction | Ports | Protocol | Destination / Description |
|---|---|---|---|---|
| Active Directory | Out | 389, 3268 | TCP | Active Directory. Port 3268 is used for LDAP |
| Backup | In/out | 445, 111, 2049 | TCP | Backup and Restore – CIFS uses 445; NFS uses 111 and 2049 |
| DNS | Out | 53 | UDP | Primary and Secondary DNS server |
| FIPS | In | 4242 | TCP | Port used to communicate to ensure FIPS compliance |
| HTTP | In/out | 80 | TCP/UDP | Rules Server - www.nitroguard.com (out); redirection to web server on port 443 (in) |
| HTTPS | In/out | 443 | TCP/UDP | Client logon and Call Home – OpenVPN client – IP address varies. Current IP address used is 161.69.23.25. Redundant, Distributed ESM, or both |
| Kafka ¹ | Out | 9092 | TCP | Port used by databus for broadcasting and consuming data |
| NTP | Out | 123 | UDP | NTP server |
| RADIUS | In/out | 1812 | TCP/UDP | RADIUS |
| SMTP | Out | 25 | TCP/UDP | Email alerts and reports |
| SNMP | In/out | 161, 162 | TCP/UDP | Traps received from Trellix appliances or sent to the SNMP trap collector |
| SSH | In/out | 22 | TCP/UDP | All Trellix appliances, and command-line access |
| WHOIS | Out | 43 | TCP/UDP | WHOIS lookups |
| Snowflex (server) gossip ¹ | In/out | 1210 | TCP | Snowflex (server) gossip port used for a clustered environment behind a firewall |
| Snowclient/JDBC gossip - ESMs ¹ | In/out | 8103 | TCP | Snowflex/JDBC gossip port used for a clustered environment behind a firewall |
| Snowflex - ESMs ¹ | In/out | 1211 | TCP | Snowflex port used for a clustered environment behind a firewall |
| Snowclient/JDBC response - ESMs ¹ | In/out | 8104 | TCP | Snowclient/JDBC response port used for a clustered environment behind a firewall |
| Snowman - ESMs ¹ | In/out | 1212 | TCP | Snowman port used for a clustered environment behind a firewall |
| EDB Secure Port ¹ | In/out | 1119 | TCP | EDB secure port |
| Databus management port ¹ | In/out | 2181 | TCP | Databus management port (internal communication only) used for a clustered environment behind a firewall |

¹ SIEM 11.0 and later.
Receiver

| Application | Direction | Ports | Protocol | Destination / Description |
|---|---|---|---|---|
| DNS | Out | 53 | UDP | Primary and Secondary DNS server |
| FIPS | Out | 4242 | TCP | Port used to communicate to ensure FIPS compliance |
| HTTPS | Out | 443 | TCP/UDP | Call home – OpenVPN client – IP address varies. Current IP address used is 161.69.23.25. |
| Kafka ¹ | In/out | 9092 | TCP | Port used by databus for broadcasting and consuming data |
| NTP | Out | 123 | UDP | NTP server |
| SNMP | In/out | 161, 162 | TCP/UDP | Traps received from Trellix appliances or sent to the SNMP trap collector |
| SSH | In/out | 22 | TCP/UDP | To/from ESM and ELM, and command-line access |

¹ SIEM 11.0 and later.
ELM

| Application | Direction | Ports | Protocol | Destination / Description |
|---|---|---|---|---|
| Data Archival | In/out | 445, 111, 2049 | TCP/UDP | Data storage destination – CIFS uses 445; NFS uses 111 and 2049 |
| DNS | Out | 53 | UDP | Primary and Secondary DNS server |
| FIPS | Out | 4242 | TCP | Port used to communicate to ensure FIPS compliance |
| iSCSI | Out | 860, 3260 | TCP | To communicate with iSCSI storage |
| HTTPS | Out | 443 | TCP/UDP | Call home – OpenVPN client – IP address varies. Current IP address used is 161.69.23.25. |
| Kafka ¹ | Out | 9092 | TCP | Port used by databus for broadcasting and consuming data |
| NTP | Out | 123 | UDP | NTP server |
| SNMP | In/out | 161, 162 | TCP/UDP | Traps received from Trellix appliances or sent to the SNMP trap collector |
| SSH | In/out | 22 | TCP/UDP | To/from ESM and Receiver, and command-line access |
| sFTP | In/out | 23 | TCP/UDP | Allows the sFTP client to access raw log files |

¹ SIEM 11.0 and later.
ADM

| Application | Direction | Ports | Protocol | Destination / Description |
|---|---|---|---|---|
| HTTPS | Out | 443 | TCP/UDP | Call home – OpenVPN client – IP address varies. Current IP address used is 161.69.23.25. |
| FIPS | Out | 4242 | TCP | Port used to communicate to ensure FIPS compliance |
| Kafka ¹ | Out | 9092 | TCP | Port used by databus for broadcasting and consuming data |
| NTP | Out | 123 | UDP | NTP server |
| SNMP | In/out | 161, 162 | TCP/UDP | Traps received from Trellix appliances or sent to the SNMP trap collector |
| SSH | In/out | 22 | TCP/UDP | To/from ESM, and command-line access |

¹ SIEM 11.0 and later.
ACE

| Application | Direction | Ports | Protocol | Destination / Description |
|---|---|---|---|---|
| DNS | Out | 53 | UDP | Primary and Secondary DNS server |
| FIPS | Out | 4242 | TCP | Port used to communicate to ensure FIPS compliance |
| HTTPS | Out | 443 | TCP/UDP | Call home – OpenVPN client – IP address varies. Current IP address used is 161.69.23.25. |
| Kafka ¹ | In/out | 9092 | TCP | Port used by databus for broadcasting and consuming data |
| NTP | Out | 123 | UDP | NTP server |
| SNMP | In/out | 161, 162 | TCP/UDP | Traps received from Trellix appliances or sent to the SNMP trap collector |
| SSH | In/out | 22 | TCP/UDP | To/from ESM, and command-line access |

¹ SIEM 11.0 and later.
DEM

| Application | Direction | Ports | Protocol | Destination / Description |
|---|---|---|---|---|
| Agent | In/out | 11098, 11099 | TCP/UDP | To Trellix DBM |
| FIPS | Out | 4242 | UDP | Port used to communicate to ensure FIPS compliance |
| HTTPS | Out | 443 | TCP/UDP | Call home – OpenVPN client – IP address varies. Current IP address used is 161.69.23.25. |
| Kafka ¹ | Out | 9092 | TCP | Port used by databus for broadcasting and consuming data |
| NTP | Out | 123 | UDP | NTP server |
| SNMP | In/out | 161, 162 | TCP/UDP | Traps received from Trellix appliances or sent to the SNMP trap collector |
| SSH | In/out | 22 | TCP/UDP | To/from ESM; administrative tasks |

¹ SIEM 11.0 and later.
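The Direction and Protocol columns in these tables are what turn them into a least-privilege firewall policy: a port that is only listed as "Out" for an appliance should not be reachable inbound, and a TCP-only port should not be open on UDP. The following is an added example, not Trellix code or documentation, that encodes the ESM table above as an allow-list and audits a handful of constructed flow records (the record layout `direction port/protocol peer` is an assumption, not a Trellix log format) to flag flows the table does not cover.

```python
"""Audit observed ESM flows against the ESM port table (added example, not Trellix code)."""
from dataclasses import dataclass

# ESM rows transcribed from the table above: (application, direction, ports, protocol).
ESM_RULES = [
    ("Active Directory", "Out", "389, 3268", "TCP"),
    ("Backup", "In/out", "445,111,2049", "TCP"),
    ("DNS", "Out", "53", "UDP"),
    ("FIPS", "In", "4242", "TCP"),
    ("HTTP", "In/out", "80", "TCP/UDP"),
    ("HTTPS", "In/out", "443", "TCP/UDP"),
    ("Kafka", "Out", "9092", "TCP"),
    ("NTP", "Out", "123", "UDP"),
    ("RADIUS", "In/out", "1812", "TCP/UDP"),
    ("SMTP", "Out", "25", "TCP/UDP"),
    ("SNMP", "In/out", "161,162", "TCP/UDP"),
    ("SSH", "In/out", "22", "TCP/UDP"),
    ("WHOIS", "Out", "43", "TCP/UDP"),
    ("Snowflex (server) gossip", "In/out", "1210", "TCP"),
    ("Snowclient/JDBC gossip", "In/out", "8103", "TCP"),
    ("Snowflex", "In/out", "1211", "TCP"),
    ("Snowclient/JDBC response", "In/out", "8104", "TCP"),
    ("Snowman", "In/out", "1212", "TCP"),
    ("EDB Secure Port", "In/out", "1119", "TCP"),
    ("Databus management port", "In/out", "2181", "TCP"),
]


@dataclass(frozen=True)
class Rule:
    app: str
    directions: frozenset  # subset of {"in", "out"}
    ports: frozenset       # expanded port numbers
    protocols: frozenset   # subset of {"tcp", "udp"}


def parse_ports(cell: str) -> frozenset:
    """Expand a Ports cell such as '445,111,2049', '860, 3260' or a range '49152–65535'."""
    ports = set()
    for part in cell.replace("\u2013", "-").split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif part:
            ports.add(int(part))
    return frozenset(ports)


def parse_rules(rows) -> list:
    """Turn table rows into Rule objects; 'In/out' and 'TCP/UDP' split on '/'."""
    return [
        Rule(app,
             frozenset(d.strip().lower() for d in direction.split("/")),
             parse_ports(ports),
             frozenset(p.strip().lower() for p in protocol.split("/")))
        for app, direction, ports, protocol in rows
    ]


def match_rule(rules, direction: str, port: int, protocol: str):
    """Return the application that permits this flow, or None if the table does not cover it."""
    for rule in rules:
        if direction in rule.directions and port in rule.ports and protocol in rule.protocols:
            return rule.app
    return None


# Constructed flow records (not real appliance or firewall output): direction port/proto peer.
SAMPLE_FLOWS = """\
in 443/tcp 10.0.5.17
in 9092/tcp 10.0.5.40
out 9092/tcp 10.0.5.40
in 4242/udp 10.0.5.9
in 2181/tcp 10.0.5.41
in 3389/tcp 10.0.7.3
"""


def audit(flow_text: str, rules) -> list:
    """Return (record, application-or-None) for every flow record."""
    results = []
    for line in flow_text.splitlines():
        direction, port_proto, _peer = line.split()
        port, proto = port_proto.split("/")
        results.append((line, match_rule(rules, direction, int(port), proto)))
    return results


def unexpected_flows(flow_text: str) -> list:
    """Flows that no ESM table row allows, e.g. inbound Kafka (Out only) or FIPS over UDP (TCP only)."""
    return [line for line, app in audit(flow_text, parse_rules(ESM_RULES)) if app is None]


if __name__ == "__main__":
    for record, app in audit(SAMPLE_FLOWS, parse_rules(ESM_RULES)):
        print(f"{record:28} -> {app or 'NOT IN TABLE'}")
```

The same `parse_rules`/`match_rule` pair works for the Receiver, ELM, ADM, ACE and DEM tables by swapping in their rows; `parse_ports` also handles the ranged WMI entry in the data source table.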
Listed below are the ports that data sources defined on a Trellix Event Receiver typically use.

Data Sources

| Description | Port | Protocol |
|---|---|---|
| Cisco Mars | 993 | TCP |
| eStreamer | 8302 | TCP |
| Flat File | 21, 22, 80, 445, 111, 2049 (CIFS uses 445; NFS uses 111 and 2049; SCP and SFTP use 22; HTTP uses 80; FTP uses 21) | TCP |
| iTron | 21 | TCP |
| Trellix Event Agent / SIEM Collector | 8081 (pre-9.4.2); 8082 (9.4.2 onwards), user configurable | TCP/UDP |
| Trellix NSM | 3306 | TCP |
| Microsoft Azure Event Hub | 5671, 5672 | TCP |
| MSSQL | 1433, user configurable. Several data sources use this port. | TCP/UDP |
| MySQL | 3306 | TCP/UDP |
| NetFlow | 2055, 9993 | UDP |
| OPSEC | 18184, user configurable | TCP |
| Oracle | 1521 | TCP |
| Postgres DB | 5432 | TCP |
| SDEE | 443 | TCP/UDP |
| SilverSpring | 21 | TCP |
| Sophos | 1127 | TCP |
| Syslog | 514 | TCP/UDP |
| WMI | 135, 139, 445, 49152–65535 | TCP/UDP, ICMP |
Vulnerability Assessment

| Description | Port | Protocol |
|---|---|---|
| SNMP | 161, 162 | UDP |
| SQL | 205, 1433 | TCP/UDP |
| HTTPS | 443 | TCP/UDP |
| SCP | 22 | TCP/UDP |
| FTP | 20, 21 | TCP/UDP |
| NFS | 2049, 3780 | TCP/UDP |
For outbound actions

| Description | Port | Protocol |
|---|---|---|
| ePO | 8443 | TCP |
| NSM | 443 | TCP |
NOTES:
- Some ports are configurable.
- This list might be incomplete because of new data sources. If you're unsure of a particular data source, contact Technical Support.