SIEM port definitions by appliance
Technical Articles ID:   KB84217
Last Modified:  9/5/2019


Environment

McAfee SIEM Advanced Correlation Engine (ACE) 11.x.x, 10.x.x
McAfee SIEM Application Data Monitor (ADM) 11.x.x, 10.x.x
McAfee SIEM Database Event Monitor (DBM) 11.x.x, 10.x.x
McAfee SIEM Enterprise Log Manager (ELM) 11.x.x, 10.x.x
McAfee SIEM Enterprise Security Manager (ESM) 11.x.x, 10.x.x
McAfee SIEM Event Receiver (Receiver) 11.x.x, 10.x.x

Summary

The following tables list port definitions and use by the McAfee SIEM appliances.

Enterprise Security Manager

| Application | Direction | Ports | Protocol | Destination / Description |
|---|---|---|---|---|
| Active Directory | out | 389, 3268 | TCP | Active Directory. Port 3268 is used for LDAP. |
| Backup | in/out | 445, 111, 2049 | TCP | Backup and Restore – CIFS uses 445; NFS uses 111 and 2049 |
| DNS | out | 53 | UDP | Primary, Secondary DNS server |
| FIPS | in | 4242 | TCP | Port used to communicate to ensure FIPS compliance |
| HTTP | in/out | 80 | TCP/UDP | Rules Server - www.nitroguard.com (out), Redirection to web server on port 443 (in) |
| HTTPS | in/out | 443 | TCP/UDP | Client logon and Call Home – OpenVPN client – IP address varies. Current IP address used is 161.69.23.25. Redundant, Distributed ESM, or both |
| Kafka ¹ | out | 9092 | TCP | Port used by databus for broadcasting and consuming data. |
| NTP | out | 123 | UDP | NTP server |
| RADIUS | in/out | 1812 | TCP/UDP | Radius |
| SMTP | out | 25 | TCP/UDP | Email Alerts and Reports |
| SNMP | in/out | 161, 162 | TCP/UDP | Traps received from McAfee appliances or sent to SNMP Trap collector |
| SSH | in/out | 22 | TCP/UDP | All McAfee appliances and to access command line |
| WHOIS | out | 43 | TCP/UDP | Whois lookups |
| Snowflex(server) gossip ¹ | in/out | 1210 | TCP | Snowflex(server) gossip. Port used for clustered environment behind a firewall |
| Snowclient/jdbc gossip - ESMs ¹ | in/out | 8103 | TCP | Snowflex/jdbc gossip. Port used for clustered environment behind a firewall |
| Snowflex - ESMs ¹ | in/out | 1211 | TCP | Snowflex. Port used for clustered environment behind a firewall |
| Snowclient/jdbc response - ESMs ¹ | in/out | 8104 | TCP | Snowclient/JDBC response. Port used for clustered environment behind a firewall |
| Snowman - ESMs ¹ | in/out | 1212 | TCP | Snowman. Port used for clustered environment behind a firewall |
| EDB Secure Port ¹ | in/out | 1119 | TCP | EDB Secure Port |

¹ SIEM 11.0 and later.

Event Receiver

| Application | Direction | Ports | Protocol | Destination / Description |
|---|---|---|---|---|
| DNS | out | 53 | UDP | Primary, Secondary DNS server |
| FIPS | out | 4242 | TCP | Port used to communicate to ensure FIPS compliance |
| HTTPS | out | 443 | TCP/UDP | Call home – OpenVPN client – IP address varies. Current IP address used is 161.69.23.25. |
| Kafka ¹ | in/out | 9092 | TCP | Port used by databus for broadcasting and consuming data. |
| NTP | out | 123 | UDP | NTP server |
| SNMP | in/out | 161, 162 | TCP/UDP | Traps received from McAfee appliances or sent to SNMP Trap collector |
| SSH | in/out | 22 | TCP/UDP | To/From ESM, ELM and to access command line |
| EDB Secure Port ¹ | in/out | 1119 | TCP | EDB Secure Port |

¹ SIEM 11.0 and later.

Enterprise Log Manager

| Application | Direction | Ports | Protocol | Destination / Description |
|---|---|---|---|---|
| Data Archival | in/out | 445, 111, 2049 | TCP/UDP | Data storage destination – CIFS uses 445; NFS uses 111 and 2049 |
| DNS | out | 53 | UDP | Primary, Secondary DNS server |
| FIPS | out | 4242 | TCP | Port used to communicate to ensure FIPS compliance |
| iSCSI | out | 860, 3260 | TCP | To communicate with iSCSI storage. |
| HTTPS | out | 443 | TCP/UDP | Call home – OpenVPN client – IP address varies. Current IP address used is 161.69.23.25. |
| Kafka ¹ | out | 9092 | TCP | Port used by databus for broadcasting and consuming data. |
| NTP | out | 123 | UDP | NTP server |
| SNMP | in/out | 161, 162 | TCP/UDP | Traps received from McAfee appliances or sent to SNMP Trap collector |
| SSH | in/out | 22 | TCP/UDP | To/From ESM, Receiver and to access command line |
| sFTP | in/out | 23 | TCP/UDP | Allow sFTP client to access raw log files |
| EDB Secure Port ¹ | in/out | 1119 | TCP | EDB Secure Port |

¹ SIEM 11.0 and later.

Application Data Monitor

| Application | Direction | Ports | Protocol | Destination / Description |
|---|---|---|---|---|
| HTTPS | out | 443 | TCP/UDP | Call home – OpenVPN client – IP address varies. Current IP address used is 161.69.23.25. |
| FIPS | out | 4242 | TCP | Port used to communicate to ensure FIPS compliance |
| Kafka ¹ | out | 9092 | TCP | Port used by databus for broadcasting and consuming data. |
| NTP | out | 123 | UDP | NTP server |
| SNMP | in/out | 161, 162 | TCP/UDP | Traps received from McAfee appliances or sent to SNMP Trap collector |
| SSH | in/out | 22 | TCP/UDP | To/From ESM and to access command line. |
| EDB Secure Port ¹ | in/out | 1119 | TCP | EDB Secure Port |

¹ SIEM 11.0 and later.

Advanced Correlation Engine

| Application | Direction | Ports | Protocol | Destination / Description |
|---|---|---|---|---|
| DNS | out | 53 | UDP | Primary, Secondary DNS server |
| FIPS | out | 4242 | TCP | Port used to communicate to ensure FIPS compliance |
| HTTPS | out | 443 | TCP/UDP | Call home – OpenVPN client – IP address varies. Current IP address used is 161.69.23.25. |
| Kafka ¹ | out | 9092 | TCP | Port used by databus for broadcasting and consuming data. |
| NTP | out | 123 | UDP | NTP server |
| SNMP | in/out | 161, 162 | TCP/UDP | Traps received from McAfee appliances or sent to SNMP Trap collector |
| SSH | in/out | 22 | TCP/UDP | To/From ESM and to access command line |
| EDB Secure Port ¹ | in/out | 1119 | TCP | EDB Secure Port |

¹ SIEM 11.0 and later.

Database Event Monitor

| Application | Direction | Ports | Protocol | Destination / Description |
|---|---|---|---|---|
| Agent | in/out | 11098, 11099 | TCP/UDP | To McAfee DBM |
| FIPS | out | 4242 | UDP | Port used to communicate to ensure FIPS compliance |
| HTTPS | out | 443 | TCP/UDP | Call home - OpenVPN client - IP address varies. Current IP address used is 161.69.23.25. |
| Kafka ¹ | out | 9092 | TCP | Port used by databus for broadcasting and consuming data. |
| NTP | out | 123 | UDP | NTP server |
| SNMP | in/out | 161, 162 | TCP/UDP | Traps received from McAfee appliances or sent to SNMP Trap collector |
| SSH | in/out | 22 | TCP/UDP | To/From ESM, Administrative tasks |
| EDB Secure Port ¹ | in/out | 1119 | TCP | EDB Secure Port |

¹ SIEM 11.0 and later.

Listed below are ports that data sources defined to a McAfee Event Receiver would typically use.

Data Sources
| Description | Port | Protocol |
|---|---|---|
| Cisco Mars | 993 | TCP |
| eStreamer | 8302 | TCP |
| Flat File | 21, 22, 80, 445, 111, 2049 (CIFS uses 445; NFS uses 111 and 2049; SCP and SFTP use 22; HTTP uses 80; FTP uses 21) | TCP |
| iTron | 21 | TCP |
| McAfee Event Agent / SIEM Collector | 8081 (pre-9.4.2); 8082 (9.4.2 onwards), user configurable. | TCP/UDP |
| McAfee NSM | 3306 | TCP |
| Microsoft Azure Event Hub | 5671 | TCP |
| mssql | 1433. User configurable. Several data sources use this port. | TCP/UDP |
| mysql | 3306 | TCP/UDP |
| netflow | 2055, 9993 | UDP |
| OPSEC | 18184. User configurable | TCP |
| Oracle | 1521 | TCP |
| Postgres DB | 5432 | TCP |
| SDEE | 443 | TCP, UDP |
| SilverSpring | 21 | TCP |
| Sophos | 1127 | TCP |
| syslog | 514 | TCP/UDP |
| WMI | 135–139, 443, 445, 49152–65535 | TCP/UDP, ICMP |

Vulnerability Assessment
| Description | Port | Protocol |
|---|---|---|
| SNMP | 161, 162 | UDP |
| SQL | 205, 1433 | TCP/UDP |
| HTTPS | 443 | TCP/UDP |
| SCP | 22 | TCP/UDP |
| FTP | 20, 21 | TCP/UDP |
| NFS | 2049, 3780 | TCP/UDP |

For outbound actions
| Description | Port | Protocol |
|---|---|---|
| ePO | 8443 | TCP |
| MVM | 3800 | TCP |
| NSM | 443 | TCP |

NOTE: This list might be incomplete because of new data sources. If you are unsure about a particular data source, contact Technical Support.

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  • If you are a registered user, type your User Id and Password, and then click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
