McAfee SIEM Port Usage by Appliance


Columns: Application | Direction | Port(s) | Protocol | Destination / Description

Cells marked (not given) were blank in the extracted source; confirm them against the current McAfee port reference for your ESM version before writing firewall rules.

ETM - Enterprise Security Manager
Active Directory | out | 389, 3268 | tcp | Active Directory. 389 is LDAP; 3268 is the Global Catalog LDAP port.
Backup | in/out | 445, 111, 2049 | tcp/udp | EDB backup and restore. CIFS uses 445; NFS uses 111 and 2049.
(not given) | out | (not given) | tcp | Port used to communicate to ensure compliance.
HTTP | out | 80 | tcp/udp | Rules server, www.nitroguard.com.
HTTPS | in/out | (not given) | tcp/udp | Client login.
OpenVPN client | in | (not given) | udp | Remote management. IP varies; 9.1.x currently uses 69.20.166.9.
iSCSI | out | 860, 3260 | tcp | Communication with iSCSI storage.
RADIUS | in/out | 1812 | tcp/udp | RADIUS.
SMTP | out | 25 | tcp/udp | Email alerts and reports.
(not given) | in/out | (not given) | tcp/udp | Traps received from McAfee appliances or sent to the trap collector.
(not given) | in/out | (not given) | tcp/udp | All McAfee appliances, and command-line access.
WHOIS | out | 43 | tcp/udp | Whois lookups.

ERC - Event Receiver
(not given) | out | (not given) | tcp | Port used to communicate to ensure compliance.
HTTPS | out | (not given) | tcp/udp | Callhome.
OpenVPN client | in | (not given) | udp | Remote management. IP varies; 9.1.x currently uses 69.20.166.9.
(not given) | in/out | (not given) | tcp/udp | Traps received from McAfee appliances or sent to the trap collector.
(not given) | in/out | (not given) | tcp/udp | To/from ESM and ELM, and command-line access.

ELM - Enterprise Log Manager
Data Archival | in/out | 445, 111, 2049 | tcp/udp | Data storage destination. CIFS uses 445; NFS uses 111 and 2049.
(not given) | out | (not given) | tcp | Port used to communicate to ensure compliance.
HTTPS | out | (not given) | tcp/udp | Callhome.
OpenVPN client | in | (not given) | udp | Remote management. IP varies; 9.1.x currently uses 69.20.166.9.
iSCSI | out | 860, 3260 | tcp | Communication with iSCSI storage.
(not given) | in/out | (not given) | tcp/udp | Traps received from McAfee appliances or sent to the trap collector.
(not given) | in/out | (not given) | tcp/udp | To/from ESM and Receiver, and command-line access.
sftp | in/out | 23 | tcp/udp | Allow an sftp client to access raw log files. (23 is the value as printed; SFTP normally runs over SSH on 22, so verify on the appliance before opening 23, which is the telnet port.)

ADM - Application Data Monitor
(not given) | out | (not given) | tcp | Port used to communicate to ensure compliance.
HTTPS | out | (not given) | tcp/udp | Callhome.
OpenVPN client | in | (not given) | udp | Remote management. IP varies; 9.1.x currently uses 69.20.166.9.
(not given) | in/out | (not given) | tcp/udp | Traps received from McAfee appliances or sent to the trap collector.
(not given) | in/out | (not given) | tcp/udp | To/from ESM, and command-line access.

ACE - Advanced Correlation Engine
(not given) | out | (not given) | tcp | Port used to communicate to ensure compliance.
HTTPS | out | (not given) | tcp/udp | Callhome.
OpenVPN client | in | (not given) | udp | Remote management. IP varies; 9.1.x currently uses 69.20.166.9.
(not given) | in/out | (not given) | tcp/udp | Traps received from McAfee appliances or sent to the trap collector.
(not given) | in/out | (not given) | tcp/udp | To/from ESM, and command-line access.

DEM - Database Event Monitor for SIEM
(not given) | out | (not given) | tcp | Port used to communicate to ensure compliance.
HTTPS | out | (not given) | tcp/udp | Callhome.
OpenVPN client | in | (not given) | udp | Remote management. IP varies; 9.1.x currently uses 69.20.166.9.
(not given) | in/out | (not given) | tcp/udp | Traps received from McAfee appliances or sent to the trap collector.
(not given) | in/out | (not given) | tcp/udp | To/from Nitro ESM, administrative (description truncated in source).

Below are the ports that data sources defined to an Event Receiver would typically use. The list may be incomplete, since data sources added after this document was published are not included.

Columns: Data Source | Port(s) | Protocol | Notes

Cisco MARS | 993 | tcp |
Cisco ASA NSEL | 2055 | tcp | User configurable.
Cisco RDEP | (not given) | tcp | User configurable.
eStreamer | 8302 | tcp |
Flat File | 21, (not given), 80, 445, 111, 2049 | tcp | CIFS uses 445; NFS uses 111 and 2049; SCP and SFTP port not given in source; HTTP uses 80; FTP uses 21. FTP and HTTP carry credentials and content in clear text, so prefer the SCP/SFTP or CIFS collection methods where the source supports them.
IBM Tivoli ID Mgr | 50000 | tcp | SQL pull. User configurable.
IPFIX | 4739 | udp/tcp |
Itron | 21 | tcp |
McAfee Event Agent | 8081 | tcp/udp | User configurable.
McAfee NSM | 3306 | tcp | SQL pull. User configurable.
MSSQL pull | 1433 | tcp/udp | User configurable. Various data sources use this.
MySQL | 3306 | tcp/udp | User configurable.
NetFlow | 2055, 9993 | udp | User configurable.
McAfee (name truncated in source) | 8 (port truncated in source) | tcp | User configurable.
OPSEC | 18184 | tcp | User configurable.
Oracle | 1521 | tcp |
Postgres DB | 5432 | tcp |
SDEE | (not given) | tcp/udp |
SilverSpring | 21 | tcp |
Sophos | 1127 | tcp |
syslog | 514 | tcp/udp |
VMware vCenter | (not given) | tcp |
WMI | 135, 139, 1025-5000, 49152-65535 | tcp/udp | Windows 2000 uses 139, and W2K3 and above use 139. W2K3 and below use the dynamic port range 1025-5000; W2K8 and above use the dynamic port range 49152-65535. Because WMI is RPC-based, the firewall must allow the whole dynamic range to the monitored host unless the range has been narrowed on that host (for example with "netsh int ipv4 set dynamicport tcp start=49152 num=1024").

Vulnerability Assessment sources (Receiver to VA source)

Columns: Source | Port(s) | Protocol

(not given) | (not given) | udp
SQL | 205, 1433 | tcp/udp
HTTPS | (not given) | tcp/udp
SCP | (not given) | tcp/udp
FTP | 20, 21 | tcp/udp
NFS | 2049, 3780 | tcp/udp

Outbound actions (the ports listed here are the defaults and can be changed in the ESM GUI)

Columns: Target | Port | Protocol

ePO | 8 (port truncated in source) | tcp
NVM | 3800 | tcp
NSM | (not given) | tcp

[Diagram: McAfee SIEM appliance connectivity. Updated 08.07.2014 and as of v9.4.]

ETM (ESM): hosts the GUI, central point for all administration, stores parsed events in the EDB. ETM to external sources: Active Directory 389, 3268; Backup 445, 111, 2049; Rules & GTI 80 (connects to www.nitroguard.com); RADIUS 1812; SMTP 25; WHOIS 43. Call home connects to 69.20.166.9.

ACE (Correlation Appliance): rules and risk engines. Original events flow from ESM; correlated events flow to ESM. ACE to external sources: GUI via HTTPS, 80, and ETM.

DEM: passively monitors DB traffic. DEM to external sources: SPAN port access to see DB events.

Event Receiver (ERC): parses, normalizes and aggregates events; parsed events go to ETM, raw events to ELM. ERC to data sources: see the data source list above. ERC to VA sources: FTP 20, 21; NFS 2049, 3780; SQL 205, 1433; SCP.

ADM: passively monitors application traffic, inspecting layer 3 and layer 7. ADM to external sources: SPAN port access to see events.

ELM: stores raw events with full text indexing, user-definable storage and user-definable compression. ELM to external sources: Data Archival 445, 111, 2049; iSCSI 860, 3260; sftp 23.
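A practical use of the matrix above is to prove the firewall path from each appliance before it goes live. The script below is an added example, not McAfee's code: MATRIX is a constructed subset transcribed from the tables on this page (ports as printed), the host names in the `__main__` block are placeholders, and the TARGETS keys ("dc", "backup", "storage", ...) are an assumption of this example. It probes only TCP rules that have an outbound component, because a TCP handshake from the appliance side is the one test that is conclusive from here; UDP rows (syslog, NetFlow, SNMP traps) and inbound rows are skipped and must be checked from the far side.

```python
"""Pre-deployment reachability check driven by the McAfee SIEM port matrix.

Added example, not McAfee's code. MATRIX is a constructed subset of the
tables on this page; hosts in TARGETS are placeholders to replace.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    appliance: str
    application: str
    direction: str   # "in", "out" or "in/out", exactly as in the tables
    ports: str       # "445,111,2049" or "1025-5000", as printed
    proto: str       # "tcp", "udp" or "tcp/udp"
    target: str      # logical destination, resolved through a targets map


# Constructed subset of the matrix on this page (ports as printed there).
MATRIX = [
    PortRule("ETM", "Active Directory", "out", "389,3268", "tcp", "dc"),
    PortRule("ETM", "Backup", "in/out", "445,111,2049", "tcp/udp", "backup"),
    PortRule("ETM", "HTTP rules server", "out", "80", "tcp", "rules"),
    PortRule("ETM", "RADIUS", "in/out", "1812", "tcp/udp", "radius"),
    PortRule("ETM", "SMTP", "out", "25", "tcp", "smtp"),
    PortRule("ERC", "syslog", "in", "514", "tcp/udp", "datasource"),
    PortRule("ERC", "netflow", "in", "2055,9993", "udp", "datasource"),
    PortRule("ELM", "iSCSI", "out", "860,3260", "tcp", "storage"),
]


def expand_ports(spec: str) -> list[int]:
    """Turn '445,111,2049', '1025-5000' or a mix into a list of ints.

    Empty cells such as the '21,,80' in the Flat File row are skipped.
    """
    ports: list[int] = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(part))
    return ports


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:           # refused, filtered (timeout), unresolvable
        return False


def probe_plan(matrix, targets):
    """Yield (rule, host, port) for every TCP port testable from this side.

    Rules with no outbound component, UDP-only rules and rules whose logical
    target is not in the map are skipped rather than reported as failures.
    """
    for rule in matrix:
        if "out" not in rule.direction or "tcp" not in rule.proto:
            continue
        host = targets.get(rule.target)
        if host is None:
            continue
        for port in expand_ports(rule.ports):
            yield rule, host, port


def run_checks(matrix, targets, timeout: float = 2.0):
    """Probe the plan; return (appliance, application, host, port, ok) tuples."""
    return [(r.appliance, r.application, h, p, tcp_reachable(h, p, timeout))
            for r, h, p in probe_plan(matrix, targets)]


def open_local_listener():
    """Bind a loopback TCP listener on an ephemeral port (self-test helper)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # Placeholder hosts; replace with the real DC, backup share, SAN, etc.
    targets = {"dc": "dc01.example.internal",
               "backup": "nas01.example.internal",
               "rules": "www.nitroguard.com",
               "smtp": "mail.example.internal",
               "storage": "san01.example.internal"}
    for appliance, app, host, port, ok in run_checks(MATRIX, targets):
        print(f"{appliance:4} {app:18} {host}:{port:<5} {'open' if ok else 'BLOCKED'}")
```

Run it from the appliance's network segment (or a jump host with the same firewall policy) and treat every BLOCKED line as a rule still to be opened. A connect that times out rather than being refused usually means a filtering firewall in the path; a refused connect means the path is open but nothing is listening yet.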