McAfee SIEM Port Usage by Appliance

ETM - Enterprise Security Manager

| Application | Direction | Port(s) | Protocol | Destination / Description |
|---|---|---|---|---|
| Active Directory | out | 389, 3268 | tcp | Active Directory. Port 3268 is used for LDAP. |
| Backup | in/out | 445, 111, 2049 | tcp/udp | EDB Backup and Restore. CIFS uses 445; NFS uses 111 and 2049. |
| | out | | tcp | Port used to communicate to ensure compliance |
| HTTP | out | 80 | tcp/udp | Rules Server - www.nitroguard.com |
| HTTPS | in/out | | tcp/udp | Client login & |
| OpenVPN (client IP varies; currently 9.1.x uses 69.20.166.9) | in | | udp | For remote management |
| iSCSI | out | 860, 3260 | tcp | To communicate with iSCSI storage. |
| RADIUS | in/out | 1812 | tcp/udp | RADIUS |
| SMTP | out | 25 | tcp/udp | Email alerts and reports |
| | in/out | | tcp/udp | Traps received from McAfee appliances or sent to trap collector |
| | in/out | | tcp/udp | All McAfee appliances and to access the command line. |
| WHOIS | out | 43 | tcp/udp | Whois lookups. |

ERC - Event Receiver

| Application | Direction | Port(s) | Protocol | Destination / Description |
|---|---|---|---|---|
| | out | | tcp | Port used to communicate to ensure compliance |
| HTTPS | out | | tcp/udp | Callhome |
| OpenVPN (client IP varies; currently 9.1.x uses 69.20.166.9) | in | | udp | For remote management |
| | in/out | | tcp/udp | Traps received from McAfee appliances or sent to trap collector |
| | in/out | | tcp/udp | To/from ESM, ELM and to access the command line. |

ELM - Enterprise Log Manager

| Application | Direction | Port(s) | Protocol | Destination / Description |
|---|---|---|---|---|
| Data Archival | in/out | 445, 111, 2049 | tcp/udp | Data storage destination. CIFS uses 445; NFS uses 111 and 2049. |
| | out | | tcp | Port used to communicate to ensure compliance |
| HTTPS | out | | tcp/udp | Callhome |
| OpenVPN (client IP varies; currently 9.1.x uses 69.20.166.9) | in | | udp | For remote management |
| iSCSI | out | 860, 3260 | tcp | To communicate with iSCSI storage. |
| | in/out | | tcp/udp | Traps received from McAfee appliances or sent to trap collector |
| | in/out | | tcp/udp | To/from ESM, Receiver and to access the command line. |
| sftp | in/out | 23 | tcp/udp | Allow sftp client to access raw log files. |

ADM - Application Data Monitor

| Application | Direction | Port(s) | Protocol | Destination / Description |
|---|---|---|---|---|
| | out | | tcp | Port used to communicate to ensure compliance |
| HTTPS | out | | tcp/udp | Callhome |
| OpenVPN (client IP varies; currently 9.1.x uses 69.20.166.9) | in | | udp | For remote management |
| | in/out | | tcp/udp | Traps received from McAfee appliances or sent to trap collector |
| | in/out | | tcp/udp | To/from ESM and to access the command line. |

ACE - Advanced Correlation Engine

| Application | Direction | Port(s) | Protocol | Destination / Description |
|---|---|---|---|---|
| | out | | tcp | Port used to communicate to ensure compliance |
| HTTPS | out | | tcp/udp | Callhome |
| OpenVPN (client IP varies; currently 9.1.x uses 69.20.166.9) | in | | udp | For remote management |
| | in/out | | tcp/udp | Traps received from McAfee appliances or sent to trap collector |
| | in/out | | tcp/udp | To/from ESM and to access the command line. |

DEM - Database Event Monitor for SIEM

| Application | Direction | Port(s) | Protocol | Destination / Description |
|---|---|---|---|---|
| | out | | tcp | Port used to communicate to ensure compliance |
| HTTPS | out | | tcp/udp | Callhome |
| OpenVPN (client IP varies; currently 9.1.x uses 69.20.166.9) | in | | udp | For remote management |
| | in/out | | tcp/udp | Traps received from McAfee appliances or sent to trap collector |
| | in/out | | tcp/udp | To/from Nitro ESM, Administrative |
Below are the ports that data sources defined to an Event Receiver would typically use. This may be an incomplete list, since new data sources may have been added after the publication of this document.

Data Sources

| Data Source | Port | Protocol | Notes |
|---|---|---|---|
| Cisco MARS | 993 | tcp | |
| Cisco ASA NSEL | 2055 | tcp | User configurable. |
| Cisco RDEP | | tcp | User configurable. |
| estreamer | 8302 | tcp | |
| Flat File | 21,,80,445,111,2049 | tcp | CIFS uses 445; NFS uses 111 and 2049; SCP & SFTP use ; HTTP uses 80; FTP uses 21 |
| IBM Tivoli ID Mgr | 50000 (sql pull) | tcp | User configurable. |
| IPFIX | 4739 | udp/tcp | |
| itron | 21 | tcp | |
| McAfee Event Agent | 8081 | tcp/udp | User configurable. |
| McAfee NSM | 3306 | tcp | User configurable. |
| mssql pull | 1433 | tcp/udp | User configurable. Various data sources use this. |
| mysql | 3306 | tcp/udp | User configurable. |
| netflow | 2055, 9993 | udp | User configurable. |
| McAfee NSM | 3306 (sql pull) | tcp | User configurable. |
| McAfee | 8 | tcp | User configurable. |
| OPSEC | 18184 | tcp | User configurable. |
| Oracle | 1521 | tcp | |
| Postgres DB | 5432 | tcp | |
| SDEE | | tcp/udp | |
| SilverSpring | 21 | tcp | |
| Sophos | 1127 | tcp | |
| syslog | 514 | tcp/udp | |
| VMware vCenter | | tcp | |
| WMI | 135, 139, 1025-5000, 49152-655 | tcp/udp | Windows 2000 will use 139 & W2K3 and above will use 139. W2K3 and below will use dynamic port range 1025-5000. W2K8 and above will use dynamic port range 49152-655. |
Vulnerability Assessment

| Source | Port | Protocol |
|---|---|---|
| | | udp |
| SQL | 205, 1433 | tcp/udp |
| HTTPS | | tcp/udp |
| SCP | | tcp/udp |
| FTP | 20, 21 | tcp/udp |
| NFS | 2049, 3780 | tcp/udp |

For outbound Actions (NOTE: the ports listed here are the defaults and can be changed in the ESM GUI)

| Destination | Port | Protocol |
|---|---|---|
| ePO | 8 | tcp |
| NVM | 3800 | tcp |
| NSM | | tcp |
[Architecture diagram (updated 08.07.2014 and as of v9.4) showing the appliances and their external connections. Labels recoverable from the diagram:]

- ETM: stores parsed events in EDB; hosts the GUI; central point for all administration. ETM to external sources: Active Directory 389, 3268; Backup 445, 111, 2049; Rules & GTI 80 (connect to www.nitroguard.com); RADIUS 1812; SMTP 25; WHOIS 43; call home connects to 69.20.166.9.
- ACE: correlation appliance; rules and risk engines; original events flow from ESM, CE events flow to ESM. ACE to external sources: GUI via HTTPS 80 & ETM.
- DEM: passively monitors DB traffic; SPAN port access to see DB events.
- Event Receiver (ERC): parses, normalizes and aggregates events; parsed events go to ETM, raw events to ELM. ERC to VA sources: FTP 20, 21; NFS 2049, 3780; SQL 205, 1433; SCP. ERC to data sources: see page 3 of this document for a complete list.
- ADM: passively monitors application traffic; inspects layer 3 & layer 7; SPAN port access to see events.
- ELM: stores raw events; full text indexing; user definable storage; user definable compression. ELM to external sources: Data Archival 445, 111, 2049; iSCSI 860, 3260; sftp 23.