000029828 - Port Scanning Tool for RSA Security Analytics 10.4

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 5Show Document
  • Comment0
  • View in full screen mode

Article Content

Article Number000029828
Applies ToRSA Product Set: Security Analytics

RSA Product/Service Type: SA Series 4s Appliances
RSA Version/Condition: 10.4.x

Platform: CentOS

O/S Version: 6
IssueSecurity Analytics version 10.4.0.2 requires a number of ports to communicate between SA appliances and other hosts.  A port diagram and list of the required ports is posted at sadocs.emc.com and you may use this article and the attached Python script to check the status of these ports.  
This script also checks for the two additional ports (8140 and 61614) noted in RSA Security Analytics 10.4 is experiencing connectivity issues due to blocked ports, (KB article 29087)


Download the attached script, copy it to each of your SA appliances and run the script to check the 60 ports used by SA.  



 
ResolutionFollow these steps to test ports between Security Analytics appliances.
  1. Download saportscan.py from this article. 
  2. Copy saportscan.py to each SA appliance to be tested using scp, WinSCP or a similar tool.
  3. Change to the folder where you have copied the script: cd /tmp
  4. Change the script to executable with the following command:  chmod + x saportscan.py
  5. Execute the script:  ./saportscan.py 
  6. Enter the host name or IP Address of the target host to be scanned when prompted.
  7. Wait for the script to complete.  This will take between 2 seconds and 2 minutes in most cases.
  8. Review the output file for details:  less /tmp/portstatus.txt
The output file will provide the date the report was run, the source and target host names, a timestamp for each port tested, and the port number and status.  Status is either OPEN or CLOSED. 
If the time between port tests is longer than a few milliseconds, it might imply network latency.  In our test lab, hosts on the same switch reply within a few milliseconds while hosts on different switches take as log as one second to respond.  
Study the closed ports that are used by your specific appliance using the Network Architecture and Ports found at sadocs.emc.com as a guide.  Make sure all ports used by any given appliance are OPEN.  
Sample Output of "portstatus.txt"
Run Date: Mon Mar 16 19:09:37 2015  [# Date report created]
Source Host:  CS-Broker-01          [# Host report created on]
Target Host:  10.20.30.41           [# Destination host tested] 
19:09:37.5402                       [# Time port test started]
Port 22: OPEN                       [# Port checked and status (Port 22 is OPEN)]
19:09:37.5407
**Port 25: *CLOSED*
19:09:37.5419
Port 111: OPEN
19:09:37.5424
**Port 389: *CLOSED*
[snipped]
19:09:37.5465
**Port 9998: *CLOSED*
19:09:37.5467
**Port 50001: *CLOSED*
19:09:37.5469
**Port 50002: *CLOSED*
19:09:37.5474
**Port 50003: *CLOSED*
19:09:37.5476
**Port 50004: *CLOSED*
19:09:37.5478
**Port 50005: *CLOSED*
19:09:37.5480
Port 50006: OPEN
19:09:37.5482
**Port 50007: *CLOSED*
19:09:37.5484
**Port 50008: *CLOSED*
19:09:37.5486
**Port 50009: *CLOSED*
19:09:37.5510
Port 50106: OPEN
[snipped]
19:09:37.5546
**Port 60007: *CLOSED*
19:09:37.5548
**Port 61614: *CLOSED*
(END)

 
NotesNote that not every port will be used in every environment.  For example, if you do not deploy ESA appliances, ports 50030 and 27017 will not be used.
 

Attachments

Outcomes

    Visibility: RSA NetWitness Logs & Network Knowledge Base467 Views
    Last modified on Apr 21, 2017 8:52 PM
    Tags:
    Ratings: