Refer to the following diagram and port table to ensure that all the relevant ports are opened for components in your NetWitness Platform deployment to communicate with each other.
See NetWitness Endpoint Architecture at the end of this topic for individual Endpoint Architectural diagrams.
NetWitness Platform Network Architecture Diagram
The following diagram illustrates the NetWitness Platform network architecture including all of its component products.
Note: NetWitness Platform core hosts must be able to communicate with the NetWitness Server (Primary Server in a multiple server deployment) through UDP port 123 for Network Time Protocol (NTP) time synchronization.
NetWitness Network (Packets) Network Architecture Diagram
The following diagram illustrates the NetWitness Network (Packets ) network architecture.
NetWitness Logs Network Architecture Diagram
The following diagram illustrates the NetWitness Logs network architecture.
Comprehensive List of NetWitness Platform Host, Service, and iDRAC Ports
Note: For ports used in event collection through the NetWitness Logs, see the "The Basics" in the RSA NetWitness Suite Log Collection Deployment Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
This section contains the port specifications for the following hosts.
NW Server Host
| Admin Workstation | NW Server | TCP 443, 80 | nginx - NetWitness UI |
| Admin Workstation | NW Server | TCP 15671 | RabbitMQ Management UI |
| Admin Workstation | NW Server | TCP 22 | SSH |
| NW Hosts | NW Server | TCP 53
UDP 53 | DNS |
| NW Hosts | NW Server | TCP 15671 | RabbitMQ Management UI |
| NW Hosts | NW Server | TCP 4505, 4506 | Salt Master Ports |
| NW Hosts | NW Server | TCP 443 | RSA Update Repository |
| NW Hosts | NW Server | TCP 5671 | RabbitMQ-amqp |
| NW Hosts | NW Server | UDP 123 | NTP |
| NW Hosts | NW Server | TCP 27017 | MongoDB |
| NW Server | cloud.netwitness.com | TCP 443 | Live |
| NW Server | cms.netwitness.com | TCP 443 | Live |
| NW Server | smcupdates.emc.com | TCP 443 | Live |
| NW Server | NFS Server | TCP 111, 2049,
UDP 111, 2049
| iDRAC Installations |
| NW Server | NW Hosts | UDP 123 | NTP |
| NW Server | NW Endpoint | TCP 443, 9443 | For NW Endpoint 4.x integrations |
Archiver Host
| Admin Workstation | Archiver | TCP 15671 | RabbitMQ Management UI |
| Archiver | NW Server | TCP 15671 | RabbitMQ Management UI |
| Archiver | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Archiver | TCP 22 | SSH |
| NW Server | Archiver | TCP 56008 (SSL), 50108 (REST) | Archiver Application Ports |
| NW Server | Archiver | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Archiver | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| NW Server | Archiver | TCP 514, 6514, 56007 (SSL), 50107 (REST), UDP 514 | Workbench Application Ports |
| Archiver | NFS Server | TCP 111 2049
UDP 111 2049 | iDRAC Installations |
Broker Host
| Admin Workstation | Broker | TCP 15671 | RabbitMQ Management UI |
| Broker | Concentrator | TCP 56005 | Concentrator Application Port |
| Broker | NW Server | TCP 15671 | RabbitMQ Management UI |
| Broker | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Broker | TCP 22 | SSH |
| NW Server | Broker | TCP 56003 (SSL), 50103 (REST) | Broker Application Ports |
| NW Server | Broker | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Broker | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Broker | NW Server | TCP 111 2049
UDP 111 2049 | iDRAC Installations |
| Endpoint Broker | NW Server | TCP 443 | RSA Update Repository |
Concentrator Host
| Admin Workstation | Concentrator | TCP 15671 | RabbitMQ Management UI |
| Concentrator | Log Decoder | TCP 56002 | Concentrator Application Port |
| Concentrator | Network Decoder | TCP 56004 | Concentrator Application Port |
| Concentrator | NW Server | TCP 15671 | RabbitMQ Management UI |
| Concentrator | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Concentrator | TCP 22 | SSH |
| NW Server | Concentrator | TCP 56005 (SSL), 50105 (REST) | Concentrator Application Ports |
| Malware | Concentrator | TCP 56005 (SSL) | Malware |
| NW Server | Concentrator | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Concentrator | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Concentrator | NFS Server | TCP 111 2049
UDP 111 2049 | iDRAC Installations |
Endpoint Log Hybrid
| Endpoint Agent | Endpoint Log Hybrid | TCP 443 UDP 444 | NGINX HTTPS NGINX UDP. If UDP port 444 is not acceptable in your environment, see How to Change UDP Port for Endpoint Log Hybrid. |
| Endpoint Agent | Log Decoder or Virtual Log Collector | TCP 514 (Syslog) UDP 514 (Syslog) TLS 6514 | Windows Log Collection |
| Endpoint Log Hybird | Log Decoder (External) | TCP 50102 (REST) 56202 (Protobuf SSL) 50202 (Protobuf) | To forward meta to an external Log Decoder |
| Endpoint Log Hybird | NW Server | TCP 443 | RSA Update Repository |
| NW Server | Endpoint Log Hybrid | TCP 7050 | UI web traffic |
| Endpoint Log Hybrid | NW Server | TCP 5671 | Message Bus |
| Endpoint Log Hybird | NW Server | TCP 27017 | MongoDB |
| NW Server | Endpoint Log Hybird | TCP 7054 | UI web traffic |
| NW Server | NFS Server | TCP 111, 2049
UDP 111, 2049 | iDRAC Installations |
Event Stream Analysis (ESA) Host
| Admin Workstation | ESA | TCP 15671 | RabbitMQ Management UI |
| ESA Primary and Secondary | NW Server | TCP 15671 | RabbitMQ Management UI |
| ESA Primary and Secondary | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | ESA | TCP 22 | SSH |
NW Server,
ESA Secondary | ESA Primary | TCP 27017 | MongoDB |
| NW Server | ESA Primary | TCP 7005 | Context Hub Launch Port - (ESA Primary) |
| NW Server | ESA | TCP 50030 (SSL) | ESA Application Port |
| NW Server | ESA | TCP 50035 (SSL) | ESA Application Port |
| NW Server | ESA | TCP 50036 (SSL) | ESA Application Port |
| NW Server | ESA | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| ESA Primary and Secondary | cms.netwitness.com | TCP 443 | Live |
| ESA Primary and Secondary | NFS Server | TCP 111 2049
UDP 111 2049 | iDRAC Installations |
| ESA Primary and Secondary | Active Directory | 636 (SSL)/389 (Non-SSL) | |
| NW Server | ESA | 80 (HTTP)/ 443 (HTTPS)(REST) | |
| ESA Primary | Archer | 443 (SSL)/80 (Non-SSL) | |
| ESA Primary | ESA Primary | TCP 7007 | Launch Port |
iDRAC Ports
| 22* | SSH | Default, configurable port through which iDRAC listens for connections |
| 443* | HTTP | Default, configurable port through which iDRAC listens for connections |
| 5900* | Virtual Console keyboard and mouse redirection,
Virtual Media, Virtual Folders, and Remote File Share. | Default, configurable port through which iDRAC listens for connections |
| 111, 2049 | TCP | NetWitness Platform hosts to NFS Server |
| 111, 2049 | UDP | NetWitness Platform hosts to NFS Server |
Log Collector Host
| Admin Workstation | Log Collector | TCP 15671 | RabbitMQ Management UI |
| Log Collector | NW Server | TCP 15671 | RabbitMQ Management UI |
| Log Collector | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Log Collector | TCP 22 | SSH |
| Log Collector | Log Event Sources | See Log Collection Configuration Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents. | |
| Log Event Sources | Log Collector | TCP 514 (Syslog)
UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow),
4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow)" | Log Collection Ports |
| Log Event Sources | Log Collector | TCP 21, 64000, 64001, 64002, 64003, 64004,
64005, 64006, 64007, 64008,64009 | Log Collection FTP/S Ports |
| NW Server | Log Collector | TCP 56001 (SSL), 50101 (REST) | Log Collector Application Ports |
| NW Server | Log Collector | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Log Collector | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Log Collector | NFS Server | TCP 111 2049
UDP 111 2049 | iDRAC installations |
| Log Collector | Virtual Log Collector | TCP 5671 | In Pull Mode |
| Virtual Log Collector | Log Collector | TCP 5671 | In Push Mode |
Log Decoder Host
| Admin Workstation | Log Decoder | TCP 15671 | RabbitMQ Management UI |
| Log Decoder | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Log Decoder | TCP 22 | SSH |
| Log Decoder | Log Event Sources | See Log Collection Configuration Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents. | |
| Log Event Sources | Log Decoder | TCP 514 (Syslog), UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow) | Log Collection Ports |
| Log Event Sources | Log Decoder | TCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008, 64009 | Log Collection FTP/S Ports |
| NW Server | Log Decoder | TCP 56001 (SSL), 50101 (REST) | Log Collector Application Ports |
| NW Server | Log Decoder | TCP 56002 (SSL),56202 (Endpoint), 50102 (REST) | Log Decoder Application Ports |
| NW Server | Log Decoder | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Log Decoder | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Log Decoder | Log Collector | TCP 6514 | |
| Log Decoder | NFS Server | TCP 111 2049
UDP 111 2049 | iDRAC Installations |
Log Hybrid Host
| Admin Workstation | Log Hybrid | TCP 15671 | RabbitMQ Management UI |
| Log Hybrid | NW Server | TCP 15671 | RabbitMQ Management UI |
| Log Hybrid | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Log Hybrid | TCP 22 | SSH |
| Log Collector | Log Event Sources | See Log Collection Configuration Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents. | |
| Log Event Sources | Log Hybrid | TCP 514 (Syslog), UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow) | Log Collection Ports |
| Log Event Sources | Log Hybrid | TCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008, 64009 | Log Collection FTP/S Ports |
| NW Server | Log Hybrid | TCP 56001 (SSL), 50101 (REST) | Log Collector Application Ports |
| NW Server | Log Hybrid | TCP 56002 (SSL), 56202 (Endpoint), 50102 (REST) | Log Decoder Application Ports |
| NW Server | Log Hybrid | TCP 56005 (SSL), 50105 (REST) | Concentrator Application Ports |
| NW Server | Log Hybrid | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Log Hybrid | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Log Hybrid | NFS Server | TCP 111 2049
UDP 111 2049 | iDRAC Installations |
Malware Host
| Admin Workstation | Malware | TCP 15671 | RabbitMQ Management UI |
| Malware | NW Server | TCP 15671 | RabbitMQ Management UI |
| Malware | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Malware | TCP 22 | SSH |
| NW Server | Malware | TCP 60007 | Malware Application Ports |
| NW Server | Malware | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Malware | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| NW Server | Malware | TCP 5432 | Postgresql |
| NW Server | Malware | TCP 56003 (SSL), 50103 (REST) | Broker Application Ports |
| Malware | panacea.threatgrid.com | TCP 443 | Threatgrid |
| Malware | cloud.netwitness.com | TCP 443 | Community evaluation / Opswat |
| Malware | NFS Server | TCP 111 2049
UDP 111 2049 | iDRAC Installations |
Network Decoder Host
| Admin Workstation | Network Decoder | TCP 15671 | RabbitMQ Management UI |
| Network Decoder | NW Server | TCP 15671 | RabbitMQ Management UI |
| Network Decoder | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Network Decoder | TCP 22 | SSH |
| NW Server | Network Decoder | TCP 56004 (SSL), 50104 (REST) | Network Decoder Application Ports |
| NW Server | Network Decoder | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Network Decoder | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Network Decoder | NFS Server | TCP 111 2049
UDP 111 2049 | iDRAC Installations |
Network Hybrid Host
| Admin Workstation | Network Hybrid | TCP 15671 | RabbitMQ Management UI |
| Network Hybrid | NW Server | TCP 15671 | RabbitMQ Management UI |
| Network Hybrid | NW Server | TCP 443 | RSA Update Repository |
| Admin Workstation | Network Hybrid | TCP 22 | SSH |
| NW Server | Network Hybrid | TCP 56004 (SSL), 50104 (REST) | Network Decoder Application Ports |
| NW Server | Network Hybrid | TCP 56005 (SSL), 50105 (REST) | Concentrator Application Ports |
| NW Server | Network Hybrid | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Network Hybrid | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Network Hybrid | NFS Server | TCP 111 2049
UDP 111 2049 | iDRAC Installations |
UEBA Host
| UEBA Server | NW Server | TCP 443 | RSA Update Repository |
| UEBA Server | Broker | TCP 56003 (SSL), 50103 (REST) | Broker Application Ports |
| UEBA Server | Concentrator | TCP 56005 (SSL), 50105 (REST) | Concentrator Application Ports |
| Admin Workstation | UEBA Server | 443 | UEBA Monitoring |
| Admin Workstation | UEBA Server | 22 | SSH |
| UEBA Server | NW Server | 15671 | UEBA Alerts forwarding to Respond |
| NW Server | NFS Server | TCP 111, 2049
UDP 111, 2049 | iDRAC Installations |
NetWitness Endpoint Architecture
NetWitness Endpoint 4.4 Integration with NetWitness Platform
For more information on the services running on Endpoint Log Hybrid, see RSA NetWitness Endpoint Configuration Guide.
How to Change UDP Port for Endpoint Log Hybrid
The following steps tell you how to change the Endpoint Log Hybrid default UDP port 444 if it is not acceptable in your environment. 555 is the example this procedures uses as a replacement for 444 UDP port.
There are two tasks you need to o change the Endpoint Log Hybrid default UDP port 444:
Task 1 - Tell All Agents to Use a New UDP Port
Task 2 - Update the Port on All Endpoint Log Hybrid Hosts in Your Environment
Note: If you did not select the custom firewall rules option when you ran the nwsetup-tui, NetWitness platform overwrites the firewall rules are overwritten after a period of time. Please refer to the following Knowledge Base Article 00036446 (https://community.rsa.com/docs/DOC-93651) if this is the case.
Task 1 - Tell All Agents to Use a New UDP Port
Complete the following steps to update the UDP port in the default Enterprise Data Replication (EDR) policy, and all other policies you have, to tell all agents to use a new UDP port.
-
In the NetWitness Platform menu, select ADMIN > Endpoint Sources > Policies.
The Policies view is displayed.
- Select the Default EDR Policy and click Edit from the toolbar.
- roll down to find the UDP PORT and change the value (for example, change from 444 to 555).
- Click Publish Policy at the bottom of the view.
Task 2 - Update the Port on All Endpoint Log Hybrid Hosts in Your Environment
SSH to o each Endpoint Log Hybrid host in your environment with admin credentials and make the following updates.
- Update the iptables rules to allow 555 in place of 444.
- Replace 444 with 555 in the following file.
vi /etc/sysconfig/iptables - Restart iptables with the following command string.
systemctl restart iptables - Verify the change with the following command string.
iptables -L -n
The following is an example of what is displayed for a correct change.
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp multiport dports 555 /* EndpointNginxPort */ ctstate NEW
- Update the SELinux policy. 555 is a privileged port, so you must update SELinux policy to allow this port.
- Run the following command string.
semanage port -a -t http_port_t -p udp 555
If you received any python errors or warnings, ignored them. - Verify the change with the following command string.
semanage port -l | grep http_port_t
The following is an example of what is displayed for a correct change.
http_port_t udp 555, 444 - (Optional) Remove 444.
- Update nginx config.
- Edit the following file.
vi /etc/nginx/nginx.conf - Search for the following string.
listen 444 udp; - Replace 444 with 555.
- Restart nginx with the following command string.
systemctl restart nginx
- Verify that agents are communicating over the new port.
- Run the following command string.
tcpdump -i eth0 port 555 - Wait for 30 seconds because the port sends out a beacon every 30 seconds. If t everything is working correctly, information similar to the following will be displayed.
09:20:12.571316 IP 10.40.15.103.60807 > NiranjanEPS1.rsa.lab.emc.com.dsf: UDP, length 20
09:20:12.572433 IP NiranjanEPS1.rsa.lab.emc.com.dsf > 10.40.15.103.60807: UDP, length 1
Both lines must be returned. One is the size request (20 bytes) and the other is the response size (1 byte).
