Deployment: Network Architecture and Ports

Document created by RSA Information Design and Development on Oct 17, 2017. Last modified by Susan Ewald on Oct 18, 2017.
Version 7
 

Refer to the following diagram and port table to ensure that all the relevant ports are opened for components in your NetWitness Suite deployment to communicate with each other.

NetWitness Suite Network Architecture Diagram

The following diagram illustrates the NetWitness Suite network architecture including all of its component products.

Note: NetWitness Suite core hosts must be able to communicate with the NetWitness Server (Primary Server in a multiple server deployment) through UDP port 123 for Network Time Protocol (NTP) time synchronization.

 

 

Comprehensive List of NetWitness Suite Host and Service Ports

Note: For ports used in event collection through NetWitness Logs, see "Log Collection Architecture" in the Log Collection Configuration Guide.

This section contains the port specifications for the following hosts.

                             

NW Server Host

                                                                     

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | NW Server | TCP 443, 80 | nginx - NetWitness UI |
| Admin Workstation | NW Server | TCP 15671 | RabbitMQ Management UI |
| Admin Workstation | NW Server | TCP 22 | SSH |
| NW Hosts | NW Server | TCP 4505, 4506 | Salt Master Ports |
| NW Hosts | NW Server | UDP 123 | NTP |
| NW Hosts | NW Server | TCP 27017 | MongoDB |
| NW Server | NW Server | UDP 123 | NTP |
| NW Server | NFS Server | TCP 111, 2049; UDP 111, 204 | iDRAC Installations |

Archiver Host

                                                         

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Archiver | TCP 15671 | RabbitMQ Management UI |
| Admin Workstation | Archiver | TCP 22 | SSH |
| NW Server | Archiver | TCP 56008 (SSL), 50008 (Non-SSL), 50108 (REST) | Archiver Application Ports |
| NW Server | Archiver | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Archiver | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| NW Server | Archiver | TCP 514, 6514, 56007 (SSL), 50007 (Non-SSL), 50107 (REST), UDP 514 | Workbench Application Ports |
| Archiver | NFS Server | TCP 111, 2049; UDP 111, 204 | iDRAC Installations |

Broker Host

                                                   

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Broker | TCP 15671 | RabbitMQ Management UI |
| Admin Workstation | Broker | TCP 22 | SSH |
| NW Server | Broker | TCP 56003 (SSL), 50003 (Non-SSL), 50103 (REST) | Broker Application Ports |
| NW Server | Broker | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Broker | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Broker | NW Server | TCP 111, 2049; UDP 111, 2049 | iDRAC Installations |

Concentrator Host

                                                   

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Concentrator | TCP 15671 | RabbitMQ Management UI |
| Admin Workstation | Concentrator | TCP 22 | SSH |
| NW Server | Concentrator | TCP 56005 (SSL), 50005 (Non-SSL), 50105 (REST) | Concentrator Application Ports |
| NW Server | Concentrator | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Concentrator | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Concentrator | NFS Server | TCP 111, 2049; UDP 111, 204 | iDRAC Installations |

Event Stream Analysis (ESA) Host

                                                                           

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | ESA | TCP 15671 | RabbitMQ Management UI |
| Admin Workstation | ESA | TCP 22 | SSH |
| NW Server, NW Endpoint, ESA Secondary | ESA Primary | TCP 27017 | MongoDB |
| NW Server | ESA Primary | TCP 7005 | Context Hub Launch Port - (ESA Primary) |
| NW Server | ESA | TCP 50030 (SSL) | ESA Application Port |
| NW Server | ESA | TCP 50035 (SSL) | ESA Application Port |
| NW Server | ESA | TCP 50036 (SSL) | ESA Application Port |
| NW Server | ESA | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| ESA | cms.netwitness.com | TCP 443 | Live |
| ESA | NFS Server | TCP 111, 2049; UDP 111, 2049 | NTP |

Log Collector Host

                                                                     

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Log Collector | TCP 15671 | RabbitMQ Management UI |
| Admin Workstation | Log Collector | TCP 22 | SSH |
| Log Collector | Log Event Sources | See Log Collection Configuration Guide. Go to the Master Table of Contents for Version 11.0 to find NetWitness Suite 11.0 documents. | |
| Log Event Sources | Log Collector | TCP 514 (Syslog); UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow) | Log Collection Ports |
| Log Event Sources | Log Collector | TCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008, 64009 | Log Collection FTP/S Ports |
| NW Server | Log Collector | TCP 56001 (SSL), 50001 (Non-SSL), 50101 (REST) | Log Collector Application Ports |
| NW Server | Log Collector | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Log Collector | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Log Collector | NFS Server | TCP 111, 2049; UDP 111, 2049 | iDRAC installations |

Log Decoder Host

                                                                           

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Log Decoder | TCP 15671 | RabbitMQ Management UI |
| Admin Workstation | Log Decoder | TCP 22 | SSH |
| Log Decoder | Log Event Sources | See Log Collection Configuration Guide. Go to the Master Table of Contents for Version 11.0 to find NetWitness Suite 11.0 documents. | |
| Log Event Sources | Log Decoder | TCP 514 (Syslog), UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow) | Log Collection Ports |
| Log Event Sources | Log Decoder | TCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008, 64009 | Log Collection FTP/S Ports |
| NW Server | Log Decoder | TCP 56001 (SSL), 50001 (Non-SSL), 50101 (REST) | Log Collector Application Ports |
| NW Server | Log Decoder | TCP 56002 (SSL), 50002 (Non-SSL), 56202 (Endpoint), 50102 (REST) | Log Decoder Application Ports |
| NW Server | Log Decoder | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Log Decoder | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Log Decoder | NFS Server | TCP 111, 2049; UDP 111, 204 | iDRAC Installations |

Log Hybrid Host

                                                                                 

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Log Hybrid | TCP 15671 | RabbitMQ Management UI |
| Admin Workstation | Log Hybrid | TCP 22 | SSH |
| Log Collector | Log Event Sources | See Log Collection Configuration Guide. Go to the Master Table of Contents for Version 11.0 to find NetWitness Suite 11.0 documents. | |
| Log Event Sources | Log Hybrid | TCP 514 (Syslog), UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow) | Log Collection Ports |
| Log Event Sources | Log Hybrid | TCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008, 64009 | Log Collection FTP/S Ports |
| NW Server | Log Hybrid | TCP 56001 (SSL), 50001 (Non-SSL), 50101 (REST) | Log Collector Application Ports |
| NW Server | Log Hybrid | TCP 56002 (SSL), 50002 (Non-SSL), 56202 (Endpoint), 50102 (REST) | Log Decoder Application Ports |
| NW Server | Log Hybrid | TCP 56005 (SSL), 50005 (Non-SSL), 50105 (REST) | Concentrator Application Ports |
| NW Server | Log Hybrid | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Log Hybrid | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Log Hybrid | NFS Server | TCP 111, 2049; UDP 111, 204 | iDRAC Installations |

Malware Host

                                                                           

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Malware | TCP 15671 | RabbitMQ Management UI |
| Admin Workstation | Malware | TCP 22 | SSH |
| NW Server | Malware | TCP 60007 | Malware Application Ports |
| NW Server | Malware | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Malware | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| NW Server | Malware | TCP 5432 | Postgresql |
| NW Server | Malware | TCP 56003 (SSL), 50003 (Non-SSL), 50103 (REST) | Broker Application Ports |
| Malware | panacea.threatgrid.com | TCP 443 | Threatgrid |
| Malware | cloud.netwitness.com | TCP 443 | Community evaluation / Opswat |
| Malware | NFS Server | TCP 111, 2049; UDP 111, 204 | iDRAC Installations |

Packet Decoder Host

                                                   

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Packet Decoder | TCP 15671 | RabbitMQ Management UI |
| Admin Workstation | Packet Decoder | TCP 22 | SSH |
| NW Server | Packet Decoder | TCP 56004 (SSL), 50004 (Non-SSL), 50104 (REST) | Packet Decoder Application Ports |
| NW Server | Packet Decoder | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Packet Decoder | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Packet Decoder | NFS Server | TCP 111, 2049; UDP 111, 204 | iDRAC Installations |

Packet Hybrid Host

                                                         

| Source Host | Destination Host | Destination Ports | Comments |
|---|---|---|---|
| Admin Workstation | Packet Hybrid | TCP 15671 | RabbitMQ Management UI |
| Admin Workstation | Packet Hybrid | TCP 22 | SSH |
| NW Server | Packet Hybrid | TCP 56004 (SSL), 50004 (Non-SSL), 50104 (REST) | Packet Decoder Application Ports |
| NW Server | Packet Hybrid | TCP 56005 (SSL), 50005 (Non-SSL), 50105 (REST) | Concentrator Application Ports |
| NW Server | Packet Hybrid | TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST) | NetWitness Appliance Ports |
| NW Server | Packet Hybrid | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
| Packet Hybrid | NFS Server | TCP 111, 2049; UDP 111, 204 | iDRAC Installations |
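The Destination Ports cells in the tables above mix protocols and parenthesised labels in one string, so a firewall review has to parse them before it can compare them with observed traffic. The following is an added example, not RSA code and not part of the original page: it parses rows copied from the Concentrator and Archiver tables into a per-host allow-list and reports flows that no row permits. The function names and the `FLOWS` sample are constructed, and mapping source IP addresses to role names is assumed to happen elsewhere.

```python
import re

# Rows copied from the Concentrator and Archiver tables on this page:
# (source host, destination host, "Destination Ports" cell).
ROWS = [
    ("Admin Workstation", "Concentrator", "TCP 22"),
    ("NW Server", "Concentrator", "TCP 56005 (SSL), 50005 (Non-SSL), 50105 (REST)"),
    ("NW Server", "Concentrator", "TCP 56006 (SSL), 50006 (Non-SSL), 50106 (REST)"),
    ("NW Server", "Concentrator", "TCP 5671"),
    ("NW Server", "Archiver",
     "TCP 514, 6514, 56007 (SSL), 50007 (Non-SSL), 50107 (REST), UDP 514"),
]
_TOKEN = re.compile(r"\b(TCP|UDP)\b|(\d+)(?:\s*\(([^)]*)\))?")

def parse_ports(cell):
    """Split one cell into (proto, port, label) tuples. A TCP/UDP keyword
    applies to every port that follows it until the next keyword."""
    ports, proto = [], None
    for m in _TOKEN.finditer(cell):
        if m.group(1):
            proto = m.group(1).lower()
            continue
        port = int(m.group(2))
        if proto is None or not 1 <= port <= 65535:
            raise ValueError(f"cannot interpret {m.group(0)!r} in {cell!r}")
        ports.append((proto, port, m.group(3) or ""))
    return ports

def allow_list(dest):
    """Map (proto, port) -> set of source roles the table permits for dest."""
    allowed = {}
    for src, dst, cell in ROWS:
        if dst == dest:
            for proto, port, _ in parse_ports(cell):
                allowed.setdefault((proto, port), set()).add(src)
    return allowed

def labelled(dest, label):
    """Ports of dest whose parenthesised label equals label, e.g. 'Non-SSL'."""
    return sorted(port for _, dst, cell in ROWS if dst == dest
                  for _, port, lab in parse_ports(cell) if lab == label)

def unexpected(dest, flows):
    """Return the observed (proto, port, source_role) flows no row permits."""
    allowed = allow_list(dest)
    return [f for f in flows if f[2] not in allowed.get((f[0], f[1]), set())]

# Constructed sample flows towards a Concentrator (not captured traffic).
FLOWS = [("tcp", 22, "Admin Workstation"), ("tcp", 22, "NW Server"),
         ("tcp", 50005, "NW Server"), ("tcp", 27017, "NW Server")]
```

`unexpected("Concentrator", FLOWS)` returns the SSH flow from the NW Server and the MongoDB flow, because the Concentrator table lists SSH only from the Admin Workstation and has no row for TCP 27017.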

 

 

 
