Refer to the following diagrams and port tables to ensure that all the relevant ports are opened for components in your NetWitness Platform deployment to communicate with each other.
See NetWitness Endpoint Architecture at the end of this topic for individual Endpoint Architectural diagrams.
NetWitness Platform Network Architecture Diagram
The following diagram illustrates the NetWitness Platform network architecture including all of its component products.
Note: NetWitness Platform core hosts must be able to communicate with the NetWitness Server (Primary Server in a multiple server deployment) through UDP port 123 for Network Time Protocol (NTP) time synchronization.
NetWitness Network (Packets) Architecture Diagram with Ports
NetWitness Logs Architecture Diagram with Ports
Event Stream Analysis Network (Packets) Architecture Diagram with Ports
The following diagram illustrates the Event Stream Analysis network architecture with packet capture.
Event Stream Analysis (Logs) Architecture Diagram with Ports
The following diagram illustrates the Event Stream Analysis network architecture with log collection.
NetWitness Platform Firewall Requirements Summary
The following table lists all the ports that need to be open in your firewall by host.
Note: The "NW Server" host ports apply to both the Primary and Warm Standby NW Server. Synchronization between the Primary and Warm Standby is done through TCP Port 22.
Source Host | Destination Host | Ports |
---|---|---|
NW Server | ESA Primary | TCP: 22, 80, 443, 5671, 7005 UDP: 123 |
NW Server | ESA | TCP: 22, 80, 443, 5671 |
NW Server | Network Decoder | TCP: 22, 5671, 50004 (Non-SSL), 50006 (Non-SSL), 50104 (REST), 50106 (REST), 56004 (SSL), 56006 (SSL) |
NW Server | Broker | TCP: 5671, 50003 (Non-SSL), 50006 (Non-SSL), 50103 (REST), 50106 (REST), 56003 (SSL), 56006 (SSL) |
NW Server | Concentrator (Network & Logs) | TCP: 22, 5671, 50005 (Non-SSL), 50006 (Non-SSL), 50105 (REST), 50106 (REST), 56005 (SSL), 56006 (SSL) UDP: 123 |
NW Server | Network Hybrid | TCP: 22, 5671, 50004 (Non-SSL), 50005 (Non-SSL), 50006 (Non-SSL), 50104 (REST), 50105 (REST), 50106 (REST), 56004 (SSL), 56005 (SSL), 56006 (SSL) UDP: 123 |
NW Server | Log Decoder | TCP: 22, 5671, 50001 (Non-SSL), 50002 (Non-SSL), 50006 (Non-SSL), 50101 (REST), 50102 (REST), 50106 (REST), 56001 (SSL), 56002 (SSL), 56006 (SSL) UDP: 123 |
NW Server | Log Hybrid | TCP: 22, 5671, 50001 (Non-SSL), 50002 (Non-SSL), 50005 (Non-SSL), 50006 (Non-SSL), 50101 (REST), 50102 (REST), 50105 (REST), 50106 (REST), 56001 (SSL), 56002 (SSL), 56005 (SSL), 56006 (SSL) UDP: 123 |
NW Server | Log Hybrid - Retention | TCP: 22, 5671, 50001 (Non-SSL), 50002 (Non-SSL), 50006 (Non-SSL), 50101 (REST), 50102 (REST), 50105 (REST), 50106 (REST), 56001 (SSL), 56002 (SSL), 56006 (SSL) UDP: 123 |
NW Server | Endpoint Log Hybrid | TCP: 22, 5671, 7050, 7054, 50001 (Non-SSL), 50002 (Non-SSL), 50005 (Non-SSL), 50006 (Non-SSL), 50101 (REST), 50102 (REST), 50105 (REST), 50106 (REST), 56001 (SSL), 56002 (SSL), 56005 (SSL), 56006 (SSL), 56202 (Endpoint) UDP: 123 |
NW Server | VLC | TCP: 22, 5671, 50001 (Non-SSL), 50006 (Non-SSL), 50101 (REST), 50106 (REST), 56001 (SSL), 56006 (SSL) UDP: 123 |
NW Server | Archiver | TCP: 22, 514, 5671, 6514, 50006 (Non-SSL), 50007 (Non-SSL), 50008 (Non-SSL), 50106 (REST), 50107 (REST), 50108 (REST), 56006 (SSL), 56007 (SSL), 56008 (SSL) UDP: 123, 514 |
NW Server | Malware | TCP: 22, 5671, 5432, 50003 (Non-SSL), 50006 (Non-SSL), 50103 (REST), 50106 (REST), 56003 (SSL), 56006 (SSL), 60007 |
NW Server | UEBA | TCP: 22, 15671, 5671, 443 |
ESA | NW Server | TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017 UDP: 123, 53 |
ESA | Active Directory | TCP: 389 (Non-SSL), 636 (SSL) |
ESA | Archer | TCP: 80 (Non-SSL), 443 (SSL) |
ESA Secondary | ESA Primary | TCP: 27017 |
ESA Primary or Secondary | Concentrator | TCP: 50005 (Non-SSL), 56005 (SSL) |
Network Decoder | NW Server | TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017 UDP: 53, 123 |
Concentrator (Network & Logs) | NW Server | TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017 UDP: 53, 123 |
Network Hybrid | NW Server | TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017 UDP: 53, 123 |
Log Decoder | NW Server | TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017 UDP: 53, 123 |
Log Hybrid | NW Server | TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017 UDP: 53, 123 |
Log Hybrid - Retention | NW Server | TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017 UDP: 53, 123 |
VLC | NW Server | TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017 UDP: 53, 123 |
VLC | Log Collector | TCP: 5671 |
Log Collector | VLC | TCP: 5671 |
Endpoint Log Hybrid | NW Server | TCP: 53, 80, 443, 5671, 4505, 4506, 15671, 27017 UDP: 53, 123 |
Endpoint Log Hybrid | Log Decoder | TCP: 50202 (Non-SSL), 50102 (REST), 56202 (SSL) UDP: 514 |
Endpoint Agent | Log Decoder | TCP: 514, 6514 UDP: 514 |
Endpoint Agent | Endpoint Log Hybrid | TCP: 443 UDP: 444 |
UEBA | NW Server | TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017, 50003 (Broker-Non-SSL), 50103 (Broker/REST), 56003 (Broker/SSL) UDP: 53, 123 |
UEBA | Concentrator | TCP: 50005 (Non-SSL), 50105 (REST), 56005 (SSL) |
www connections | ||
NW Server | cloud.netwitness.com, cms.netwitness.com, download.rsasecurity.com, panacea.threatgrid.com, quantum.subscribenet.com, rsasecurity.subscribenet.com, smcupdate.emc.com | TCP: 80, 443 |
ESA (Primary & Secondary) | cloud.netwitness.com, download.rsasecurity.com, panacea.threatgrid.com, quantum.subscribenet.com, rsasecurity.subscribenet.com, smcupdate.emc.com | TCP: 80, 443 |
Malware | panacea.threatgrid.com | TCP: 443 |
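The summary table can be turned into a machine-checkable allowlist. The following is an added example, not part of the NetWitness documentation or product: it parses rows in the table's "Source | Destination | Ports" layout into one rule per port, lists the ports the table labels Non-SSL so they can be reviewed separately, and answers whether a given flow is listed. The function names and the three sample rows (taken from the table above) are choices made for this example.

```python
import re

# Rows taken from the summary table above (a subset, for illustration).
SAMPLE_ROWS = """\
NW Server | Broker | TCP: 5671, 50003 (Non-SSL), 50006 (Non-SSL), 50103 (REST), 50106 (REST), 56003 (SSL), 56006 (SSL) |
ESA | NW Server | TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017 UDP: 123, 53 |
Endpoint Agent | Endpoint Log Hybrid | TCP: 443 UDP: 444 |
"""

# "TCP: ..." / "UDP: ..." groups inside the Ports cell, then "port (label)" items.
PROTO_RE = re.compile(r"\b(TCP|UDP):\s*(.*?)(?=\b(?:TCP|UDP):|$)", re.S)
PORT_RE = re.compile(r"(\d{1,5})\s*(?:\(([^)]*)\))?")


def parse_rows(text):
    """Expand each 'Source | Destination | Ports |' row into one rule per port."""
    rules = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 3 or not PROTO_RE.search(cells[2]):
            continue  # header, separator and section rows carry no port list
        src, dst, ports = cells[0], cells[1], cells[2]
        for proto, body in PROTO_RE.findall(ports):
            for port, label in PORT_RE.findall(body):
                if not 0 < int(port) <= 65535:
                    raise ValueError(f"invalid port {port!r} in row: {line}")
                rules.append({"src": src, "dst": dst, "proto": proto.lower(),
                              "port": int(port), "label": label or None})
    return rules


def cleartext_rules(rules):
    """Rules whose port the table labels 'Non-SSL'."""
    return [r for r in rules if r["label"] and "non-ssl" in r["label"].lower()]


def allowed(rules, src, dst, proto, port):
    """True if the flow appears in the parsed table (default deny otherwise)."""
    return any((r["src"], r["dst"], r["proto"], r["port"]) == (src, dst, proto, port)
               for r in rules)


if __name__ == "__main__":
    rules = parse_rows(SAMPLE_ROWS)
    for r in cleartext_rules(rules):
        print(f"review: {r['src']} -> {r['dst']} {r['proto']}/{r['port']} ({r['label']})")
```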
Comprehensive List of NetWitness Platform Host, Service, and iDRAC Ports
Note: For ports used in event collection through the NetWitness Logs, see the Log Collection Configuration Guide for RSA NetWitness Platform. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.
This section contains the port specifications for the following hosts.
NW Server Host (Primary and Warm Standby NW Server Host)
Note: Primary or Secondary Server is a type of appliance, while Active or Standby refers to an appliance's state, whether active or standby.
Source Host | Destination Host | Destination Ports | Comments |
---|---|---|---|
Admin Workstation | NW Server | TCP 443, 80 | nginx - NetWitness UI |
Admin Workstation | NW Server | TCP 15671 | RabbitMQ Management UI |
Admin Workstation | NW Server | TCP 22 | SSH Primary to Standby NW Server |
Admin Workstation | NW Server | TCP 22 | SSH |
NW Hosts | NW Server | TCP 53 | DNS |
NW Hosts | NW Server | TCP 15671 | RabbitMQ Management UI |
NW Hosts | NW Server | TCP 4505, 4506 | Salt Master Ports |
NW Hosts | NW Server | TCP 443 | RSA Update Repository |
NW Hosts | NW Server | TCP 5671 | RabbitMQ-amqp |
NW Hosts | NW Server | UDP 123 | NTP |
NW Hosts | NW Server | TCP 27017 | MongoDB |
NW Server | cloud.netwitness.com | TCP 443 | Live |
NW Server | cms.netwitness.com | TCP 443 | Live |
NW Server | smcupdate.emc.com | TCP 443 | Live |
NW Server | NFS Server | TCP 111, 2049 | iDRAC Installations |
NW Server | NW Hosts | UDP 123 | NTP |
NW Server | NW Endpoint | TCP 443, 9443 | For NW Endpoint 4.x integrations |
NW Server | Active Directory | TCP 3268, TLS 3269 | For NW User Authentication |
Analyst UI Host
Source Host | Destination Host | Destination Ports | Comments |
---|---|---|---|
Analyst UI | NW Server | TCP 7006 | The Content Server is listening on this port. |
Analyst UI | NW Server | TCP 7009 | The Admin Server is listening on this port. |
Analyst UI | NW Server | TCP 7012 | The Integration Server is listening on this port. |
Analyst UI | NW Server | TCP 7015 | The Source Server is listening on this port. |
Analyst UI | NW Server | TCP 7016 | The License Server is listening on this port. |
NW Hosts | Analyst UI | TCP 5671 | RabbitMQ-amqp |
Analyst UI | NW Server | UDP 123 | NTP |
Archiver Host
Source Host | Destination Host | Destination Ports | Comments |
---|---|---|---|
Admin Workstation | Archiver | TCP 15671 | RabbitMQ Management UI |
Archiver | Log Decoder | TCP 50002 (Non-SSL), 56002 (SSL) | Log Decoder Application Ports |
Archiver | NW Server | TCP 15671 | RabbitMQ Management UI |
Archiver | NW Server | TCP 443 | RSA Update Repository |
Admin Workstation | Archiver | TCP 22 | SSH |
NW Server | Archiver | TCP 50008 (Non-SSL), 56008 (SSL), 50108 (REST) | Archiver Application Ports |
NW Server | Archiver | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports |
NW Server | Archiver | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
NW Server | Archiver | TCP 50007 (Non-SSL), 56007 (SSL), 50107 (REST) | Workbench Application Ports |
Archiver | NFS Server | TCP 111, 2049 | iDRAC Installations |
Broker Host
Source Host | Destination Host | Destination Ports | Comments |
---|---|---|---|
Admin Workstation | Broker | TCP 15671 | RabbitMQ Management UI |
Broker | Concentrator | TCP 50005 (Non-SSL), 56005 | Concentrator Application Port |
Broker | Archiver | TCP 50008 (Non-SSL), 56008 (SSL) | Archiver Application Ports |
Broker | NW Server | TCP 15671 | RabbitMQ Management UI |
Broker | NW Server | TCP 443 | RSA Update Repository |
Admin Workstation | Broker | TCP 22 | SSH |
NW Server | Broker | TCP 50003 (Non-SSL), 56003 (SSL), 50103 (REST) | Broker Application Ports |
NW Server | Broker | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports |
NW Server | Broker | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
Broker | NW Server | TCP 111, 2049 UDP 111, 2049 | iDRAC Installations |
Endpoint Broker | NW Server | TCP 443 | RSA Update Repository |
Concentrator Host
Source Host | Destination Host | Destination Ports | Comments |
---|---|---|---|
Admin Workstation | Concentrator | TCP 15671 | RabbitMQ Management UI |
Concentrator | Log Decoder | TCP 50002 (Non-SSL), 56002 (SSL) | Log Decoder Application Port |
Concentrator | Network Decoder | TCP 56004, 50004 (Non-SSL) | Network Application Port |
Concentrator | NW Server | TCP 15671 | RabbitMQ Management UI |
Concentrator | NW Server | TCP 443 | RSA Update Repository |
Admin Workstation | Concentrator | TCP 22 | SSH |
NW Server | Concentrator | TCP 50005 (Non-SSL), 56005 (SSL), 50105 (REST) | Concentrator Application Ports |
Malware | Concentrator | TCP 50005 (Non-SSL), 56005 (SSL) | Malware |
NW Server | Concentrator | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports |
NW Server | Concentrator | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
Concentrator | NFS Server | TCP 111, 2049 | iDRAC Installations |
Endpoint Log Hybrid
Source Host | Destination Host | Destination Ports | Comments |
---|---|---|---|
Endpoint Agent | Endpoint Log Hybrid | TCP 443, UDP 444 | NGINX HTTPS (TCP 443), NGINX UDP (UDP 444). If UDP port 444 is not acceptable in your environment, see How to Change UDP Port for Endpoint Log Hybrid. |
Endpoint Agent | Log Decoder or Virtual Log Collector | TCP 514 (Syslog) UDP 514 (Syslog) TLS 6514 | Windows Log Collection |
Endpoint Log Hybrid | Log Decoder (External) | TCP 50102 (REST) 56202 (Protobuf SSL) 50202 (Protobuf) | To forward meta to an external Log Decoder |
Endpoint Log Hybrid | NW Server | TCP 443 | RSA Update Repository |
NW Server | Endpoint Log Hybrid | TCP 7050 | UI web traffic |
Endpoint Log Hybrid | NW Server | TCP 5671 | Message Bus |
Endpoint Log Hybrid | NW Server | TCP 27017 | MongoDB |
NW Server | Endpoint Log Hybrid | TCP 7054 | UI web traffic |
NW Server | NFS Server | TCP 111, 2049 | iDRAC Installations |
NW Server | Endpoint Log Hybrid | TCP 50001 (Non-SSL), 56001 (SSL), 50101 (REST) | Log Collector application ports |
NW Server | Endpoint Log Hybrid | TCP 50002 (Non-SSL), 56002 (SSL), 56202 (Endpoint), 50102 (REST) | Log Decoder application ports |
Admin Workstation | Endpoint Log Hybrid | TCP 15671 | RabbitMQ Management UI |
Endpoint Log Hybrid | NW Server | TCP 15671 | RabbitMQ Management UI |
Endpoint Relay Server
Source Host | Destination Host | Destination Ports | Comments |
---|---|---|---|
Endpoint Agent | Relay Server | TCP 443 | To forward host data to the Relay Server |
Endpoint Log Hybrid | Relay Server | TCP 443 | Pull host data from the Relay Server |
Event Stream Analysis (ESA) Host
Note: The ports in this table are for the ESA Primary and ESA Secondary hosts. The Context Hub, Correlation and ESA Analytics services are co-located on the ESA Primary host. The Correlation and ESA Analytics services are co-located on the ESA Secondary host.
Source Host | Destination Host | Destination Ports | Comments |
---|---|---|---|
Admin Workstation | ESA | TCP 15671 | RabbitMQ Management UI |
ESA Primary and Secondary | NW Server | TCP 15671 | RabbitMQ Management UI |
ESA Primary and Secondary | NW Server | TCP 443 | RSA Update Repository |
Admin Workstation | ESA | TCP 22 | SSH |
NW Server, ESA Secondary | ESA Primary | TCP 27017 | MongoDB |
NW Server | ESA Primary | TCP 7005 | Context Hub Launch Port - (ESA Primary) |
NW Server | ESA | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
ESA Primary and Secondary | cms.netwitness.com | TCP 443 | Live |
ESA Primary and Secondary | NFS Server | TCP 111, 2049 | iDRAC Installations |
ESA Primary and Secondary | Active Directory | 636 (SSL)/389 (Non-SSL) | |
NW Server | ESA | 80 (HTTP)/443 (HTTPS) (REST) | |
ESA Primary | Archer | 443 (SSL)/80 (Non-SSL) | |
ESA Primary | ESA Primary | TCP 7007 | Launch Port |
New Health and Wellness
Source Host | Destination Host | Destination Ports | Comments |
---|---|---|---|
Admin Workstation | Standalone Health & Wellness Host | TCP 22 | SSH |
Admin Workstation | Standalone Health & Wellness Host | TCP 5601 | Kibana UI |
NW Hosts | Standalone Health & Wellness Host | TCP 9200 | Elasticsearch REST API Port |
NW Server | Standalone Health & Wellness Host | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
NW Server | Standalone Health & Wellness Host | TCP 15671 | RabbitMQ Management UI |
NW Server | Standalone Health & Wellness Host | TCP 7018 | Metrics Server Launch Port |
NW Server | Standalone Health & Wellness Host | TCP 7020 | Node Infra Server Launch Port |
iDRAC Ports
Port | Function | Comments |
---|---|---|
22* | SSH | Default, configurable port through which iDRAC listens for connections |
443* | HTTP | Default, configurable port through which iDRAC listens for connections |
5900* | Virtual Console keyboard and mouse redirection, Virtual Media, Virtual Folders, and Remote File Share. | Default, configurable port through which iDRAC listens for connections |
111, 2049 | TCP | NetWitness Platform hosts to NFS Server |
111, 2049 | UDP | NetWitness Platform hosts to NFS Server |
Log Collector Host
Source Host | Destination Host | Destination Ports | Comments |
---|---|---|---|
Admin Workstation | Log Collector | TCP 15671 | RabbitMQ Management UI |
Log Collector | NW Server | TCP 15671 | RabbitMQ Management UI |
Log Collector | NW Server | TCP 443 | RSA Update Repository |
Admin Workstation | Log Collector | TCP 22 | SSH |
Log Collector | Log Event Sources | See Log Collection Configuration Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents. | |
Log Event Sources | Log Collector | TCP 514 (Syslog) UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow) | Log Collection Ports |
Log Event Sources | Log Collector | TCP 21, 64000, 64001, 64002, 64003, 64004 | Log Collection FTP/S Ports |
NW Server | Log Collector | TCP 50001 (Non-SSL), 56001 (SSL), 50101 (REST) | Log Collector Application Ports |
NW Server | Log Collector | TCP 56006 (SSL), 50106 (REST) | NetWitness Appliance Ports |
NW Server | Log Collector | TCP 5671 | RabbitMQ (AMQPS) message bus for all NW hosts. |
Log Collector | NFS Server | TCP 111, 2049 UDP 111, 2049 | iDRAC installations |
Log Collector | Virtual Log Collector | TCP 5671 | In Pull Mode |
Virtual Log Collector | Log Collector | TCP 5671 | In Push Mode |
Log Decoder Host
Source Host | Destination Host | Destination Ports | Comments |
---|---|---|---|
Admin Workstation | Log Decoder | TCP 15671 | RabbitMQ Management UI |
Log Decoder | NW Server | TCP 443 | RSA Update Repository |
Admin Workstation | Log Decoder | TCP 22 | SSH |
Log Decoder | Log Event Sources | See Log Collection Configuration Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents. | |
Log Event Sources | Log Decoder | TCP 514 (Syslog), UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow) | Log Collection P |