Deployment Guide: Network Architecture and Ports

Document created by RSA Information Design and Development on Oct 17, 2017•Last modified by RSA Information Design and Development on Sep 19, 2019

Version 22Show Document

Like • Show 2 Likes2
Comment • 0
View in full screen mode

Refer to the following diagram and port table to ensure that all the relevant ports are opened for components in your NetWitness Platform deployment to communicate with each other.

See NetWitness Endpoint Architecture at the end of this topic for individual Endpoint Architectural diagrams.

NetWitness Platform Network Architecture Diagram

The following diagram illustrates the NetWitness Platform network architecture including all of its component products.

Note: NetWitness Platform core hosts must be able to communicate with the NetWitness Server (Primary Server in a multiple server deployment) through UDP port 123 for Network Time Protocol (NTP) time synchronization.

NetWitness Network (Packets) Architecture Diagram with Ports

NetWitness Logs Architecture Diagram with Ports

Event Stream Analysis Network (Packets) Architecture Diagram with Ports

The following diagram illustrates the Event Stream Analysis network architecture with packet capture.

Event Stream Analysis (Logs) Architecture Diagram with Ports

The following diagram illustrates the Event Stream Analysis network architecture with log collection.

NetWitness Platform Firewall Requirements Summary

The following table lists all the ports that need to be open in your firewall by host.

Source Host	Destination Host	Ports
NW Server	ESA Primary	TCP: 22, 80, 443, 5671, 7005, 50030 (SSL), 50035 (SSL), 50036 (SSL) UDP:123
NW Server	ESA	TCP: 22, 80, 443, 5671, 50035 (SSL), 50036 (SSL) UDP: 123
NW Server	Network Decoder	TCP: 22, 5671, 50004 (Non-SSL), 50006 (Non-SSL), 50104 (REST), 50106 (REST), 56004 (SSL), 56006 (SSL) UDP: 123
NW Server	Broker	TCP: 5671, 50003 (Non-SSL), 50006 (Non-SSL), 50103 (REST), 50106 (REST) 56003 (SSL), 56006 (SSL) UDP: 123
NW Server	Concentrator (Network & Logs)	TCP: 22, 5671, 50005 (Non-SSL), 60006 (Non-SSL), 50105 (REST), 50106 (REST), 56005 (SSL), 56006 (SSL) UDP: 123
NW Server	Network Hybrid	TCP: 22, 5671, 50004 (Non-SSL), 50005 (Non-SSL), 50006 (Non-SSL), 50104 (REST), 50105 (REST), 50106 (REST), 56004 (SSL), 56005 (SSL), 56006 (SSL) UDP: 123
NW Server	Log Decoder	TCP: 22, 5671, 50001 (Non-SSL), 50002 (Non-SSL), 50006 (Non-SSL), 50101 (REST), 50102 (REST), 50106 (REST), 56001 (SSL), 56002 (SSL), 56006 (SSL) UDP: 123
NW Server	Log Hybrid	TCP: 22, 5671, 50001 (Non-SSL), 50002 (Non-SSL), 50005 (Non-SSL), 50006 (Non-SSL), 50101 (REST), 50102 (REST), 50105 (REST), 50106 (REST), 56001 (SSL), 56002 (SSL), 56005 (SSL), 56006 (SSL) UDP: 123
NW Server	Endpoint Log Hybrid	TCP: 22, 5671, 7050, 7054, 50001 (Non-SSL), 50002 (Non-SSL), 50005 (Non-SSL), 50006 (Non-SSL), 50101 (REST), 50102 (REST), 50105 (REST), 50106 (REST), 56001 (SSL), 56002 (SSL), 56005 (SSL), 56006 (SSL), 56202 (Endpoint) UDP: 123
NW Server	VLC	TCP: 22, 5671, 50001 (Non-SSL), 50006 (Non-SSL), 50101 (REST), 50106 (REST), 56001 (SSL), 56006 (SSL) UDP: 123
NW Server	Archiver	TCP: 22, 514, 5671, 6514, 50006(Non-SSL), 50007 (Non-SSL), 50008 (Non-SSL), 50106 (REST), 50107 (REST), 50108 (REST), 56006 (SSL), 56007 (SSL), 56008 (SSL) UDP: 123, 514
NW Server	Malware	TCP: 22, 5671, 5432, 50003 (Non-SSL), 50006 (Non-SSL), 50103 (REST), 50106 (REST), 56003 (SSL), 56006 (SSL), 60007 UDP: 123
NW Server	UEBA	TCP: 22 UDP: 123
ESA	NW Server	TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017 UDP: 123, 53
ESA	Active Directory	TCP: 389 (Non-SSL), 636 (SSL)
ESA	Archer	TCP: 80 (Non-SSL), 443 (SSL),
ESA Secondary	ESA Primary	TCP: 27017
Network Decoder	NW Server	TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017, UDP: 53, 123
Concentrator (Network & Logs)	NW Server	TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017 UDP: 53, 123
Network Hybrid	NW Server	TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017) UDP: 53, 123
Log Decoder	NW Server	TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017 UDP: 53, 123
Log Hybrid	NW Server	TCP: 53, 80, 443, 4505, 4506, 5671,15671, 27017 UDP: 53, 123
VLC	NW Server	TCP: 53, 80, 443, 4505, 4506, 5671,15671, 27017 UDP: 53, 123
VLC	Log Collector	TCP: 5671
Log Collector	VLC	TCP: 5671
Endpoint Log Hybrid	NW Server	TCP: 53, 80, 443, 5671, 4505, 4506, 15671, 27017 UDP: 53, 123
Endpoint Log Hybrid	Log Decoder	TCP: 50202 (Non-SSL), 50102 (REST), 56202 (SSL) UDP: 514
Endpoint Agent	Log Decoder	TCP: 514, 6514 UDP: 514
Endpoint Agent	Endpoint Log Hybrid	TCP: 443 UDP: 444
UEBA	NW Server	TCP: 53, 80, 443, 4505, 4506, 5671, 15671, 27017, 50003 (Broker-Non-SSL), 50103 (Broker/REST), 56003 (Broker/SSL) UDP: 53, 123
UEBA	Concentrator	TCP: 50005 (Non-SSL), 50105 (REST), 56005 (SSL)
www connections
NW Server	cloud.netwitness.com cms.netwitness.com download.rsasecurity.com panacea.threatgrid.com quantum.subscribenet.com rsasecurity.subscribenet.com smcupdate.emc.com	TCP: 80, 443
ESA (Primary & Secondary)	cloud.netwitness.com cms.netwitness.com download.rsasecurity.com panacea.threatgrid.com quantum.subscribenet.com rsasecurity.subscribenet.com smcupdate.emc.com	TCP: 80, 443
Malware	panacea.threatgrid.com cloud.netwitness.com	TCP: 443

Comprehensive List of NetWitness Platform Host, Service, and iDRAC Ports

Note: For ports used in event collection through the NetWitness Logs, see the "The Basics" in the RSA NetWitness Suite Log Collection Deployment Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

This section contains the port specifications for the following hosts.

NW Server Host	Log Collector Host
Archiver Host	Log Decoder Host
Broker Host	Log Hybrid Host
Concentrator Host	Malware Host
Endpoint Log Hybrid Host	Network Decoder Host
Event Stream Analysis Host	Network Hybrid Host
Relay Server	UEBA Host
iDRAC Ports

NW Server Host

Source Host	Destination Host	Destination Ports	Comments
Admin Workstation	NW Server	TCP 443, 80	nginx - NetWitness UI
Admin Workstation	NW Server	TCP 15671	RabbitMQ Management UI
Admin Workstation	NW Server	TCP 22	SSH
NW Hosts	NW Server	TCP 53 UDP 53	DNS
NW Hosts	NW Server	TCP 15671	RabbitMQ Management UI
NW Hosts	NW Server	TCP 4505, 4506	Salt Master Ports
NW Hosts	NW Server	TCP 443	RSA Update Repository
NW Hosts	NW Server	TCP 5671	RabbitMQ-amqp
NW Hosts	NW Server	UDP 123	NTP
NW Hosts	NW Server	TCP 27017	MongoDB
NW Server	cloud.netwitness.com	TCP 443	Live
NW Server	cms.netwitness.com	TCP 443	Live
NW Server	smcupdate.emc.com	TCP 443	Live
NW Server	NFS Server	TCP 111, 2049, UDP 111, 2049	iDRAC Installations
NW Server	NW Hosts	UDP 123	NTP
NW Server	NW Endpoint	TCP 443, 9443	For NW Endpoint 4.x integrations

Archiver Host

Source Host	Destination Host	Destination Ports	Comments
Admin Workstation	Archiver	TCP 15671	RabbitMQ Management UI
Archiver	NW Server	TCP 15671	RabbitMQ Management UI
Archiver	NW Server	TCP 443	RSA Update Repository
Admin Workstation	Archiver	TCP 22	SSH
NW Server	Archiver	TCP 50008 (Non-SSL), 56008 (SSL), 50108 (REST)	Archiver Application Ports
NW Server	Archiver	TCP 56006 (SSL), 50106 (REST)	NetWitness Appliance Ports
NW Server	Archiver	TCP 5671	RabbitMQ (AMQPS) message bus for all NW hosts.
NW Server	Archiver	TCP 514, 6514, 50007 (Non-SSL) 56007 (SSL), 50107 (REST), UDP 514	Workbench Application Ports
Archiver	NFS Server	TCP 111 2049 UDP 111 2049	iDRAC Installations

Broker Host

Source Host	Destination Host	Destination Ports	Comments
Admin Workstation	Broker	TCP 15671	RabbitMQ Management UI
Broker	Concentrator	TCP 50005 (Non-SSL), 56005	Concentrator Application Port
Broker	NW Server	TCP 15671	RabbitMQ Management UI
Broker	NW Server	TCP 443	RSA Update Repository
Admin Workstation	Broker	TCP 22	SSH
NW Server	Broker	TCP 50003 (Non-SSL), 56003 (SSL), 50103 (REST)	Broker Application Ports
NW Server	Broker	TCP 56006 (SSL), 50106 (REST)	NetWitness Appliance Ports
NW Server	Broker	TCP 5671	RabbitMQ (AMQPS) message bus for all NW hosts.
Broker	NW Server	TCP 111 2049 UDP 111 2049	iDRAC Installations
Endpoint Broker	NW Server	TCP 443	RSA Update Repository

Concentrator Host

Source Host	Destination Host	Destination Ports	Comments
Admin Workstation	Concentrator	TCP 15671	RabbitMQ Management UI
Concentrator	Log Decoder	TCP 50002 (Non-SSL), 56002 (SSL)	Log Decoder Application Port
Concentrator	Network Decoder	TCP 56004, 50004 (Non-SSL)	Network Application Port
Concentrator	NW Server	TCP 15671	RabbitMQ Management UI
Concentrator	NW Server	TCP 443	RSA Update Repository
Admin Workstation	Concentrator	TCP 22	SSH
NW Server	Concentrator	TCP 50005 (Non-SSL), 56005 (SSL), 50105 (REST)	Concentrator Application Ports
Malware	Concentrator	TCP TCP 50005 (Non-SSL), 56005 (SSL)	Malware
NW Server	Concentrator	TCP 56006 (SSL), 50106 (REST)	NetWitness Appliance Ports
NW Server	Concentrator	TCP 5671	RabbitMQ (AMQPS) message bus for all NW hosts.
Concentrator	NFS Server	TCP 111 2049 UDP 111 2049	iDRAC Installations

Endpoint Log Hybrid

Source Host	Destination Host	Destination Ports	Comments
Endpoint Agent	Endpoint Log Hybrid	TCP 443 UDP 444	NGINX HTTPS NGINX UDP. If UDP port 444 is not acceptable in your environment, see How to Change UDP Port for Endpoint Log Hybrid.
Endpoint Agent	Log Decoder or Virtual Log Collector	TCP 514 (Syslog) UDP 514 (Syslog) TLS 6514	Windows Log Collection
Endpoint Log Hybird	Log Decoder (External)	TCP 50102 (REST) 56202 (Protobuf SSL) 50202 (Protobuf)	To forward meta to an external Log Decoder
Endpoint Log Hybird	NW Server	TCP 443	RSA Update Repository
NW Server	Endpoint Log Hybrid	TCP 7050	UI web traffic
Endpoint Log Hybrid	NW Server	TCP 5671	Message Bus
Endpoint Log Hybird	NW Server	TCP 27017	MongoDB
NW Server	Endpoint Log Hybrid	TCP 7054	UI web traffic
NW Server	NFS Server	TCP 111, 2049 UDP 111, 2049	iDRAC Installations
NW Server	Endpoint Log Hybrid	TCP 50001 (Non-SSL), 56001 (SSL), 50101(REST)	Log Collector application ports
NW Server	Endpoint Log Hybrid	TCP 50002 (Non-SSL), 56002 (SSL), 56202 (Endpoint), 50102 (REST)	Log Decoder application ports
Admin Workstation	Endpoint Log Hybrid	TCP 15671	RabbitMQ Management UI
Endpoint Log Hybrid	NW Server	TCP 15671	RabbitMQ Management UI

Relay Server

Source Host	Destination Host	Destination Ports	Comments
Endpoint Agent	Relay Server	TCP 443	To forward host data to the Relay Server
Endpoint Log Hybrid	Relay Server	TCP 443	Pull host data from the Relay Server

Event Stream Analysis (ESA) Host

Note: The ports in this table are for the ESA Primary an ESA Secondary hosts. The Content Hub, Correlation and ESA Analytics services are co-located on the ESA Primary host. The Correlation and ESA Analytics services are co-located on the ESA Secondary host.

Source Host	Destination Host	Destination Ports	Comments
Admin Workstation	ESA	TCP 15671	RabbitMQ Management UI
ESA Primary and Secondary	NW Server	TCP 15671	RabbitMQ Management UI
ESA Primary and Secondary	NW Server	TCP 443	RSA Update Repository
Admin Workstation	ESA	TCP 22	SSH
NW Server, ESA Secondary	ESA Primary	TCP 27017	MongoDB
NW Server	ESA Primary	TCP 7005	Context Hub Launch Port - (ESA Primary)
NW Server	ESA	TCP 50030 (SSL)	ESA Application Port
NW Server	ESA	TCP 50035 (SSL)	ESA Application Port
NW Server	ESA	TCP 50036 (SSL)	ESA Application Port
NW Server	ESA	TCP 5671	RabbitMQ (AMQPS) message bus for all NW hosts.
ESA Primary and Secondary	cms.netwitness.com	TCP 443	Live
ESA Primary and Secondary	NFS Server	TCP 111 2049 UDP 111 2049	iDRAC Installations
ESA Primary and Secondary	Active Directory	636 (SSL)/389 (Non-SSL)
NW Server	ESA	80 (HTTP)/ 443 (HTTPS)(REST)
ESA Primary	Archer	443 (SSL)/80 (Non-SSL)
ESA Primary	ESA Primary	TCP 7007	Launch Port

iDRAC Ports

Port	Function	Comments
22*	SSH	Default, configurable port through which iDRAC listens for connections
443*	HTTP	Default, configurable port through which iDRAC listens for connections
5900*	Virtual Console keyboard and mouse redirection, Virtual Media, Virtual Folders, and Remote File Share.	Default, configurable port through which iDRAC listens for connections
111, 2049	TCP	NetWitness Platform hosts to NFS Server
111, 2049	UDP	NetWitness Platform hosts to NFS Server

Log Collector Host

Source Host	Destination Host	Destination Ports	Comments
Admin Workstation	Log Collector	TCP 15671	RabbitMQ Management UI
Log Collector	NW Server	TCP 15671	RabbitMQ Management UI
Log Collector	NW Server	TCP 443	RSA Update Repository
Admin Workstation	Log Collector	TCP 22	SSH
Log Collector	Log Event Sources	See Log Collection Configuration Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
Log Event Sources	Log Collector	TCP 514 (Syslog) UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow)"	Log Collection Ports
Log Event Sources	Log Collector	TCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008,64009	Log Collection FTP/S Ports
NW Server	Log Collector	TCP 50001 (Non-SSL), 56001 (SSL), 50101 (REST)	Log Collector Application Ports
NW Server	Log Collector	TCP 56006 (SSL), 50106 (REST)	NetWitness Appliance Ports
NW Server	Log Collector	TCP 5671	RabbitMQ (AMQPS) message bus for all NW hosts.
Log Collector	NFS Server	TCP 111 2049 UDP 111 2049	iDRAC installations
Log Collector	Virtual Log Collector	TCP 5671	In Pull Mode
Virtual Log Collector	Log Collector	TCP 5671	In Push Mode

Log Decoder Host

Source Host	Destination Host	Destination Ports	Comments
Admin Workstation	Log Decoder	TCP 15671	RabbitMQ Management UI
Log Decoder	NW Server	TCP 443	RSA Update Repository
Admin Workstation	Log Decoder	TCP 22	SSH
Log Decoder	Log Event Sources	See Log Collection Configuration Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
Log Event Sources	Log Decoder	TCP 514 (Syslog), UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow)	Log Collection Ports
Log Event Sources	Log Decoder	TCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008, 64009	Log Collection FTP/S Ports
NW Server	Log Decoder	TCP 50001 (Non-SSL),56001 (SSL), 50101 (REST)	Log Collector Application Ports
NW Server	Log Decoder	TCP 50002 (Non-SSL), 56002 (SSL),56202 (Endpoint), 50102 (REST)	Log Decoder Application Ports
NW Server	Log Decoder	TCP 56006 (SSL), 50106 (REST)	NetWitness Appliance Ports
NW Server	Log Decoder	TCP 5671	RabbitMQ (AMQPS) message bus for all NW hosts.
Log Decoder	Log Collector	TCP 6514
Log Decoder	NFS Server	TCP 111 2049 UDP 111 2049	iDRAC Installations
Log Decoder	NW Server	TCP 15671	RabbitMQ Management UI

Log Hybrid Host

Source Host	Destination Host	Destination Ports	Comments
Admin Workstation	Log Hybrid	TCP 15671	RabbitMQ Management UI
Log Hybrid	NW Server	TCP 15671	RabbitMQ Management UI
Log Hybrid	NW Server	TCP 443	RSA Update Repository
Admin Workstation	Log Hybrid	TCP 22	SSH
Log Collector	Log Event Sources	See Log Collection Configuration Guide. Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.
Log Event Sources	Log Hybrid	TCP 514 (Syslog), UDP 162 (SNMP), 514 (Syslog), 2055 (NetFlow), 4739 (NetFlow), 6343 (NetFlow), 9995 (NetFlow)	Log Collection Ports
Log Event Sources	Log Hybrid	TCP 21, 64000, 64001, 64002, 64003, 64004, 64005, 64006, 64007, 64008, 64009	Log Collection FTP/S Ports
NW Server	Log Hybrid	TCP 50001 (Non-SSL), 56001 (SSL), 50101 (REST)	Log Collector Application Ports
NW Server	Log Hybrid	TCP 50002 (Non-SSL), 56002 (SSL), 56202 (Endpoint), 50102 (REST)	Log Decoder Application Ports
NW Server	Log Hybrid	TCP TCP 50005 (Non-SSL), 56005 (SSL), 50105 (REST)	Concentrator Application Ports
NW Server	Log Hybrid	TCP 56006 (SSL), 50106 (REST)	NetWitness Appliance Ports
NW Server	Log Hybrid	TCP 5671	RabbitMQ (AMQPS) message bus for all NW hosts.
Log Hybrid	NFS Server	TCP 111 2049 UDP 111 2049	iDRAC Installations

Malware Host

Source Host	Destination Host	Destination Ports	Comments
Admin Workstation	Malware	TCP 15671	RabbitMQ Management UI
Malware	NW Server	TCP 15671	RabbitMQ Management UI
Malware	NW Server	TCP 443	RSA Update Repository
Admin Workstation	Malware	TCP 22	SSH
NW Server	Malware	TCP 60007	Malware Application Ports
NW Server	Malware	TCP 56006 (SSL), 50106 (REST)	NetWitness Appliance Ports
NW Server	Malware	TCP 5671	RabbitMQ (AMQPS) message bus for all NW hosts.
NW Server	Malware	TCP 5432	Postgresql
NW Server	Malware	TCP 56003 (SSL), 50103 (REST)	Broker Application Ports
Malware	panacea.threatgrid.com	TCP 443	Threatgrid
Malware	cloud.netwitness.com	TCP 443	Community evaluation / Opswat
Malware	NFS Server	TCP 111 2049 UDP 111 2049	iDRAC Installations

Network Decoder Host

Source Host	Destination Host	Destination Ports	Comments
Admin Workstation	Network Decoder	TCP 15671	RabbitMQ Management UI
Network Decoder	NW Server	TCP 15671	RabbitMQ Management UI
Network Decoder	NW Server	TCP 443	RSA Update Repository
Admin Workstation	Network Decoder	TCP 22	SSH
NW Server	Network Decoder	TCP 56004 (SSL), 50104 (REST), 50004 (Non-SSL)	Network Decoder Application Ports
NW Server	Network Decoder	TCP 56006 (SSL), 50106 (REST)	NetWitness Appliance Ports
NW Server	Network Decoder	TCP 5671	RabbitMQ (AMQPS) message bus for all NW hosts.
Network Decoder	NFS Server	TCP 111 2049 UDP 111 2049	iDRAC Installations

Network Hybrid Host

Source Host	Destination Host	Destination Ports	Comments
Admin Workstation	Network Hybrid	TCP 15671	RabbitMQ Management UI
Network Hybrid	NW Server	TCP 15671	RabbitMQ Management UI
Network Hybrid	NW Server	TCP 443	RSA Update Repository
Admin Workstation	Network Hybrid	TCP 22	SSH
NW Server	Network Hybrid	TCP 56004 (SSL), 50104 (REST), 50004 (Non-SSL)	Network Decoder Application Ports
NW Server	Network Hybrid	TCP 50005 (Non-SSL), 56005 (SSL), 50105 (REST)	Concentrator Application Ports
NW Server	Network Hybrid	TCP 56006 (SSL), 50106 (REST)	NetWitness Appliance Ports
NW Server	Network Hybrid	TCP 5671	RabbitMQ (AMQPS) message bus for all NW hosts.
Network Hybrid	NFS Server	TCP 111 2049 UDP 111 2049	iDRAC Installations

UEBA Host

Source Host	Destination Host	Destination Ports	Comments
UEBA Server	NW Server	TCP 443	RSA Update Repository
UEBA Server	Broker	TCP 56003 (SSL), 50103 (REST)	Broker Application Ports
UEBA Server	Concentrator	TCP TCP 50005 (Non-SSL), 56005 (SSL), 50105 (REST)	Concentrator Application Ports
Admin Workstation	UEBA Server	443	UEBA Monitoring
Admin Workstation	UEBA Server	22	SSH
UEBA Server	NW Server	15671	UEBA Alerts forwarding to Respond
NW Server	NFS Server	TCP 111, 2049 UDP 111, 2049	iDRAC Installations

NetWitness Endpoint Architecture

NetWitness Endpoint 4.4 Integration with NetWitness Platform

NetWitness Endpoint 11.3.1 Architecture with Ports

For more information on the services running on Endpoint Log Hybrid, see RSA NetWitness Endpoint Configuration Guide.

How to Change UDP Port for Endpoint Log Hybrid

The following steps tell you how to change the Endpoint Log Hybrid default UDP port 444 if it is not acceptable in your environment. 555 is the example this procedures uses as a replacement for 444 UDP port.
There are two tasks you need to o change the Endpoint Log Hybrid default UDP port 444:

Task 1 - Tell All Agents to Use a New UDP Port

Task 2 - Update the Port on All Endpoint Log Hybrid Hosts in Your Environment

Note: If you did not select the custom firewall rules option when you ran the nwsetup-tui, NetWitness platform overwrites the firewall rules are overwritten after a period of time. Please refer to the following Knowledge Base Article 00036446 (https://community.rsa.com/docs/DOC-93651) if this is the case.

Task 1 - Tell All Agents to Use a New UDP Port

Complete the following steps to update the UDP port in the default Enterprise Data Replication (EDR) policy, and all other policies you have, to tell all agents to use a new UDP port.

In the NetWitness Platform menu, select ADMIN > Endpoint Sources > Policies.
The Policies view is displayed.
Select the Default EDR Policy and click Edit from the toolbar.
roll down to find the UDP PORT and change the value (for example, change from 444 to 555).
Click Publish Policy at the bottom of the view.

Task 2 - Update the Port on All Endpoint Log Hybrid Hosts in Your Environment

SSH to each Endpoint Log Hybrid host in your environment with admin credentials and make the following updates.

Update the iptables rules to allow 555 in place of 444.
1. Replace 444 with 555 in the following file.
  vi /etc/sysconfig/iptables
2. Restart iptables with the following command string.
  systemctl restart iptables
3. Verify the change with the following command string.
  iptables -L -n
  The following is an example of what is displayed for a correct change.
  ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp multiport dports 555 /* EndpointNginxPort */ ctstate NEW
Update the SELinux policy. 555 is a privileged port, so you must update SELinux policy to allow this port.
1. Run the following command string.
  semanage port -a -t http_port_t -p udp 555
  If you received any python errors or warnings, ignored them.
2. Verify the change with the following command string.
  semanage port -l | grep http_port_t
  The following is an example of what is displayed for a correct change.