We are currently on v10.6.6.0 and in preparation for v11 upgrade. Our firewall team validated that all FW ports are open from SA Head to downstream servers. However, during telnet testing the ports are still failing (One IP allowed 15671 port in test). A RSA Support engineer said that these ports cannot be validated while on v10.6.6 and we would need to be on v11 in order to validate these specific ports. I just wanted to make sure this statement is true and valid before upgrade. Thanks.
Hi David,
I appreciate the response. However, I have this document and I have the list of ports for v11 but my question is can these ports be validated if we are on v10.6.6? I was told by RSA that there is no way to validate these ports while still on v10.6.6. So I'm basically left to believe the firewall team has implemented the correct rules and polices but I did not want to be in the middle of an upgrade and then determine the ports are actually not working. Thanks.
Hey Dwayne,
This KB article I think has what you are looking for to test if the ports are open and listening
Dwayne,
I shared with your Webex recordings during our engagement on how to use the listener python script to listen on those new ports so you can test your FW rules. Let me know if you need some pointers on how to use that script I provided.
Sent from my iPhone
I have a suggestion. It's not ideal, but you can at least tell if communication is going there in the first place.
Firewall rules exist on the box that do not allow for all of those ports, simply because most of the services are not there yet or we have conflicting firewall rules presently. So a curl will come back as a fail.
However, if you run a tcpdump at the same time on the device you are trying to connect to, you should still see something hit it, ideally.
Take the below output. The top capture is from the Head. The bottom is from a Concentrator in the same subnet.
[root@S4S-SA ~]# curl -v telnet://X.X.X.X:4505
* About to connect() to X.X.X.X port 4505 (#0)
* Trying X.X.X.X... No route to host
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host
[root@S4S-CON ~]# tcpdump -i any port 4505
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
15:40:04.157660 IP puppetmaster.local.40158 > S4S-CON.4505: Flags [S], seq 2013550665, win 14600, options [mss 1460,sackOK,TS val 3016162374 ecr 0,nop,wscale 7], length 0
Regretfully, this will not help you in the circumstance that your firewall is blocking certain types of traffic. For instance, I had someone yesterday that was allowing only certain parts of traffic on the SSL port. They probably had their firewall set to not accept SSL traffic over unusual ports like 56001 or something.
Hi Dwayne,
This link will provide all the ports required for the 11.x system
https://community.rsa.com/docs/DOC-83050
Thank you
David
David C. Poirier
Principal Engineer Technical Support
RSA the Security Division of EMC
(781) 515-7757
Fax: 781-515-7710
David.Poirier@rsa.com<mailto:David.Poirier@rsa.com>