JSA Port Usage
Review the list of common ports that JSA services and components use to communicate across the network. You can use the port list to determine which ports must be open in your network. For example, you can determine which ports must be open for the JSA console to communicate with remote event processors.
WinCollect Remote Polling
WinCollect agents that remotely poll other Microsoft Windows operating systems might require additional port assignments.
For more information, see the Juniper Secure Analytics WinCollect User Guide.
JSA Listening Ports
The following table shows the JSA ports that are open in a LISTEN state. The LISTEN ports are valid only when iptables is enabled on your system. Unless otherwise noted, information about the assigned port number applies to all JSA products.
Table 1: Listening Ports That Are Used by JSA Services and Components
Port | Description | Protocol | Direction | Requirement |
---|---|---|---|---|
22 | SSH | TCP | Bidirectional from the JSA console to all other components. | Remote management access. Adding a remote system as a managed host. Log source protocols to retrieve files from external devices, for example the log file protocol. Users who use the command-line interface to communicate from desktops to the Console. High-availability (HA). |
25 | SMTP | TCP | From all managed hosts to the SMTP gateway. | Emails from JSA to an SMTP gateway. Delivery of error and warning email messages to an administrative email contact. |
37 | rdate (time) | UDP/TCP | All systems to the JSA console. JSA console to the NTP or rdate server. | Time synchronization between the JSA console and managed hosts. |
111 | Port mapper | TCP/UDP | Managed hosts that communicate with the JSA console. Users that connect to the JSA console. | Remote Procedure Calls (RPC) for required services, such as Network File System (NFS). |
123 | Network Time Protocol (NTP) | TCP/UDP | JSA Console to the NTP server. HA primary to secondary, and vice versa. | Time synchronization between QRadar HA pairs, and between the QRadar Console and the NTP server. |
135 and dynamically allocated ports above 1024 for RPC calls. | DCOM | TCP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA event collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. Note: DCOM typically allocates a random port range for communication. You can configure Microsoft Windows products to use a specific port. For more information, see your Microsoft Windows documentation. |
137 | Windows NetBIOS name service | UDP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
138 | Windows NetBIOS datagram service | UDP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
139 | Windows NetBIOS session service | TCP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
162 | NetSNMP | UDP | JSA managed hosts that connect to the JSA console. External log sources to JSA Event Collectors. | UDP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources. The port is open only when the SNMP agent is enabled. |
199 | NetSNMP | TCP | JSA managed hosts that connect to the JSA console. External log sources to JSA Event Collectors. | TCP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources. The port is open only when the SNMP agent is enabled. |
427 | Service Location Protocol (SLP) | UDP/TCP | The Integrated Management Module uses the port to find services on a LAN. | |
443 | Apache/HTTPS | TCP | Bidirectional traffic for secure communications from all products to the JSA console. | Configuration downloads to managed hosts from the JSA console. JSA managed hosts that connect to the JSA console. Users who need login access to JSA. JSA consoles that manage and provide configuration updates for WinCollect agents. |
445 | Microsoft Directory Service | TCP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events. Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
514 | Syslog | UDP/TCP | External network appliances that provide TCP syslog events use bidirectional traffic. External network appliances that provide UDP syslog events use uni-directional traffic. Internal syslog traffic from JSA hosts to the JSA console. | External log sources to send event data to JSA components. Syslog traffic includes WinCollect agents, event collectors, and Adaptive Log Exporter agents capable of sending either UDP or TCP events to JSA. |
762 | Network File System (NFS) mount daemon (mountd) | TCP/UDP | Connections between the JSA console and NFS server. | The Network File System (NFS) mount daemon, which processes requests to mount a file system at a specified location. |
1514 | Syslog-ng | TCP/UDP | Connection between the local Event Collector component and local Event Processor component to the syslog-ng daemon for logging. | Internal logging port for syslog-ng. |
2049 | NFS | TCP | Connections between the JSA console and NFS server. | The Network File System (NFS) protocol to share files or data between components. |
2055 | NetFlow data | UDP | From the management interface on the flow source (typically a router) to the JSA Flow Processor. | NetFlow datagram from components, such as routers. |
2375 | Docker command port | TCP | Internal communications. This port is not available externally. | Used to manage JSA application framework resources. |
3389 | Remote Desktop Protocol (RDP) and Ethernet over USB is enabled | TCP/UDP | If the Microsoft Windows operating system is configured to support RDP and Ethernet over USB, a user can initiate a session to the server over the management network. This means that the default port for RDP, 3389, must be open. | |
3900 | Integrated Management Module remote presence port | TCP/UDP | Use this port to interact with the JSA console through the Integrated Management Module. | |
4333 | Redirect port | TCP | This port is assigned as a redirect port for Address Resolution Protocol (ARP) requests in JSA offense resolution. | |
5432 | Postgres | TCP | Communication for the managed host that is used to access the local database instance. | Required for provisioning managed hosts from the Admin tab. |
6514 | Syslog | TCP | External network appliances that provide encrypted TCP syslog events use bidirectional traffic. | External log sources to send encrypted event data to JSA components. |
6543 | High-availability heartbeat | TCP/UDP | Bidirectional between the secondary host and primary host in an HA cluster. | Heartbeat ping from a secondary host to a primary host in an HA cluster to detect hardware or network failure. |
7676, 7677, and four randomly bound ports above 32000. | Messaging connections (IMQ) | TCP | Message queue communications between components on a managed host. | Message queue broker for communications between components on a managed host. Note: You must permit access to these ports from the JSA console to unencrypted hosts. Ports 7676 and 7677 are static TCP ports, and four extra connections are created on random ports. For more information about finding randomly bound ports, see Viewing IMQ Port Associations. |
7777, 7778, 7779, 7780, 7781, 7782, 7783, 7788, 7790, 7791, 7792, 7793, 7795, 7799, and 8989. | JMX server ports | TCP | Internal communications. These ports are not available externally. | JMX server (Java Management Beans) monitoring for all internal JSA processes to expose supportability metrics. These ports are used by JSA support. |
7789 | HA Distributed Replicated Block Device (DRBD) | TCP/UDP | Bidirectional between the secondary host and primary host in an HA cluster. | Distributed Replicated Block Device (DRBD) used to keep drives synchronized between the primary and secondary hosts in HA configurations. |
7800 | Apache Tomcat | TCP | From the Event Collector to the JSA console. | Real-time (streaming) for events. |
7801 | Apache Tomcat | TCP | From the Event Collector to the JSA console. | Real-time (streaming) for flows. |
7803 | Apache Tomcat | TCP | From the Event Collector to the JSA console. | Anomaly detection engine port. |
7804 | QRM Arc builder | TCP | Internal control communications between JSA processes and ARC builder. | This port is used for JSA Risk Manager only. It is not available externally. |
8000 | Event Collection service (ECS) | TCP | From the Event Collector to the JSA console. | Listening port for specific Event Collection Service (ECS). |
8001 | SNMP daemon port | UDP | External SNMP systems that request SNMP trap information from the JSA console. | UDP listening port for external SNMP data requests. |
8005 | Apache Tomcat | TCP | Internal communications. Not available externally. | Open to control tomcat. This port is bound and only accepts connections from the local host. |
8009 | Apache Tomcat | TCP | From the HTTP daemon (HTTPd) process to Tomcat. | Tomcat connector, where the request is used and proxied for the web service. |
8080 | Apache Tomcat | TCP | From the HTTP daemon (HTTPd) process to Tomcat. | Tomcat connector, where the request is used and proxied for the web service. |
8413 | WinCollect agents | TCP | Bidirectional traffic between WinCollect agent and JSA console. | This traffic is generated by the WinCollect agent and communication is encrypted. It is required to provide configuration updates to the WinCollect agent and to use WinCollect in connected mode. |
8844 | Apache Tomcat | TCP | Unidirectional from the JSA console to the appliance that is running the JSA Vulnerability Manager processor. | Used by Apache Tomcat to read RSS feeds from the host that is running the JSA Vulnerability Manager processor. |
9090 | XForce IP Reputation database and server | TCP | Internal communications. Not available externally. | Communications between JSA processes and the XForce Reputation IP database. |
9913 plus one dynamically assigned port | Web application container | TCP | Bidirectional Java Remote Method Invocation (RMI) communication between Java Virtual Machines | When the web application is registered, one additional port is dynamically assigned. |
9995 | NetFlow data | UDP | From the management interface on the flow source (typically a router) to the JSA flow processor. | NetFlow datagram from components, such as routers. |
9999 | JSA Vulnerability Manager processor | TCP | Unidirectional from the scanner to the appliance running the JSA Vulnerability Manager processor | Used for JSA Vulnerability Manager (QVM) command information. The JSA console connects to this port on the host that is running the JSA Vulnerability Manager processor. This port is only used when QVM is enabled. |
10000 | JSA web-based, system administration interface | TCP/UDP | User desktop systems to all JSA hosts. | In JSA 2014.5 and earlier, this port is used for server changes, such as the host's root password and firewall access. Port 10000 is disabled in 2014.6. |
10101, 10102 | Heartbeat command | TCP | Bidirectional traffic between the primary and secondary HA nodes. | Required to ensure that the HA nodes are still active. |
15433 | Postgres | TCP | Communication for the managed host that is used to access the local database instance. | Used for JSA Vulnerability Manager (QVM) configuration and storage. This port is only used when QVM is enabled. |
20000-23000 | SSH Tunnel | TCP | Bidirectional from the QRadar Console to all other encrypted managed hosts. | Local listening point for SSH tunnels used for Java Message Service (JMS) communication with encrypted managed hosts. Used to perform long-running asynchronous tasks, such as updating networking configuration via System and License Management. |
23111 | SOAP web server | TCP | SOAP web server port for the Event Collection Service (ECS). | |
32004 | Normalized event forwarding | TCP | Bidirectional between JSA components. | Normalized event data that is communicated from an off-site source or between JSA Event Collectors. |
32005 | Data flow | TCP | Bidirectional between JSA components. | Data flow communication port between JSA Event Collectors when on separate managed hosts. |
32006 | Ariel queries | TCP | Bidirectional between JSA components. | Communication port between the Ariel proxy server and the Ariel query server. |
32007 | Offense data | TCP | Bidirectional between JSA components. | Events and flows contributing to an offense or involved in global correlation. |
32009 | Identity data | TCP | Bidirectional between JSA components. | Identity data that is communicated between the passive Vulnerability Information Service (VIS) and the Event Collection Service (ECS). |
32010 | Flow listening source port | TCP | Bidirectional between JSA components. | Flow listening port to collect data from JSA Flow Processor. |
32011 | Ariel listening port | TCP | Bidirectional between JSA components. | Ariel listening port for database searches, progress information, and other associated commands. |
32000-33999 | Data flow (flows, events, flow context) | TCP | Bidirectional between JSA components. | Data flows, such as events, flows, flow context, and event search queries. |
40799 | PCAP data | UDP | From Juniper Networks SRX Series appliances to JSA. | Collecting incoming packet capture (PCAP) data from Juniper Networks SRX Series appliances. Note: The packet capture on your device can use a different port. For more information about configuring packet capture, see your Juniper Networks SRX Series appliance documentation. |
ICMP | ICMP | | Bidirectional traffic between the secondary host and primary host in an HA cluster. | Testing the network connection between the secondary host and primary host in an HA cluster by using Internet Control Message Protocol (ICMP). |
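
One way to put Table 1 to work when reviewing a host is to compare its TCP listeners with the table. The following is an added example, not Juniper code: it parses `ss -ltn` output and reports listeners that are absent from the table, and ports the table marks as internal only that are bound beyond loopback, where exposure then depends on iptables. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# TCP ports that Table 1 marks as internal only / not available externally
# (Docker, JMX, QRM Arc builder, Tomcat control, XForce).
INTERNAL_ONLY = {2375, 7804, 8005, 8989, 9090, 7777, 7778, 7779, 7780, 7781,
                 7782, 7783, 7788, 7790, 7791, 7792, 7793, 7795, 7799}
# Every other fixed TCP (or TCP/UDP) port in Table 1, plus its two ranges.
LISTED = INTERNAL_ONLY | {
    22, 25, 37, 111, 123, 135, 139, 199, 427, 443, 445, 514, 762, 1514, 2049,
    3389, 3900, 4333, 5432, 6514, 6543, 7676, 7677, 7789, 7800, 7801, 7803,
    8000, 8009, 8080, 8413, 8844, 9913, 9999, 10000, 10101, 10102, 15433, 23111}
LISTED_RANGES = [(20000, 23000), (32000, 33999)]

# Constructed sample of `ss -ltn` output, not taken from a real JSA host.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
LISTEN 0      128    0.0.0.0:22              0.0.0.0:*
LISTEN 0      100    ::ffff:127.0.0.1:8005   :::*
LISTEN 0      128    0.0.0.0:2375            0.0.0.0:*
LISTEN 0      50     :::7777                 :::*
LISTEN 0      128    *:32011                 *:*
LISTEN 0      5      0.0.0.0:4444            0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN row; the header row is skipped."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            addr, _, port = fields[3].rpartition(":")
            yield addr.strip("[]"), int(port)

def is_loopback(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                          # "*" wildcard
        return False
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:127.0.0.1, common for Java
    return (mapped if mapped is not None else ip).is_loopback

def audit(ss_output):
    """Return (port, address, reason) for each listener that needs review."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in INTERNAL_ONLY and not is_loopback(addr):
            findings.append((port, addr, "internal-only: confirm iptables blocks it"))
        elif port not in LISTED and not any(lo <= port <= hi for lo, hi in LISTED_RANGES):
            # May also be a dynamic IMQ, RMI or DCOM port; check before treating as rogue.
            findings.append((port, addr, "not in Table 1"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

UDP-only rows of the table (for example 162, 2055 and 40799) are outside this check, which covers TCP listeners only.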