Common Ports and Servers Used by JSA

 

JSA requires that certain ports are ready to receive information from JSA components and external infrastructure. To ensure that JSA is using the most recent security information, it also requires access to public servers and RSS feeds.

SSH Communication on Port 22

All the ports that the JSA console uses to communicate with managed hosts can be tunneled through port 22 over SSH, which encrypts the traffic.

The console connects to the managed hosts using an encrypted SSH session to communicate securely. These SSH sessions are initiated from the console to provide data to the managed host. For example, the JSA console can initiate multiple SSH sessions to the Event Processor appliances for secure communication. This communication can include tunneled ports over SSH, such as HTTPS data for port 443 and Ariel query data for port 32006. Flow Processors that use encryption can initiate SSH sessions to Flow Processor appliances that require data.

Open Ports That Are Not Required by JSA

You might find additional open ports in the following situations:

  • When you mount or export a network file share, you might see dynamically assigned ports that are required for RPC services, such as rpc.mountd and rpc.rquotad.

JSA Port Usage

Review the list of common ports that JSA services and components use to communicate across the network. You can use the port list to determine which ports must be open in your network. For example, you can determine which ports must be open for the JSA console to communicate with remote event processors.

WinCollect Remote Polling

WinCollect agents that remotely poll other Microsoft Windows operating systems might require additional port assignments.

For more information, see the Juniper Secure Analytics WinCollect User Guide.

JSA Listening Ports

The following table shows the JSA ports that are open in a LISTEN state. The LISTEN ports are valid only when iptables is enabled on your system. Unless otherwise noted, information about the assigned port number applies to all JSA products.

Table 1: Listening Ports That Are Used by JSA Services and Components

| Port | Description | Protocol | Direction | Requirement |
|---|---|---|---|---|
| 22 | SSH | TCP | Bidirectional from the JSA console to all other components. | Remote management access. Adding a remote system as a managed host. Log source protocols that retrieve files from external devices, for example the log file protocol. Users who use the command-line interface to communicate from desktops to the Console. High availability (HA). |
| 25 | SMTP | TCP | From all managed hosts to the SMTP gateway. | Emails from JSA to an SMTP gateway. Delivery of error and warning email messages to an administrative email contact. |
| 111 | Port mapper | TCP/UDP | Managed hosts that communicate with the JSA console. Users that connect to the JSA console. | Remote Procedure Calls (RPC) for required services, such as Network File System (NFS). |
| 123 | Network Time Protocol (NTP) | TCP/UDP | JSA Console to the NTP server. HA primary to secondary, and vice versa. | Time synchronization between JSA HA pairs, and between the JSA Console and the NTP server. |
| 135 and dynamically allocated ports above 1024 for RPC calls | DCOM | TCP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. Note: DCOM typically allocates a random port range for communication. You can configure Microsoft Windows products to use a specific port. For more information, see your Microsoft Windows documentation. |
| 137 | Windows NetBIOS name service | UDP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
| 138 | Windows NetBIOS datagram service | UDP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
| 139 | Windows NetBIOS session service | TCP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
| 162 | NetSNMP | UDP | JSA managed hosts that connect to the JSA console. External log sources to JSA Event Collectors. | UDP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources. The port is open only when the SNMP agent is enabled. |
| 199 | NetSNMP | TCP | JSA managed hosts that connect to the JSA console. External log sources to JSA Event Collectors. | TCP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources. The port is open only when the SNMP agent is enabled. |
| 443 | Apache/HTTPS | TCP | Bidirectional traffic for secure communications from all products to the JSA console. | Configuration downloads to managed hosts from the JSA console. JSA managed hosts that connect to the JSA console. Users who log in to JSA. JSA consoles that manage and provide configuration updates for WinCollect agents. |
| 445 | Microsoft Directory Service | TCP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events. Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
| 514 | Syslog | UDP/TCP | External network appliances that provide TCP syslog events use bidirectional traffic. External network appliances that provide UDP syslog events use unidirectional traffic. Internal syslog traffic from JSA hosts to the JSA console. | External log sources that send event data to JSA components. Syslog traffic includes WinCollect agents, event collectors, and Adaptive Log Exporter agents that can send either UDP or TCP events to JSA. |
| 762 | Network File System (NFS) mount daemon (mountd) | TCP/UDP | Connections between the JSA console and the NFS server. | The Network File System (NFS) mount daemon, which processes requests to mount a file system at a specified location. |
| 1514 | Syslog-ng | TCP/UDP | Connection from the local Event Collector component and local Event Processor component to the syslog-ng daemon for logging. | Internal logging port for syslog-ng. |
| 2049 | NFS | TCP | Connections between the JSA console and the NFS server. | The Network File System (NFS) protocol to share files or data between components. |
| 2055 | NetFlow data | UDP | From the management interface on the flow source (typically a router) to the JSA Flow Processor. | NetFlow datagrams from components, such as routers. |
| 2375 | Docker command port | TCP | Internal communications. This port is not available externally. | Used to manage JSA application framework resources. |
| 3389 | Remote Desktop Protocol (RDP), when Ethernet over USB is enabled | TCP/UDP | | If the Microsoft Windows operating system is configured to support RDP and Ethernet over USB, a user can initiate a session to the server over the management network. This means that the default RDP port, 3389, must be open. |
| 4333 | Redirect port | TCP | | This port is assigned as a redirect port for Address Resolution Protocol (ARP) requests in JSA offense resolution. |
| 5000 | Docker si-registry running on the Console. Allows all managed hosts to pull images from the Console that are used to create local containers. | TCP | Unidirectional from the JSA managed host to the JSA Console. The port is opened only on the Console. Managed hosts must pull from the Console. | Required for apps running on an App Host. |
| 5432 | Postgres | TCP | Communication for the managed host that is used to access the local database instance. | Required for provisioning managed hosts from the Admin tab. |
| 6514 | Syslog | TCP | External network appliances that provide encrypted TCP syslog events use bidirectional traffic. | External log sources that send encrypted event data to JSA components. |
| 7676, 7677, and four randomly bound ports above 32000 | Messaging connections (IMQ) | TCP | Message queue communications between components on a managed host. | Message queue broker for communications between components on a managed host. Note: You must permit access to these ports from the JSA console to unencrypted hosts. Ports 7676 and 7677 are static TCP ports, and four extra connections are created on random ports. For more information about finding randomly bound ports, see "Viewing IMQ Port Associations". |
| 7777, 7778, 7779, 7780, 7781, 7782, 7783, 7788, 7790, 7791, 7792, 7793, 7795, 7799, and 8989 | JMX server ports | TCP | Internal communications. These ports are not available externally. | JMX server (Java Management Beans) monitoring for all internal JSA processes to expose supportability metrics. These ports are used by JSA support. |
| 7789 | HA Distributed Replicated Block Device (DRBD) | TCP/UDP | Bidirectional between the secondary host and primary host in an HA cluster. | Distributed Replicated Block Device (DRBD), used to keep drives synchronized between the primary and secondary hosts in HA configurations. |
| 7800 | Apache Tomcat | TCP | From the Event Collector to the JSA console. | Real-time (streaming) for events. |
| 7801 | Apache Tomcat | TCP | From the Event Collector to the JSA console. | Real-time (streaming) for flows. |
| 7803 | Anomaly Detection Engine | TCP | From the Event Collector to the JSA console. | Anomaly detection engine port. |
| 7804 | JSA Risk Manager Arc builder | TCP | Internal control communications between JSA processes and ARC builder. | This port is used for JSA Risk Manager only. It is not available externally. |
| 8000 | Event Collection Service (ECS) | TCP | From the Event Collector to the JSA console. | Listening port for the Event Collection Service (ECS). |
| 8001 | SNMP daemon port | TCP | External SNMP systems that request SNMP trap information from the JSA console. | Listening port for external SNMP data requests. |
| 8005 | Apache Tomcat | TCP | Internal communications. Not available externally. | Open to control Tomcat. This port is bound to, and only accepts connections from, the local host. |
| 8009 | Apache Tomcat | TCP | From the HTTP daemon (HTTPd) process to Tomcat. | Tomcat connector, where the request is received and proxied for the web service. |
| 8080 | Apache Tomcat | TCP | From the HTTP daemon (HTTPd) process to Tomcat. | Tomcat connector, where the request is received and proxied for the web service. |
| 8082 | Secure tunnel for JSA Risk Manager | TCP | Bidirectional traffic between the JSA Console and JSA Risk Manager. | Required when encryption is used between JSA Risk Manager and the JSA Console. |
| 8413 | WinCollect agents | TCP | Bidirectional traffic between the WinCollect agent and the JSA console. | This traffic is generated by the WinCollect agent and the communication is encrypted. It is required to provide configuration updates to the WinCollect agent and to use WinCollect in connected mode. |
| 8844 | Apache Tomcat | TCP | Unidirectional from the JSA console to the appliance that is running the JSA Vulnerability Manager processor. | Used by Apache Tomcat to read RSS feeds from the host that is running the JSA Vulnerability Manager processor. |
| 9000 | Conman | | Unidirectional from the JSA Console to a JSA App Host. | Used with an App Host. It allows the Console to deploy apps to an App Host and to manage those apps. |
| 9090 | XForce IP Reputation database and server | TCP | Internal communications. Not available externally. | Communications between JSA processes and the XForce Reputation IP database. |
| 9381 | Certificate files download | TCP | Unidirectional from a JSA managed host or external network to the JSA Console. | Downloading JSA CA certificate and CRL files, which can be used to validate JSA-generated certificates. |
| 9913 plus one dynamically assigned port | Web application container | TCP | Bidirectional Java Remote Method Invocation (RMI) communication between Java Virtual Machines. | When the web application is registered, one additional port is dynamically assigned. |
| 9995 | NetFlow data | UDP | From the management interface on the flow source (typically a router) to the JSA Flow Processor. | NetFlow datagrams from components, such as routers. |
| 9999 | JSA Vulnerability Manager processor | TCP | Unidirectional from the scanner to the appliance that is running the JSA Vulnerability Manager processor. | Used for JSA Vulnerability Manager command information. The JSA console connects to this port on the host that is running the JSA Vulnerability Manager processor. This port is used only when JSA Vulnerability Manager is enabled. |
| 10000 | JSA web-based system administration interface | TCP/UDP | User desktop systems to all JSA hosts. | In JSA 2014.5 and earlier, this port is used for server changes, such as the host's root password and firewall access. Port 10000 is disabled in 2014.6. |
| 10101, 10102 | Heartbeat command | TCP | Bidirectional traffic between the primary and secondary HA nodes. | Required to ensure that the HA nodes are still active. |
| 15432 | | | | Required to be open for internal communication between JSA Risk Manager and JSA. |
| 15433 | Postgres | TCP | Communication for the managed host that is used to access the local database instance. | Used for JSA Vulnerability Manager configuration and storage. This port is used only when JSA Vulnerability Manager is enabled. |
| 20000-23000 | SSH Tunnel | TCP | Bidirectional from the JSA Console to all other encrypted managed hosts. | Local listening point for SSH tunnels used for Java Message Service (JMS) communication with encrypted managed hosts. Used to perform long-running asynchronous tasks, such as updating the networking configuration through System and License Management. |
| 23111 | SOAP web server | TCP | | SOAP web server port for the Event Collection Service (ECS). |
| 32000 | Normalized flow forwarding | TCP | Bidirectional between JSA components. | Normalized flow data that is communicated from an off-site source or between JSA Flow Processors. |
| 32004 | Normalized event forwarding | TCP | Bidirectional between JSA components. | Normalized event data that is communicated from an off-site source or between JSA Event Collectors. |
| 32005 | Data flow | TCP | Bidirectional between JSA components. | Data flow communication port between JSA Event Collectors when they are on separate managed hosts. |
| 32006 | Ariel queries | TCP | Bidirectional between JSA components. | Communication port between the Ariel proxy server and the Ariel query server. |
| 32007 | Offense data | TCP | Bidirectional between JSA components. | Events and flows that contribute to an offense or are involved in global correlation. |
| 32009 | Identity data | TCP | Bidirectional between JSA components. | Identity data that is communicated between the passive Vulnerability Information Service (VIS) and the Event Collection Service (ECS). |
| 32010 | Flow listening source port | TCP | Bidirectional between JSA components. | Flow listening port to collect data from the JSA Flow Processor. |
| 32011 | Ariel listening port | TCP | Bidirectional between JSA components. | Ariel listening port for database searches, progress information, and other associated commands. |
| 32000-33999 | Data flow (flows, events, flow context) | TCP | Bidirectional between JSA components. | Data flows, such as events, flows, flow context, and event search queries. |
| ICMP | ICMP | | Bidirectional traffic between the secondary host and primary host in an HA cluster. | Testing the network connection between the secondary host and primary host in an HA cluster by using Internet Control Message Protocol (ICMP). |

Viewing IMQ Port Associations

Several ports that are used by JSA allocate extra random port numbers. For example, Message Queues (IMQ) open random ports for communication between components on a managed host. You can view the random port assignments for IMQ by using telnet to connect to the local host and doing a lookup on the port number.

Random port associations are not static port numbers. If a service is restarted, the ports that are generated for the service are reallocated and the service is provided with a new set of port numbers.

  1. Using SSH, log in to the JSA console as the root user.
  2. To display a list of associated ports for the IMQ messaging connection, type the following command:

    telnet localhost 7676

    The results from the telnet command might look similar to this output:

    [root@domain ~]# telnet localhost 7676
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    101 imqbroker 4.4 Update 1
    portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/openmq/mq/var,imqhome=/opt/openmq/mq,sessionid=<session_id>]
    cluster_discovery tcp CLUSTER_DISCOVERY 44913
    jmxrmi rmi JMX 0 [url=service:jmx:rmi://domain.ibm.com/stub/<urlpath>]
    admin tcp ADMIN 43691
    jms tcp NORMAL 7677
    cluster tcp CLUSTER 36615

    The telnet output shows 3 of the 4 random high-numbered TCP ports for IMQ. The fourth port, which is not shown, is a JMX Remote Method Invocation (RMI) port that is available over the JMX URL that is shown in the output.

    If the telnet connection is refused, it means that IMQ is not currently running. It is probable that the system is either starting up or shutting down, or that services were shut down manually.
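The portmapper response above is plain text that a script can parse instead of reading it by eye. The following Python script, an added example that is not part of the JSA documentation, connects to the IMQ portmapper the way the telnet step does, parses the service table, and lists the randomly bound TCP ports that the port table says must be reachable from the console; the embedded sample response is constructed from the shape shown above, and its high port numbers are placeholders.

```python
"""Parse the IMQ (OpenMQ) portmapper response read by the telnet check in
"Viewing IMQ Port Associations" and pick out the randomly bound TCP ports.
Added example, not from the JSA documentation; sample data is constructed."""
import socket

STATIC_IMQ_PORTS = {7676, 7677}  # static IMQ ports from the JSA port table

# Constructed sample of what the broker writes back on connect (shape taken
# from the page; the high port numbers are placeholders).
SAMPLE_RESPONSE = """101 imqbroker 4.4 Update 1
portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/openmq/mq/var,imqhome=/opt/openmq/mq,sessionid=<session_id>]
cluster_discovery tcp CLUSTER_DISCOVERY 44913
jmxrmi rmi JMX 0 [url=service:jmx:rmi://domain.ibm.com/stub/<urlpath>]
admin tcp ADMIN 43691
jms tcp NORMAL 7677
cluster tcp CLUSTER 36615
"""

def parse_portmapper(text):
    """Return {service: (protocol, service_type, port)}. The first line is
    the broker banner and is skipped; a trailing [key=value,...] block after
    the port number is ignored."""
    services = {}
    for line in text.strip().splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4 or not parts[3].isdigit():
            continue
        name, proto, stype, port = parts[:4]
        services[name] = (proto, stype, int(port))
    return services

def random_tcp_ports(services):
    """Dynamically bound TCP listeners: every tcp service except the static
    ports. jmxrmi reports port 0 because its RMI port is only reachable via
    the JMX URL (the fourth port the page mentions), so it is left out."""
    return sorted(
        port for proto, _stype, port in services.values()
        if proto == "tcp" and port not in STATIC_IMQ_PORTS and port != 0
    )

def fetch_portmapper(host="localhost", port=7676, timeout=3.0):
    """Connect to the portmapper and return its response text, or None when
    the connection is refused (IMQ not running) or nothing was sent."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            while True:
                try:
                    data = sock.recv(4096)
                except socket.timeout:
                    break  # broker kept the socket open; use what was read
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return None
    return b"".join(chunks).decode("utf-8", errors="replace") if chunks else None

if __name__ == "__main__":
    response = fetch_portmapper() or SAMPLE_RESPONSE  # fall back to the sample
    print("random IMQ TCP ports:", random_tcp_ports(parse_portmapper(response)))
```

Run it on the console as root after a service restart to see which high ports the broker currently holds; an empty result with IMQ running means the response format changed and the parser needs a look.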

Searching for Ports in Use by JSA

Use the netstat command to determine which ports are in use on the JSA Console or a managed host; it shows all listening and established ports on the system.

  1. Using SSH, log in to your JSA console as the root user.
  2. To display all active connections and the TCP and UDP ports on which the computer is listening, type the following command:
    netstat -nap
  3. To search for specific information from the netstat port list, type the following command:
    netstat -nap | grep port
    • To display all ports that match 199, type the following command:

      netstat -nap | grep 199
    • To display information on all listening ports, type the following command:

      netstat -nap | grep LISTEN
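Reading netstat output by hand does not scale to the full port table, so a practitioner usually diffs the listeners against Table 1. The following Python script is an added example, not part of the JSA documentation: it parses the `netstat -nap` format shown above, reports listeners that the table does not document, and flags ports the table marks as internal-only when they are bound to a non-loopback address. The netstat sample is constructed, and EXPECTED carries only the Table 1 rows the demo needs.

```python
"""Audit a JSA host's listening sockets against the documented port table,
parsing the `netstat -nap` format shown in "Searching for Ports in Use by JSA"."""

# Subset of Table 1 (added example data): port or (low, high) range -> protocols.
# 10000 is left out on purpose: the table says it is disabled from 2014.6.
EXPECTED = {
    22: {"tcp"}, 443: {"tcp"}, 514: {"tcp", "udp"},
    7676: {"tcp"}, 7677: {"tcp"}, 8005: {"tcp"},
    (32000, 33999): {"tcp"},  # data flow range, also covers IMQ random ports
}
LOCAL_ONLY = {2375, 8005, 9090}  # rows the table marks internal / local host only

# Constructed sample of `netstat -nap`; not captured from a real appliance.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2345/httpd
tcp        0      0 0.0.0.0:8005            0.0.0.0:*               LISTEN      3456/java
tcp        0      0 0.0.0.0:33107           0.0.0.0:*               LISTEN      4567/java
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      5678/perl
tcp        0      0 10.0.0.5:443            10.0.0.9:51234          ESTABLISHED 2345/httpd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           6789/java
"""

def parse_listeners(text):
    """Return (proto, bind_addr, port, program) for every socket that accepts
    traffic: TCP sockets in LISTEN and unconnected UDP sockets."""
    listeners = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue
        proto = f[0].rstrip("6")          # tcp6/udp6 -> tcp/udp
        addr, _, port = f[3].rpartition(":")
        if proto == "tcp":
            if len(f) < 7 or f[5] != "LISTEN":
                continue                  # established or closing connection
            program = f[6]
        else:
            if not f[4].endswith(":*"):
                continue                  # connected UDP socket, not a listener
            program = f[5]
        listeners.append((proto, addr, int(port), program))
    return listeners

def expected_protocols(port):
    """Protocols Table 1 documents for a port, honouring port ranges."""
    for key, protos in EXPECTED.items():
        if isinstance(key, tuple) and key[0] <= port <= key[1]:
            return protos
        if key == port:
            return protos
    return set()

def audit(text):
    """Return findings: undocumented listeners and internal-only ports that
    are bound to a non-loopback address. An empty list means clean."""
    findings = []
    for proto, addr, port, program in parse_listeners(text):
        if proto not in expected_protocols(port):
            findings.append(f"undocumented {proto}/{port} bound by {program}")
        if port in LOCAL_ONLY and addr not in ("127.0.0.1", "::1"):
            findings.append(f"internal-only port {port} bound to {addr} ({program})")
    return findings
```

Feed it the real output with `audit(subprocess.run(["netstat", "-nap"], capture_output=True, text=True).stdout)` and extend EXPECTED with the remaining Table 1 rows before treating its findings as a baseline.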

JSA Public Servers

To provide you with the most current security information, JSA requires access to a number of public servers and RSS feeds.

Public Servers

Table 2: Public Servers That JSA Must Access

| IP address or hostname | Description |
|---|---|
| 194.153.113.31 | JSA Vulnerability Manager DMZ scanner |
| 194.153.113.32 | JSA Vulnerability Manager DMZ scanner |
| download.juniper.net | JSA auto-update servers |
| www.iss.net | Juniper X-Force Threat Intelligence Threat Information Center dashboard item |
| update.xforce-security.com | X-Force Threat Feed update server |
| license.xforce-security.com | X-Force Threat Feed licensing server |

RSS Feeds for JSA Products

Table 3: RSS Feeds

| Title | URL | Requirements |
|---|---|---|
| Security Intelligence | http://feeds.feedburner.com/SecurityIntelligence | JSA and an Internet connection |
| Security Intelligence Vulns / Threats | http://securityintelligence.com/topics/vulnerabilities-threats/feed | JSA and an Internet connection |
| Juniper My Notifications | | JSA and an Internet connection |
| Security News | http://IP_address_of_QVM_processor:8844/rss/research/news.rss | JSA Vulnerability Manager processor is deployed |
| Security Advisories | http://IP_address_of_QVM_processor:8844/rss/research/news.rss | JSA Vulnerability Manager processor is deployed |
| Latest Published Vulnerabilities | http://IP_address_of_QVM_processor:8844/rss/research/vulnerabilities.rss | JSA Vulnerability Manager processor is deployed |
| Scans Completed | http://IP_address_of_QVM_processor:8844/rss/scanresults/completedScans.rss | JSA Vulnerability Manager processor is deployed |
| Scans In Progress | http://IP_address_of_QVM_processor:8844/rss/scanresults/runningScans.rss | JSA Vulnerability Manager processor is deployed |