Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

JSA Port Usage

Review the list of common ports that JSA services and components use to communicate across the network. You can use the port list to determine which ports must be open in your network. For example, you can determine which ports must be open for the JSA console to communicate with remote event processors.

WinCollect Remote Polling

WinCollect agents that remotely poll other MicrosoftWindows operating systems might require additional port assignments.

For more information, see the Juniper Secure Analytics WinCollect User Guide.

JSA Listening Ports

The following table shows the JSA ports that are open in a LISTEN state. The LISTEN ports are valid only when iptables is enabled on your system. Unless otherwise noted, information about the assigned port number applies to all JSA products.

Table 1: Listening Ports That Are Used by JSA Services and Components

Port

Description

Protocol

Direction

Requirement

22

SSH

TCP

Bidirectional from the JSA console to all other components.

Remote management access.

Adding a remote system as a managed host.

Log source protocols to retrieve files from external devices, for example the log file protocol.

Users who use the command-line interface to communicate from desktops to the Console.

High-availability (HA).

25

SMTP

TCP

From all managed hosts to the SMTP gateway.

Emails from JSA to an SMTP gateway.

Delivery of error and warning email messages to an administrative email contact.

111

Port mapper

TCP/UDP

Managed hosts (MH) that communicate with the JSA console.

Users that connect to the JSA console.

Remote Procedure Calls (RPC) for required services, such as Network File System (NFS).

123

Network Time Protocol (NTP)

UDP

Outbound from the JSA Console to the NTP Server

Outbound from the MH to the JSA Console

Time synchronization via Chrony between:

  • JSA Console and NTP server

  • JSA Managed Hosts and JSA Console

135 and dynamically allocated ports above 1024 for RPC calls.

DCOM

TCP

Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events.

Bidirectional traffic between JSA console components or JSA event collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.

This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

Note:

DCOM typically allocates a random port range for communication. You can configure Microsoft Windows products to use a specific port. For more information, see your Microsoft Windows documentation.

137

Windows NetBIOS name service

UDP

Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events.

Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.

This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

138

Windows NetBIOS datagram service

UDP

Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events.

Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.

This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

139

Windows NetBIOS session service

TCP

Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events.

Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.

This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

162

NetSNMP

UDP

JSA managed hosts that connect to the JSA console.

External log sources to JSA Event Collectors.

UDP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources. The port is open only when the SNMP agent is enabled.

199

NetSNMP

TCP

JSA managed hosts that connect to the JSA console.

External log sources to JSA Event Collectors.

TCP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources. The port is open only when the SNMP agent is enabled.

443

Apache/HTTPS

TCP

Bidirectional traffic for secure communications from all products to the JSA console.

Unidirectional traffic from the App Host to the JSA Console.

Configuration downloads to managed hosts from the JSA console.

JSA managed hosts that connect to the JSA console.

Users to have log in access to JSA.

JSA console that manage and provide configuration updates for WinCollect agents.

Apps that require access to the JSA API.

445

Microsoft Directory Service

TCP

Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events.

Bidirectional traffic between JSA console components or JSA Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events.

Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.

This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.

514

Syslog

UDP/TCP

External network appliances that provide TCP syslog events use bidirectional traffic.

External network appliances that provide UDP syslog events use uni-directional traffic.

Internal syslog traffic from JSA hosts to the JSA console.

External log sources to send event data to JSA components.

Syslog traffic includes WinCollect agents, event collectors, and Adaptive Log Exporter agents capable of sending either UDP or TCP events to JSA.

762

Network File System (NFS) mount daemon (mountd)

TCP/UDP

Connections between the JSA console and NFS server.

The Network File System (NFS) mount daemon, which processes requests to mount a file system at a specified location.

1514

Syslog-ng

TCP/UDP

Connection between the local Event Collector component and local Event Processor component to the syslog-ng daemon for logging.

Internal logging port for syslog-ng.

2049

NFS

TCP

Connections between the JSA console and NFS server.

The Network File System (NFS) protocol to share files or data between components.

2055

NetFlow data

UDP

From the management interface on the flow source (typically a router) to the JSA Flow Processor.

NetFlow datagram from components, such as routers.

2376

Docker command port

TCP

Internal communications. This port is not available externally.

Used to manage JSA application framework resources.

3389

Remote Desktop Protocol (RDP) and Ethernet over USB is enabled

TCP/UDP

 

If the MicrosoftWindows operating system is configured to support RDP and Ethernet over USB, a user can initiate a session to the server over the management network. This means the default port for RDP, 3389 must be open.

4333

Redirect port

TCP

 

This port is assigned as a redirect port for Address Resolution Protocol (ARP) requests in JSA offense resolution.

5000

Used to allow communication to the docker si-registry running on the Console. This allows all managed hosts to pull images from the Console that will be used to create local containers.

TCP

Unidirectional from the JSA managed host to the JSA Console. The port is only opened on the Console. Managed hosts must pull from the Console.

Required for apps running on an App Host.

5432

Postgres

TCP

Communication for the managed host that is used to access the local database instance.

Required for provisioning managed hosts from the Admin tab.

6514

Syslog

TCP

External network appliances that provide encrypted TCP syslog events use bidirectional traffic.

External log sources to send encrypted event data to JSA components.

7676, 7677, and four randomly bound ports above 32000.

Messaging connections (IMQ)

TCP

Message queue communications between components on a managed host.

Message queue broker for communications between components on a managed host.

Note:

You must permit access to these ports from the JSA console to unencrypted hosts.

Ports 7676 and 7677 are static TCP ports, and four extra connections are created on random ports.

For more information about finding randomly bound ports, see Viewing IMQ Port Associations.

7777, 7778, 7779, 7780, 7781, 7782, 7783, 7788, 7790, 7791, 7792, 7793, 7795, 7799, and 8989.

JMX server ports

TCP

Internal communications. These ports are not available externally.

JMX server (Java Management Beans) monitoring for all internal JSA processes to expose supportability metrics.

These ports are used by JSA support.

7789

HA Distributed Replicated Block Device (DRBD)

TCP/UDP

Bidirectional between the secondary host and primary host in an HA cluster.

Distributed Replicated Block Device (DRBD) used to keep drives synchronized between the primary and secondary hosts in HA configurations.

7800

Apache Tomcat

TCP

From the Event Collector to the JSA console.

Real-time (streaming) for events.

7801

Apache Tomcat

TCP

From the Event Collector to the JSA console.

Real-time (streaming) for flows.

7803

Anomaly Detection Engine

TCP

From the Event Collector to the JSA console.

Anomaly detection engine port.

7804

QRM Arc builder

TCP

Internal control communications between JSA processes and ARC builder.

This port is used for JSA Risk Manager only. It is not available externally.

7805

Syslog tunnel communication

TCP

Bidirectional between the JSA Console and managed hosts

Used for encrypted communication between the console and managed hosts.

8000

Event Collection service (ECS)

TCP

From the Event Collector to the JSA console.

Listening port for specific Event Collection Service (ECS).

8001

SNMP daemon port

TCP

External SNMP systems that request SNMP trap information from the JSA console.

Listening port for external SNMP data requests.

8005

Apache Tomcat

TCP

Internal communications. Not available externally.

Open to control tomcat.

This port is bound and only accepts connections from the local host.

8009

Apache Tomcat

TCP

From the HTTP daemon (HTTPd) process to Tomcat.

Tomcat connector, where the request is used and proxied for the web service.

8080

Apache Tomcat

TCP

From the HTTP daemon (HTTPd) process to Tomcat.

Tomcat connector, where the request is used and proxied for the web service.

8082

Secure tunnel for JSA Risk Manager

TCP

Bidirectional traffic between the JSA Console and JSA Risk Manager

Required when encryption is used between JSARisk Manager and the JSA Console.

8413

WinCollect agents

TCP

Bidirectional traffic between WinCollect agent and JSA console.

This traffic is generated by the WinCollect agent and communication is encrypted. It is required to provide configuration updates to the WinCollect agent and to use WinCollect in connected mode.

8844

Apache Tomcat

TCP

Unidirectional from the JSA console to the appliance that is running the JSA Vulnerability Manager processor.

Used by Apache Tomcat to read RSS feeds from the host that is running the JSA Vulnerability Manager processor.

9000

Conman

TCP

Unidirectional from the JSA Console to a JSA App Host.

Used with an App Host. It allows the Console to deploy apps to an App Host and to manage those apps.

9090

XForce IP Reputation database and server

TCP

Internal communications. Not available externally.

Communications between JSA processes and the XForce Reputation IP database.

9381

Certificate files download

TCP

Unidirectional from JSA managed host or external network to JSA Console

Downloading JSA CA certificate and CRL files, which can be used to validate JSA generated certificates.

9381

localca-server

TCP

Bidirectional between JSA components.

Used to hold JSA local root and intermediate certificates, as well as associated CRLs.

9393, 9394

vault-qrd

TCP

Internal communications. Not available externally.

Used to hold secrets and allow secure access to them to services.

9913 plus one dynamically assigned port

Web application container

TCP

Bidirectional Java Remote Method Invocation (RMI) communication between Java Virtual Machines

When the web application is registered, one additional port is dynamically assigned.

9995

NetFlow data

UDP

From the management interface on the flow source (typically a router) to the JSA flow processor.

NetFlow datagram from components, such as routers.

9999

JSA Vulnerability Manager processor

TCP

Unidirectional from the scanner to the appliance running the JSA Vulnerability Manager processor

Used for JSA Vulnerability Manager (QVM) command information. The JSA console connects to this port on the host that is running the JSA Vulnerability Manager processor. This port is only used when QVM is enabled.

10000

JSA web-based, system administration interface

TCP/UDP

User desktop systems to all JSA hosts.

In JSA 2014.5 and earlier, this port is used for server changes, such as the hosts root password and firewall access.

Port 10000 is disabled in 2014.6.

10101, 10102

Heartbeat command

TCP

Bidirectional traffic between the primary and secondary HA nodes.

Required to ensure that the HA nodes are still active.

12500

Socat binary

TCP

Outbound from MH to the JSA Console

Port used for tunneling chrony udp requests over tcp when JSA Console or MH is encrypted

14433

traefik

TCP

Bidirectional between JSA components.

Required for app services discovery.

15432

Required to be open for internal communication between JSA Risk Manager and JSA.

15433

Postgres

TCP

Communication for the managed host that is used to access the local database instance.

Used for JSA Vulnerability Manager (QVM) configuration and storage. This port is only used when QVM is enabled.

20000-23000

SSH Tunnel

TCP

Bidirectional from the JSA Console to all other encrypted managed hosts.

Local listening point for SSH tunnels used for Java Message Service (JMS) communication with encrypted managed hosts. Used to perform long-running asynchronous tasks, such as updating networking configuration via System and License Management.

23111

SOAP web server

TCP

 

SOAP web server port for the Event Collection Service (ECS).

32000

Normalized flow forwarding

TCP

Bidirectional between JSA components.

Normalized flow data that is communicated from an off-site source or between JSA Processors.

32004

Normalized event forwarding

TCP

Bidirectional between JSA components.

Normalized event data that is communicated from an off-site source or between JSA Event Collectors.

32005

Data flow

TCP

Bidirectional between JSA components.

Data flow communication port between JSA Event Collectors when on separate managed hosts.

32006

Ariel queries

TCP

Bidirectional between JSA components.

Communication port between the Ariel proxy server and the Ariel query server.

32007

Offense data

TCP

Bidirectional between JSA components.

Events and flows contributing to an offense or involved in global correlation.

32009

Identity data

TCP

Bidirectional between JSA components.

Identity data that is communicated between the passive Vulnerability Information Service (VIS) and the Event Collection Service (ECS).

32010

Flow listening source port

TCP

Bidirectional between JSA components.

Flow listening port to collect data from JSA Flow Processor.

32011

Ariel listening port

TCP

Bidirectional between JSA components.

Ariel listening port for database searches, progress information, and other associated commands.

32000-33999

Data flow (flows, events, flow context)

TCP

Bidirectional between JSA components.

Data flows, such as events, flows, flow context, and event search queries.

40799

PCAP data

UDP

From Juniper Networks SRX Series appliances to JSA.

Collecting incoming packet capture (PCAP) data from Juniper Networks SRX Series appliances.

Note:

The packet capture on your device can use a different port. For more information about configuring packet capture, see your Juniper Networks SRX Series appliance documentation.

ICMP

ICMP

 

Bidirectional traffic between the secondary host and primary host in an HA cluster.

Testing the network connection between the secondary host and primary host in an HA cluster by using Internet Control Message Protocol (ICMP).