JSA Port Usage
Review the list of common ports that JSA services and components use to communicate across the network. You can use the port list to determine which ports must be open in your network. For example, you can determine which ports must be open for the JSA console to communicate with remote event processors.
WinCollect Remote Polling
WinCollect agents that remotely poll other Microsoft Windows operating systems might require additional port assignments.
For more information, see the Juniper Secure Analytics WinCollect User Guide.
JSA Listening Ports
The following table shows the JSA ports that are open in a LISTEN state. The LISTEN ports are valid only when iptables is enabled on your system. Unless otherwise noted, information about the assigned port number applies to all JSA products.
| Port | Description | Protocol | Direction | Requirement |
|---|---|---|---|---|
| 22 | SSH | TCP | Bidirectional from the JSA console to all other components. | Remote management access. Adding a remote system as a managed host. Log source protocols to retrieve files from external devices, for example the log file protocol. Users who use the command-line interface to communicate from desktops to the Console. High availability (HA). |
| 25 | SMTP | TCP | From all managed hosts to the SMTP gateway. | Emails from JSA to an SMTP gateway. Delivery of error and warning email messages to an administrative email contact. |
| 111 and a randomly generated port | Port mapper | TCP/UDP | Managed hosts (MH) that communicate with the JSA console. Users that connect to the JSA console. | Remote Procedure Calls (RPC) for required services, such as Network File System (NFS). |
| 123 | Network Time Protocol (NTP) | UDP | Outbound from the JSA Console to the NTP server. Outbound from the MH to the JSA Console. | Time synchronization via Chrony between: |
| 135 and dynamically allocated ports above 1024 for RPC calls | DCOM | TCP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA event collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. Note: DCOM typically allocates a random port range for communication. You can configure Microsoft Windows products to use a specific port. For more information, see your Microsoft Windows documentation. |
| 137 | Windows NetBIOS name service | UDP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
| 138 | Windows NetBIOS datagram service | UDP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
| 139 | Windows NetBIOS session service | TCP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
| 162 | NetSNMP | UDP | JSA managed hosts that connect to the JSA console. External log sources to JSA Event Collectors. | UDP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources. The port is open only when the SNMP agent is enabled. |
| 199 | NetSNMP | TCP | JSA managed hosts that connect to the JSA console. External log sources to JSA Event Collectors. | TCP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources. The port is open only when the SNMP agent is enabled. |
| 443 | Apache/HTTPS | TCP | Bidirectional traffic for secure communications from all products to the JSA console. Unidirectional traffic from the App Host to the JSA Console. | Configuration downloads to managed hosts from the JSA console. JSA managed hosts that connect to the JSA console. Users who log in to JSA. The JSA console that manages and provides configuration updates for WinCollect agents. Apps that require access to the JSA API. |
| 445 | Microsoft Directory Service | TCP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events. Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
| 514 | Syslog | UDP/TCP | External network appliances that provide TCP syslog events use bidirectional traffic. External network appliances that provide UDP syslog events use unidirectional traffic. Internal syslog traffic from JSA hosts to the JSA console. | External log sources to send event data to JSA components. Syslog traffic includes WinCollect agents, event collectors, and Adaptive Log Exporter agents capable of sending either UDP or TCP events to JSA. |
| 762 | Network File System (NFS) mount daemon (mountd) | TCP/UDP | Connections between the JSA console and NFS server. | The Network File System (NFS) mount daemon, which processes requests to mount a file system at a specified location. |
| 1514 | Syslog-ng | TCP/UDP | Connection between the local Event Collector component and local Event Processor component to the syslog-ng daemon for logging. | Internal logging port for syslog-ng. |
| 2049 | NFS | TCP | Connections between the JSA console and NFS server. | The Network File System (NFS) protocol to share files or data between components. |
| 2055 | NetFlow data | UDP | From the management interface on the flow source (typically a router) to the JSA Flow Processor. | NetFlow datagram from components, such as routers. |
| 2376 | Docker command port | TCP | Internal communications. This port is not available externally. | Used to manage JSA application framework resources. |
| 3389 | Remote Desktop Protocol (RDP) and Ethernet over USB is enabled | TCP/UDP | If the Microsoft Windows operating system is configured to support RDP and Ethernet over USB, a user can initiate a session to the server over the management network. This means that the default RDP port, 3389, must be open. | |
| 4333 | Redirect port | TCP | This port is assigned as a redirect port for Address Resolution Protocol (ARP) requests in JSA offense resolution. | |
| 5000 | Used to allow communication to the docker si-registry running on the Console. This allows all managed hosts to pull images from the Console that are used to create local containers. | TCP | Unidirectional from the JSA managed host to the JSA Console. The port is only opened on the Console. Managed hosts must pull from the Console. | Required for apps running on an App Host. |
| 5432 | Postgres | TCP | Communication for the managed host that is used to access the local database instance. | Required for provisioning managed hosts from the Admin tab. |
| 6514 | Syslog | TCP | External network appliances that provide encrypted TCP syslog events use bidirectional traffic. | External log sources to send encrypted event data to JSA components. |
| 7676, 7677, and four randomly bound ports above 32000 | Messaging connections (IMQ) | TCP | Message queue communications between components on a managed host. | Message queue broker for communications between components on a managed host. Note: You must permit access to these ports from the JSA console to unencrypted hosts. Ports 7676 and 7677 are static TCP ports, and four extra connections are created on random ports. For more information about finding randomly bound ports, see Viewing IMQ Port Associations. |
| 5791, 7700, 7777, 7778, 7779, 7780, 7781, 7782, 7783, 7787, 7788, 7790, 7791, 7792, 7793, 7794, 7795, 7799, 8989, and 8990 | JMX server ports | TCP | Internal communications. These ports are not available externally. | JMX server (Java Management Beans) monitoring for all internal JSA processes to expose supportability metrics. These ports are used by JSA support. |
| 7789 | HA Distributed Replicated Block Device (DRBD) | TCP/UDP | Bidirectional between the secondary host and primary host in an HA cluster. | Distributed Replicated Block Device (DRBD) used to keep drives synchronized between the primary and secondary hosts in HA configurations. |
| 7800 | Apache Tomcat | TCP | From the Event Collector to the JSA console. | Real-time (streaming) for events. |
| 7801 | Apache Tomcat | TCP | From the Event Collector to the JSA console. | Real-time (streaming) for flows. |
| 7803 | Anomaly Detection Engine | TCP | From the Event Collector to the JSA console. | Anomaly detection engine port. |
| 7804 | QRM Arc builder | TCP | Internal control communications between JSA processes and ARC builder. | This port is used for JSA Risk Manager only. It is not available externally. |
| 7805 | Syslog tunnel communication | TCP | Bidirectional between the JSA Console and managed hosts. | Used for encrypted communication between the console and managed hosts. |
| 8000 | Event Collection service (ECS) | TCP | From the Event Collector to the JSA console. | Listening port for the specific Event Collection Service (ECS). |
| 8001 | SNMP daemon port | TCP | External SNMP systems that request SNMP trap information from the JSA console. | Listening port for external SNMP data requests. |
| 8005 | Apache Tomcat | TCP | Internal communications. Not available externally. | Open to control Tomcat. This port is bound and only accepts connections from the local host. |
| 8009 | Apache Tomcat | TCP | From the HTTP daemon (HTTPd) process to Tomcat. | Tomcat connector, where the request is used and proxied for the web service. |
| 8080 | Apache Tomcat | TCP | From the HTTP daemon (HTTPd) process to Tomcat. | Tomcat connector, where the request is used and proxied for the web service. |
| 8082 | Secure tunnel for JSA Risk Manager | TCP | Bidirectional traffic between the JSA Console and JSA Risk Manager. | Required when encryption is used between JSA Risk Manager and the JSA Console. |
| 8413 | WinCollect agents | TCP | Bidirectional traffic between the WinCollect agent and the JSA console. | This traffic is generated by the WinCollect agent and communication is encrypted. It is required to provide configuration updates to the WinCollect agent and to use WinCollect in connected mode. |
| 8844 | Apache Tomcat | TCP | Unidirectional from the JSA console to the appliance that is running the JSA Vulnerability Manager processor. | Used by Apache Tomcat to read information from the host that is running the JSA Vulnerability Manager processor. |
| 9000 | Conman | TCP | Unidirectional from the JSA Console to a JSA App Host. | Used with an App Host. It allows the Console to deploy apps to an App Host and to manage those apps. |
| 9090 | XForce IP Reputation database and server | TCP | Internal communications. Not available externally. | Communications between JSA processes and the XForce Reputation IP database. |
| 9381 | Certificate files download | TCP | Unidirectional from a JSA managed host or external network to the JSA Console. | Downloading JSA CA certificate and CRL files, which can be used to validate JSA generated certificates. |
| 9381 | localca-server | TCP | Bidirectional between JSA components. | Used to hold JSA local root and intermediate certificates, as well as associated CRLs. |
| 9393, 9394 | vault-qrd | TCP | Internal communications. Not available externally. | Used to hold secrets and allow services secure access to them. |
| 9913 plus one dynamically assigned port | Web application container | TCP | Bidirectional Java Remote Method Invocation (RMI) communication between Java Virtual Machines. | When the web application is registered, one additional port is dynamically assigned. |
| 9995 | NetFlow data | UDP | From the management interface on the flow source (typically a router) to the JSA flow processor. | NetFlow datagram from components, such as routers. |
| 9999 | JSA Vulnerability Manager processor | TCP | Unidirectional from the scanner to the appliance running the JSA Vulnerability Manager processor. | Used for JSA Vulnerability Manager (QVM) command information. The JSA console connects to this port on the host that is running the JSA Vulnerability Manager processor. This port is only used when QVM is enabled. |
| 10000 | JSA web-based system administration interface | TCP/UDP | User desktop systems to all JSA hosts. | In JSA 2014.5 and earlier, this port is used for server changes, such as the host's root password and firewall access. Port 10000 is disabled in 2014.6. |
| 10101, 10102 | Heartbeat command | TCP | Bidirectional traffic between the primary and secondary HA nodes. | Required to ensure that the HA nodes are still active. |
| 12500 | Socat binary | TCP | Outbound from the MH to the JSA Console. | Port used for tunneling Chrony UDP requests over TCP when the JSA Console or MH is encrypted. |
| 14433 | traefik | TCP | Bidirectional between JSA components. | Required for app services discovery. |
| 15432 | Required to be open for internal communication between JSA Risk Manager and JSA. | | | |
| 15433 | Postgres | TCP | Communication for the managed host that is used to access the local database instance. | Used for JSA Vulnerability Manager (QVM) configuration and storage. This port is only used when QVM is enabled. |
| 20000-23000 | SSH Tunnel | TCP | Bidirectional from the JSA Console to all other encrypted managed hosts. | Local listening point for SSH tunnels used for Java Message Service (JMS) communication with encrypted managed hosts. Used to perform long-running asynchronous tasks, such as updating networking configuration via System and License Management. |
| 23111 | SOAP web server | TCP | SOAP web server port for the Event Collection Service (ECS). | |
| 26000 | traefik | TCP | Bidirectional between JSA components. | Used with an App Host that is encrypted. Required for app services discovery. |
| 26001 | Conman | TCP | Unidirectional from the JSA Console to a JSA App Host. | Used with an App Host that is encrypted. It allows the Console to deploy apps to an App Host and to manage those apps. |
| 32000 | Normalized flow forwarding | TCP | Bidirectional between JSA components. | Normalized flow data that is communicated from an off-site source or between JSA Processors. |
| 32004 | Normalized event forwarding | TCP | Bidirectional between JSA components. | Normalized event data that is communicated from an off-site source or between JSA Event Collectors. |
| 32005 | Data flow | TCP | Bidirectional between JSA components. | Data flow communication port between JSA Event Collectors when on separate managed hosts. |
| 32006 | Ariel queries | TCP | Bidirectional between JSA components. | Communication port between the Ariel proxy server and the Ariel query server. |
| 32007 | Offense data | TCP | Bidirectional between JSA components. | Events and flows contributing to an offense or involved in global correlation. |
| 32009 | Identity data | TCP | Bidirectional between JSA components. | Identity data that is communicated between the passive Vulnerability Information Service (VIS) and the Event Collection Service (ECS). |
| 32010 | Flow listening source port | TCP | Bidirectional between JSA components. | Flow listening port to collect data from the JSA Flow Processor. |
| 32011 | Ariel listening port | TCP | Bidirectional between JSA components. | Ariel listening port for database searches, progress information, and other associated commands. |
| 32000-33999 | Data flow (flows, events, flow context) | TCP | Bidirectional between JSA components. | Data flows, such as events, flows, flow context, and event search queries. |
| 40799 | PCAP data | UDP | From Juniper Networks SRX Series appliances to JSA. | Collecting incoming packet capture (PCAP) data from Juniper Networks SRX Series appliances. Note: The packet capture on your device can use a different port. For more information about configuring packet capture, see your Juniper Networks SRX Series appliance documentation. |
| ICMP | ICMP | | Bidirectional traffic between the secondary host and primary host in an HA cluster. | Testing the network connection between the secondary host and primary host in an HA cluster by using Internet Control Message Protocol (ICMP). |
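As an added audit check (not part of this Juniper page), the script below compares a host's LISTEN sockets against the table above: ports the table marks as internal-only or localhost-only (2376, 8005, 9090, 9393/9394, 7804 and the JMX ports) are flagged when bound to a non-loopback address, and port 10000 is flagged because the table says it is disabled from JSA 2014.6. The `ss -ltn` output is constructed sample data, not captured from a real JSA host.

```python
import re

# Ports the JSA listening-port table describes as "Internal communications.
# Not available externally" or as accepting only local-host connections.
INTERNAL_ONLY_PORTS = {
    2376, 8005, 9090, 9393, 9394, 7804,
    # JMX server ports
    5791, 7700, 7777, 7778, 7779, 7780, 7781, 7782, 7783, 7787, 7788,
    7790, 7791, 7792, 7793, 7794, 7795, 7799, 8989, 8990,
}

# Port 10000 is documented as disabled in JSA 2014.6 and later.
DEPRECATED_PORTS = {10000}

LOOPBACK_ADDRS = {"127.0.0.1", "::1"}

# Constructed sample of `ss -ltn` output (assumption: standard ss column layout).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:8005      0.0.0.0:*
LISTEN 0      128    0.0.0.0:2376        0.0.0.0:*
LISTEN 0      128    [::]:7777           [::]:*
LISTEN 0      128    0.0.0.0:10000       0.0.0.0:*
"""

_ADDR_PORT = re.compile(r"^\[?([^\]]*)\]?:(\d+)$")


def parse_listeners(ss_text):
    """Return (local_address, port) tuples for every LISTEN line in ss output."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        match = _ADDR_PORT.match(fields[3])
        if match:
            listeners.append((match.group(1), int(match.group(2))))
    return listeners


def audit(listeners):
    """Return sorted (port, reason) findings for listeners that contradict the table."""
    findings = []
    for addr, port in listeners:
        if port in INTERNAL_ONLY_PORTS and addr not in LOOPBACK_ADDRS:
            findings.append((port, "internal-only port bound to %s" % addr))
        if port in DEPRECATED_PORTS:
            findings.append((port, "documented as disabled in JSA 2014.6 and later"))
    return sorted(findings)


if __name__ == "__main__":
    for port, reason in audit(parse_listeners(SAMPLE_SS_OUTPUT)):
        print("port %d: %s" % (port, reason))
```

On a real host, feed the output of `ss -ltn` to `parse_listeners` instead of the sample; port 8005 on 127.0.0.1 is correctly left unflagged.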