Common Ports and Servers Used by JSA
JSA requires that certain ports are ready to receive information from JSA components and external infrastructure. To ensure that JSA is using the most recent security information, it also requires access to public servers and RSS feeds.
SSH Communication on Port 22
All the ports that are used by the JSA console to communicate with managed hosts can be tunneled, by encryption, through port 22 over SSH.
The console connects to the managed hosts using an encrypted SSH session to communicate securely. These SSH sessions are initiated from the console to provide data to the managed host. For example, the JSA console can initiate multiple SSH sessions to the Event Processor appliances for secure communication. This communication can include tunneled ports over SSH, such as HTTPS data for port 443 and Ariel query data for port 32006. Flow Processors that use encryption can initiate SSH sessions to Flow Processor appliances that require data.
Open Ports That Are Not Required by JSA
You might find additional open ports in the following situations:
When you mount or export a network file share, you might see dynamically assigned ports that are required for RPC services, such as
rpc.mountdandrpc.rquotad.
JSA Port Usage
Review the list of common ports that JSA services and components use to communicate across the network. You can use the port list to determine which ports must be open in your network. For example, you can determine which ports must be open for the JSA console to communicate with remote event processors.
WinCollect Remote Polling
WinCollect agents that remotely poll other Microsoft Windows operating systems might require additional port assignments.
For more information, see the Juniper Secure Analytics WinCollect User Guide.
JSA Listening Ports
The following table shows the JSA ports that are
open in a LISTEN state. The LISTEN ports are valid only when iptables is enabled
on your system. Unless otherwise noted, information about the assigned
port number applies to all JSA products.
Port |
Description |
Protocol |
Direction |
Requirement |
|---|---|---|---|---|
22 |
SSH |
TCP |
Bidirectional from the JSA console to all other components. |
Remote management access. Adding a remote system as a managed host. Log source protocols to retrieve files from external devices, for example the log file protocol. Users who use the command-line interface to communicate from desktops to the Console. High-availability (HA). |
25 |
SMTP |
TCP |
From all managed hosts to the SMTP gateway. |
Emails from JSA to an SMTP gateway. Delivery of error and warning email messages to an administrative email contact. |
111 and random generated port |
Port mapper |
TCP/UDP |
Managed hosts (MH) that communicate with the JSA Console. Users that connect to the JSA Console. |
Remote Procedure Calls (RPC) for required services, such as Network File System (NFS). |
123 |
Network Time Protocol (NTP) |
UDP |
Outbound from the JSA Console to the NTP Server Outbound from the MH to the JSA Console |
Time synchronization via Chrony between:
|
135 and dynamically allocated ports above 1024 for RPC calls. |
DCOM |
TCP |
Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA event collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. |
This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. Note:
DCOM typically allocates a random port range for communication. You can configure Microsoft Windows products to use a specific port. For more information, see your Microsoft Windows documentation. |
137 |
Windows NetBIOS name service |
UDP |
Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. |
This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
138 |
Windows NetBIOS datagram service |
UDP |
Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. |
This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
139 |
Windows NetBIOS session service |
TCP |
Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. |
This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
162 |
NetSNMP |
UDP |
JSA managed hosts that connect to the JSA console. External log sources to JSA Event Collectors. |
UDP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources. The port is open only when the SNMP agent is enabled. |
199 |
NetSNMP |
TCP |
JSA managed hosts that connect to the JSA console. External log sources to JSA Event Collectors. |
TCP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources. The port is open only when the SNMP agent is enabled. |
443 |
Apache/HTTPS |
TCP |
Bidirectional traffic for secure communications from all products to the JSA console. Unidirectional traffic from the App Host to th JSA Console. |
Configuration downloads to managed hosts from the JSA console. JSA managed hosts that connect to the JSA console. Users to have log in access to JSA. JSA console that manage and provide configuration updates for WinCollect agents. Apps that require access to the JSA API. |
445 |
Microsoft Directory Service |
TCP |
Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between JSA console components or JSA Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events. Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. |
This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
514 |
Syslog |
UDP/TCP |
External network appliances that provide TCP syslog events use bidirectional traffic. External network appliances that provide UDP syslog events use uni-directional traffic. Internal syslog traffic from JSA hosts to the JSA console. |
External log sources to send event data to JSA components. Syslog traffic includes WinCollect agents, event collectors, and Adaptive Log Exporter agents capable of sending either UDP or TCP events to JSA. |
762 |
Network File System (NFS) mount daemon (mountd) |
TCP/UDP |
Connections between the JSA console and NFS server. |
The Network File System (NFS) mount daemon, which processes requests to mount a file system at a specified location. |
1514 |
Syslog-ng |
TCP/UDP |
Connection between the local Event Collector component and local Event Processor component to the syslog-ng daemon for logging. |
Internal logging port for syslog-ng. |
2049 |
NFS |
TCP |
Connections between the JSA console and NFS server. |
The Network File System (NFS) protocol to share files or data between components. |
2055 |
NetFlow data |
UDP |
From the management interface on the flow source (typically a router) to the JSA Flow Processor. |
NetFlow datagram from components, such as routers. |
2376 |
Docker command port |
TCP |
Internal communications. This port is not available externally. |
Used to manage JSA application framework resources. |
3389 |
Remote Desktop Protocol (RDP) and Ethernet over USB is enabled |
TCP/UDP |
If the Microsoft Windows operating system is configured to support RDP and Ethernet over USB, a user can initiate a session to the server over the management network. This means the default port for RDP, 3389 must be open. |
|
4333 |
Redirect port |
TCP |
This port is assigned as a redirect port for Address Resolution Protocol (ARP) requests in JSA offense resolution. |
|
5000 |
Used to allow communication to the docker si-registry running on the Console. This allows all managed hosts to pull images from the Console that will be used to create local containers. |
TCP |
Unidirectional from the JSA managed host to the JSA Console. The port is only opened on the Console. Managed hosts must pull from the Console. |
Required for apps running on an App Host. |
5432 |
Postgres |
TCP |
Communication for the managed host that is used to access the local database instance. |
Required for provisioning managed hosts from the Admin tab. |
6514 |
Syslog |
TCP |
External network appliances that provide encrypted TCP syslog events use bidirectional traffic. |
External log sources to send encrypted event data to JSA components. |
7676, 7677, and four randomly bound ports above 32000. |
Messaging connections (IMQ) |
TCP |
Message queue communications between components on a managed host. |
Message queue broker for communications between components on a managed host. Note:
You must permit access to these ports from the JSA console to unencrypted hosts. Ports 7676 and 7677 are static TCP ports, and four extra connections are created on random ports. For more information about finding randomly bound ports, see "Viewing IMQ Port Associations". |
5791, 7700, 7777, 7778, 7779, 7780, 7781, 7782, 7783, 7787, 7788, 7790, 7791, 7792, 7793, 7794, 7795, 7799, 8989, and 8990. |
JMX server ports |
TCP |
Internal communications. These ports are not available externally. |
JMX server (Java Management Beans) monitoring for all internal JSA processes to expose supportability metrics. These ports are used by JSA support. |
7789 |
HA Distributed Replicated Block Device (DRBD) |
TCP/UDP |
Bidirectional between the secondary host and primary host in an HA cluster. |
Distributed Replicated Block Device (DRBD) used to keep drives synchronized between the primary and secondary hosts in HA configurations. |
7800 |
Apache Tomcat |
TCP |
From the Event Collector to the JSA console. |
Real-time (streaming) for events. |
7801 |
Apache Tomcat |
TCP |
From the Event Collector to the JSA console. |
Real-time (streaming) for flows. |
7803 |
Anomaly Detection Engine |
TCP |
From the Event Collector to the JSA console. |
Anomaly detection engine port. |
7804 |
JSA Risk Manager Arc builder |
TCP |
Internal control communications between JSA processes and ARC builder. |
This port is used for JSA Risk Manager only. It is not available externally. |
7805 |
Syslog tunnel communication |
TCP |
Bidirectional between the JSA Console and managed hosts |
Used for encrypted communication between the console and managed hosts. |
8000 |
Event Collection service (ECS) |
TCP |
From the Event Collector to the JSA console. |
Listening port for specific Event Collection Service (ECS). |
8001 |
SNMP daemon port |
TCP |
External SNMP systems that request SNMP trap information from the JSA console. |
Listening port for external SNMP data requests. |
8005 |
Apache Tomcat |
TCP |
Internal communications. Not available externally. |
Open to control tomcat. This port is bound and only accepts connections from the local host. |
8009 |
Apache Tomcat |
TCP |
From the HTTP daemon (HTTPd) process to Tomcat. |
Tomcat connector, where the request is used and proxied for the web service. |
8080 |
Apache Tomcat |
TCP |
From the HTTP daemon (HTTPd) process to Tomcat. |
Tomcat connector, where the request is used and proxied for the web service. |
8082 |
Secure tunnel for JSA Risk Manager |
TCP |
Bidirectional traffic between the JSA Console and JSA Risk Manager |
Required when encryption is used between JSA Risk Manager and the JSA Console. |
8413 |
WinCollect agents |
TCP |
Bidirectional traffic between WinCollect agent and JSA console. |
This traffic is generated by the WinCollect agent and communication is encrypted. It is required to provide configuration updates to the WinCollect agent and to use WinCollect in connected mode. |
8844 |
Apache Tomcat |
TCP |
Unidirectional from the JSA console to the appliance that is running the JSA Vulnerability Manager processor. |
Used by Apache Tomcat to read information from the host that is running the JSA Vulnerability Manager processor. |
9000 |
Conman |
Unidirectional from the JSA Console to a JSA App Host. |
Used with an App Host. It allows the Console to deploy apps to an App Host and to manage those apps. |
|
9090 |
XForce IP Reputation database and server |
TCP |
Internal communications. Not available externally. |
Communications between JSA processes and the XForce Reputation IP database. |
9381 |
Certificate files download |
TCP |
Unidirectional from JSA managed host or external network to JSA Console. |
Downloading JSA CA certificate and CRL files, which can be used to validate JSA generated certificates. |
9381 |
localca-server |
TCP |
Bidirectional between QRadar components. |
Used to hold QRadar local root and intermediate certificates, as well as associated CRLs. |
9393, 9394 |
vault-qrd |
TCP |
Internal communications. Not available externally. |
Used to hold secrets and allow secure access to them to services. |
9913 plus one dynamically assigned port |
Web application container |
TCP |
Bidirectional Java Remote Method Invocation (RMI) communication between Java Virtual Machines |
When the web application is registered, one additional port is dynamically assigned. |
9995 |
NetFlow data |
UDP |
From the management interface on the flow source (typically a router) to the JSA flow processor. |
NetFlow datagram from components, such as routers. |
9999 |
JSA Vulnerability Manager processor |
TCP |
Unidirectional from the scanner to the appliance running the JSA Vulnerability Manager processor |
Used for JSA Vulnerability Manager command information. The JSA console connects to this port on the host that is running the JSA Vulnerability Manager processor. This port is only used when JSA Vulnerability Manager is enabled. |
10000 |
JSA web-based, system administration interface |
TCP/UDP |
User desktop systems to all JSA hosts. |
In JSA 2014.5 and earlier, this port is used for server changes, such as the hosts root password and firewall access. Port 10000 is disabled in 2014.6. |
10101, 10102 |
Heartbeat command |
TCP |
Bidirectional traffic between the primary and secondary HA nodes. |
Required to ensure that the HA nodes are still active. |
12500 |
Socat binary |
TCP |
Outbound from MH to the JSA Console |
Port used for tunneling chrony udp requests over tcp when JSA Console or MH is encrypted |
14433 |
traefik |
TCP |
Bidirectional between QRadar components. |
Required for app services discovery. |
15432 |
Required to be open for internal communication between JSA Risk Manager and JSA. |
|||
15433 |
Postgres |
TCP |
Communication for the managed host that is used to access the local database instance. |
Used for JSA Vulnerability Manager configuration and storage. This port is only used when JSA Vulnerability Manager is enabled. |
20000-23000 |
SSH Tunnel |
TCP |
Bidirectional from the JSA Console to all other encrypted managed hosts. |
Local listening point for SSH tunnels used for Java Message Service (JMS) communication with encrypted managed hosts. Used to perform long-running asynchronous tasks, such as updating networking configuration via System and License Management. |
23111 |
SOAP web server |
TCP |
SOAP web server port for the Event Collection Service (ECS). |
|
| 23333 | Emulex Fibre Channel | TCP | User desktop systems that connect to JSA appliances with a Fibre Channel card. | Emulex Fibre Channel HBAnywhere Remote Management service (elxmgmt). |
| 26000 | traefik | TCP |
Bidirectional between JSA components. |
Used with an App Host that is encrypted. Required for app services discovery. |
| 26001 | Conman | TCP | Unidirectional from the JSA Console to a JSA App Host. | Used with an App Host that is encrypted. It allows the Console to deploy apps to an App Host and to manage those apps. |
32000 |
Normalized flow forwarding |
TCP |
Bidirectional between JSA components. |
Normalized flow data that is communicated from an off-site source or between JSA Flow Processors. |
32004 |
Normalized event forwarding |
TCP |
Bidirectional between JSA components. |
Normalized event data that is communicated from an off-site source or between JSA Event Collectors. |
32005 |
Data flow |
TCP |
Bidirectional between JSA components. |
Data flow communication port between JSA Event Collectors when on separate managed hosts. |
32006 |
Ariel queries |
TCP |
Bidirectional between JSA components. |
Communication port between the Ariel proxy server and the Ariel query server. |
32007 |
Offense data |
TCP |
Bidirectional between JSA components. |
Events and flows contributing to an offense or involved in global correlation. |
32009 |
Identity data |
TCP |
Bidirectional between JSA components. |
Identity data that is communicated between the passive Vulnerability Information Service (VIS) and the Event Collection Service (ECS). |
32010 |
Flow listening source port |
TCP |
Bidirectional between JSA components. |
Flow listening port to collect data from JSA Flow Processor. |
32011 |
Ariel listening port |
TCP |
Bidirectional between JSA components. |
Ariel listening port for database searches, progress information, and other associated commands. |
32000-33999 |
Data flow (flows, events, flow context) |
TCP |
Bidirectional between JSA components. |
Data flows, such as events, flows, flow context, and event search queries. |
ICMP |
ICMP |
Bidirectional traffic between the secondary host and primary host in an HA cluster. |
Testing the network connection between the secondary host and primary host in an HA cluster by using Internet Control Message Protocol (ICMP). |
Viewing IMQ Port Associations
Several ports that are used by JSA allocate extra random port numbers. For example, Message Queues (IMQ) open random ports for communication between components on a managed host. You can view the random port assignments for IMQ by using telnet to connect to the local host and doing a lookup on the port number.
Random port associations are not static port numbers. If a service is restarted, the ports that are generated for the service are reallocated and the service is provided with a new set of port numbers.
Using SSH, log in to the JSA console as the root user.
To display a list of associated ports for the IMQ messaging connection, type the following command:
telnet localhost 7676
The results from the telnet command might look similar to this output:
[root@domain ~]# telnet localhost 7676 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 101 imqbroker 4.4 Update 1 portmapper tcp PORTMAPPER 7676 [imqvarhome=/opt/openmq/mq/var,imqhome=/opt/openmq/mq,sessionid=<session_id>] cluster_discovery tcp CLUSTER_DISCOVERY 44913 jmxrmi rmi JMX 0 [url=service:jmx:rmi://domain.ibm.com/stub/<urlpath>] admin tcp ADMIN 43691 jms tcp NORMAL 7677 cluster tcp CLUSTER 36615
The telnet output shows 3 of the 4 random high-numbered TCP ports for IMQ. The fourth port, which is not shown, is a JMX Remote Method Invocation (RMI) port that is available over the JMX URL that is shown in the output.
If the telnet connection is refused, it means that IMQ is not currently running. It is probable that the system is either starting up or shutting down, or that services were shut down manually.
Searching for Ports in Use by JSA
Use the netstat command to determine which ports are in use on the JSA Console or managed host. Use the netstat command to view all listening and established ports on the system.
Using SSH, log in to your JSA console, as the root user.
To display all active connections and the TCP and UDP ports on which the computer is listening, type the following command:
netstat -nap
To search for specific information from the netstat port list, type the following command:
netstat -nap | grep port
To display all ports that match 199, type the following command:
netstat -nap | grep 199
To display information on all listening ports, type the following command:
netstat -nap | grep LISTEN
JSA Public Servers
To provide you with the most current security information, JSA requires access to a number of public servers.
Table 2 lists descriptions for the IP addresses or hostnames that JSA accesses.
Public Servers
IP address or hostname |
Description |
|---|---|
194.153.113.31 |
JSA Vulnerability Manager DMZ scanner |
194.153.113.32 |
JSA Vulnerability Manager DMZ scanner |
download.juniper.net |
JSA auto-update servers. |
update.xforce-security.com |
X-Force Threat Feed update server |
license.xforce-security.com |
X-Force Threat Feed licensing server |