Cisco FirePOWER Appliance 7020
E-3
FireSIGHT System User Guide
Appendix E Security, Internet Access, and Communication Ports
Communication Ports Requirements
• secure remote connections to an appliance
• certain features of the system to access the local or Internet resources they need to function correctly
In general, feature-related ports remain closed until you enable or configure the associated feature. For
example, until you connect the Defense Center to a User Agent, the agent communications port
(3306/tcp) remains closed. As another example, port 623/udp remains closed on Series 3 appliances until
you enable LOM.
Caution
Do not close an open port until you understand how this action will affect your deployment.
For example, closing port 25/tcp (SMTP) outbound on a managed device blocks the device from sending
email notifications for individual intrusion events (see ). As another example, you can disable access
to a physical managed device’s web interface by closing port 443/tcp (HTTPS), but this also prevents
the device from submitting suspected malware files to the cloud for dynamic analysis.
Note that the system allows you to change some of its communication ports:
• You can specify custom ports for LDAP and RADIUS authentication when you configure a
connection between the system and the authentication server; see and .
• You can change the management port (8305/tcp); see
However, Cisco strongly recommends that you keep the default setting. If you change the
management port, you must change it for all appliances in your deployment that need to
communicate with each other.
• You can use port 32137/tcp to allow upgraded Defense Centers to communicate with the Cisco
cloud. However, Cisco recommends you switch to port 443, which is the default for fresh
installations of Version 5.3 and later. For more information, see
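As an added example (not Cisco's code or part of this guide), the following Python script encodes the default port expectations stated in this appendix, including the table below, and audits an appliance's observed open ports against them: it flags ports that are open without a justifying feature and expected ports that are closed, together with the feature that closing them breaks. The appliance-type labels, the feature labels and the observed port list are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortRule:
    port: str
    purpose: str
    not_on: frozenset = frozenset()   # appliance types on which the port is never open
    only_on: frozenset = frozenset()  # if non-empty, the port is open only on these types
    feature: str = ""                 # if set, the port stays closed until this feature is enabled

    def expected_open(self, appliance, enabled_features):
        if appliance in self.not_on:
            return False
        if self.only_on and appliance not in self.only_on:
            return False
        return not self.feature or self.feature in enabled_features

# Encoded from Table E-2 and the surrounding text of this appendix. The appliance-type
# labels and feature labels ("dhcp", "lom", "user_agent") are illustrative, not Cisco keys.
RULES = (
    PortRule("22/tcp", "SSH: secure remote connection"),
    PortRule("25/tcp", "SMTP: email notices and alerts"),
    PortRule("53/tcp", "DNS"),
    PortRule("67/udp", "DHCP", not_on=frozenset({"x-series"}), feature="dhcp"),
    PortRule("68/udp", "DHCP", not_on=frozenset({"x-series"}), feature="dhcp"),
    PortRule("80/tcp", "HTTP: RSS widget, Security Intelligence feeds, URL data",
             not_on=frozenset({"virtual", "x-series"})),
    PortRule("443/tcp", "HTTPS: web interface, malware submission for dynamic analysis"),
    PortRule("623/udp", "LOM", only_on=frozenset({"series3"}), feature="lom"),
    PortRule("3306/tcp", "User Agent communications", only_on=frozenset({"defense_center"}),
             feature="user_agent"),
    PortRule("8305/tcp", "management channel between appliances"),
)

def audit(appliance, enabled_features, observed_open):
    """Return (unexpected_open, required_closed): observed ports no rule justifies for this
    appliance and feature set, and expected ports that are closed, mapped to what they serve."""
    expected = {r.port: r.purpose for r in RULES if r.expected_open(appliance, enabled_features)}
    unexpected_open = sorted(p for p in observed_open if p not in expected)
    required_closed = {p: why for p, why in expected.items() if p not in observed_open}
    return unexpected_open, required_closed

if __name__ == "__main__":
    # Constructed sample: a physical managed device (no DHCP, no LOM) whose listener
    # inventory reports 3306/tcp open and 443/tcp closed.
    observed = {"22/tcp", "25/tcp", "53/tcp", "80/tcp", "8305/tcp", "3306/tcp"}
    print(audit("managed_device", set(), observed))
```

A closed 443/tcp is reported with the feature it disables, mirroring the Caution above about closing ports without understanding the effect on the deployment.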
The following table lists the open ports required by each appliance type so that you can take full
advantage of FireSIGHT System features.
Table E-2  Default Communication Ports for FireSIGHT System Features and Operations

Port             Description  Direction      Is Open on...                            To...
22/tcp           SSH/SSL      Bidirectional  Any                                      allow a secure remote connection to the appliance.
25/tcp           SMTP         Outbound       Any                                      send email notices and alerts from the appliance.
53/tcp           DNS          Outbound       Any                                      use DNS.
67/udp, 68/udp   DHCP         Outbound       Any except X-Series                      use DHCP. Note: these ports are closed by default.
80/tcp           HTTP         Outbound       Any except virtual devices and X-Series  allow the RSS Feed dashboard widget to connect to a remote web server.
                              Bidirectional  Defense Center                           update custom and third-party Security Intelligence feeds via HTTP.
                                                                                      download URL category and reputation data (port 443 also required).