
Juniper Secure Analytics

JSA Common Ports Lists

Release 2014.1

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.

Published: 2015-25-11 Copyright Notice Copyright © 2015 Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc.

The following terms are trademarks or registered trademarks of other companies:

JavaTM and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

FCC Statement The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Juniper Networks’ installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT, SUBJECT TO THE MODIFICATIONS SET FORTH BELOW ON THIS PAGE, ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

JSA Common Ports Lists Release 2014.1

Copyright © 2015, Juniper Networks, Inc.

All rights reserved. Printed in USA.

Revision

November 2015—JSA Common Ports Lists

The information in this document is current as of the date listed in the revision history.

END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html, as modified by the following text, which shall be treated under the EULA as an Entitlement Document taking precedence over any conflicting provisions of such EULA as regards such software:

As regards software accompanying the STRM products (the “Program”), such software contains software licensed by Q1 Labs and is further accompanied by third-party software that is described in the applicable documentation or materials provided by Juniper Networks.

For the convenience of Licensee, the Program may be accompanied by a third party operating system. The operating system is not part of the Program, and is licensed directly by the operating system provider (e.g., Red Hat Inc., Novell Inc., etc.) to Licensee. Neither Juniper Networks nor Q1 Labs is a party to the license between Licensee and the third party operating system provider, and the Program includes the third party operating system “AS IS”, without representation or warranty, express or implied, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement. For an installed Red Hat operating system, see the license file: /usr/share/doc/redhat-release-server-6Server/EULA.

By downloading, installing or using such software, you agree to the terms and conditions of that EULA as so modified.

CONTENTS

1 JSA COMMON PORTS
    JSA Common Ports ...... 7
    Viewing Random Port Associations ...... 12
    Searching for Ports on JSA ...... 13

1 JSA COMMON PORTS

This technical note provides a list of common ports used by Juniper Secure Analytics (JSA), services, and components.

The information provided in this document contains the assigned port number, descriptions, protocols, and the signaling direction for the port.

Unless otherwise noted, all references to JSA refer to JSA and Log Analytics. References to flows do not apply to Log Analytics.

JSA Common Ports

The listening ports for JSA as listed in Table 1-1 are valid only when iptables is enabled on your JSA system.

Table 1-1 Listening Ports Used by JSA, Services, and Components

| Port | Description | Protocol | Direction | Required for |
|---|---|---|---|---|
| 22 | SSH | TCP | JSA console to all other components | • Remote management access • Adding a remote system as a managed host • Log source protocols to retrieve files from external devices, for example the Log File protocol • End users use the command line to communicate from desktops to the JSA console • High Availability (HA) communication |
| 25 | SMTP | TCP | From all managed hosts to your SMTP gateway | • Allowing JSA to send e-mails to an SMTP gateway • Error and warning e-mail message delivery to an administrative e-mail contact |
| 37 |  | UDP/TCP | • All systems to the JSA console • JSA Console to the NTP or RDATE server | Time synchronization between the JSA console and managed hosts |
| 80 | Apache/https | TCP | • End users to the JSA console • End users to the JSA Deployment Editor | • Communication and downloads from the JSA console to end-user desktops • Allowing the deployment editor application to download from the JSA console to end-user desktops |
| 111 | Port mapper | TCP/UDP | • JSA managed hosts connecting to the JSA Console • End users connecting to the JSA Console | Remote Procedure Calls (RPC) for required services, such as Network File System (NFS) |
| 135 and dynamically allocated ports above 1024 for RPC calls | DCOM | TCP | From Windows host providing events using Windows Management Instrumentation (WMI) to JSA Consoles or JSA Event Collectors | DCOM communication and the collection of Windows events using WMI. Firewalls between JSA and the target Windows host must be configured to allow DCOM communication. Note: DCOM typically uses a range of random ports, which can be configured to use a specific range. For more information, see your documentation. |
| 161 | SNMP agent | UDP | • JSA managed hosts connecting to the Juniper Secure Analytics (JSA) Console • External log sources to JSA Event Collectors | UDP listening port for the SNMP agent |
| 199 | NetSNMP | TCP | • JSA managed hosts connecting to the JSA Console • External log sources to JSA Event Collectors | TCP port for the NetSNMP daemon listening for communications (v1, v2c, and v3) from external log sources |
| 443 | Apache/https | TCP | • JSA managed hosts connecting to the JSA Console • End users connecting to the Juniper Secure Analytics (JSA) Console | • Configuration downloads to managed hosts from the JSA Console • End users to have log in access to Juniper Secure Analytics (JSA) |
| 514 | Syslog | UDP | External log sources to JSA Event Collectors | External log sources to send event data to JSA components |
| 762 | Network File System daemon (mountd) | TCP/UDP | Connections between the JSA Console and NFS server | The Network File System (NFS) mount daemon, which processes requests to mount a file system at a specified location |
| 1514 | Syslog-ng | TCP/UDP | Connection between the local Event Collector component and local Event Processor component to the syslog-ng daemon for logging | Internal logging port for syslog-ng |
| 2049 | NFS | TCP | Connections between the JSA Console and NFS server | The Network File System (NFS) protocol to share files or data between components |
| 2055 | NetFlow data | UDP | From the management interface on the flow source (typically a router) to the Flow Processor | NetFlow datagram from components, such as routers |
| 4333 | Redirect port | TCP |  | This port is assigned as a redirect port for Address Resolution Protocol (ARP) requests in JSA Offense Resolution |
| 5432 | Postgres | TCP | Communication for the managed host used to access the local database instance | When provisioning managed hosts using the Admin tab |
| 6543 | High Availability heartbeat | TCP/UDP | Bi-directional between the secondary host and primary host in an HA cluster | Heartbeat ping from a secondary host to a primary host in an HA cluster to detect hardware or network failure |
| 7676, 7677, and four randomly bound ports above 32000 | Messaging connections (IMQ) | TCP | Message queue communications between components on a managed host | Message queue broker for communications between components on a managed host. Ports 7676 and 7677 are static TCP ports and four additional connections are created on random ports. For more information on randomly bound ports, see Viewing Random Port Associations. |
| 7777 to 7782, 7790, 7791 | JMX server ports | TCP | Internal communications; these ports are not available externally | JMX server (Mbean) monitoring for ECS, hostcontext, Tomcat, VIS, reporting, ariel, and accumulator services. These ports are used by JSA support. |
| 7789 | HA Distributed Replicated Block Device (DRBD) | TCP/UDP | Bi-directional between the secondary host and primary host in an HA cluster | Distributed Replicated Block Device (DRBD) used to keep discs synchronized between the primary and secondary hosts in HA configurations |
| 7800 | Apache Tomcat | TCP | From the Event Collector to the JSA Console | Real-time (streaming) for events |
| 7801 | Apache Tomcat | TCP | From the Event Collector to the JSA Console | Real-time (streaming) for flows |
| 7803 | Apache Tomcat | TCP | From the Event Collector to the JSA Console | Anomaly Detection Engine listening port |
| 8000 | Event Collection Service (ECS) | TCP | From the Event Collector to the JSA Console | Listening port for specific Event Collect Service (ECS) events |
| 8005 | Apache Tomcat | TCP | None | This is a local port not used by JSA. |
| 8009 | Apache Tomcat | TCP | From the HTTP daemon (httpd) process to Tomcat | Tomcat connector, where the request is used and proxied for the web service |
| 8080 | Apache Tomcat | TCP | From the HTTP daemon (httpd) process to Tomcat | Tomcat connector, where the request is used and proxied for the web service |
| 9995 | NetFlow data | UDP | From the management interface on the flow source (typically a router) to the Flow Processor | NetFlow datagram from components, such as routers |
| 10000 | Juniper Secure Analytics (JSA) Web-Based System Administration Interface | TCP/UDP | End-user desktop to all JSA hosts | Server changes, such as root password and firewalls |
| 23111 | SOAP Webserver | TCP |  | SOAP Webserver listening port for the Event Collection Service (ECS) |
| 23333 | Emulex Fibre Channel | UDP | End-user desktop to Juniper Secure Analytics (JSA) hosts containing a Fibre Channel card | Emulex Fibre Channel HBAnywhere Remote Management service (elxmgmt) |
| 32004 | Normalized Event Forwarding | TCP | Bi-directional between JSA components | Normalized event data communicated from an off-site source or between Event Collectors |
| 32005 | Data flow | TCP | Bi-directional between JSA components | Data flow communication port between Event Collectors when located on separate managed hosts |
| 32006 | Ariel queries | TCP | Bi-directional between JSA components | Communication port between the Ariel Proxy server and the Ariel Query server |
| 32009 | Identity data | TCP | Bi-directional between JSA components | Identity data communicated between the passive Vulnerability Information Service (VIS) and the Event Collection Service (ECS) |
| 32010 | Flow source listening port | TCP | Bi-directional between JSA components | Flow listening port to collect data from Flow Processors |
| 32011 | Ariel listening port | TCP | Bi-directional between JSA components | Ariel listening port for database searches, progress information, and other associated commands |
| 32000-33999 | Data flow (flows, events, flow context) | TCP | Bi-directional between JSA components | Data flows, such as events, flows, flow context, and event search queries |
| 40799 | data | UDP | From Juniper Networks SRX Series appliances to JSA | Collecting incoming packet capture (PCAP) data from Juniper Networks SRX Series appliances. Note: The packet capture on your device can use an alternate port to 40799. For more information on configuring packet capture, see your Juniper Networks SRX Series appliance documentation. |
| ICMP | ICMP | ICMP | Bi-directional between the secondary host and primary host in an HA cluster | Testing the network connection between the secondary host and primary host in an HA cluster using Internet Control Message Protocol (ICMP) |

All the ports listed in Table 1-1 can be tunneled, by encryption, through port 22 over SSH.

Viewing Random Port Associations

Several ports allocate additional random port numbers for application services, for example, Message Queues (IMQ).

About this task

You can view additional port numbers using telnet to connect to the localhost and look up the port number.

NOTE Random port associations are not static port numbers. If a service is restarted, the ports generated for a service are reallocated and the service is provided with a new set of port numbers.

Procedure
Step 1 Using SSH, log in to your JSA Console as the root user.
Login: root
Password:
Step 2 Type the following command:
telnet localhost 7676
Step 3 If no information is displayed, press Enter to terminate the connection.


Searching for Ports on JSA

netstat is a command line tool used to determine which ports are in use on your JSA Console or managed host.

About this task

The netstat command allows you to view all listening and established ports on the system.

Procedure to use the netstat command
Step 1 Using SSH, log in to your JSA Console as the root user.
Login: root
Password:
Step 2 Type the following command:
netstat -nap
Step 3 To search for specific information from the netstat port list, type the following command:
netstat -nap | grep <search term>
Where <search term> is the port number or search term for the netstat search. For example:
• netstat -nap | grep 199 - Displays all ports matching 199.
• netstat -nap | grep postgres - Displays all postgres related ports.
• netstat -nap | grep LISTEN - Displays information on all listening ports.

What to do next

For more information on using the netstat command, type netstat ? for a list of netstat options.
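As an added example (not part of the Juniper document), the following shell script reads netstat -nap output and reports every listening TCP or UDP socket whose port is not accounted for in Table 1-1, so an unexpected listener on a JSA Console stands out during a review. The static port list is transcribed from Table 1-1; the sample netstat lines are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: audit "netstat -nap" output against the JSA Table 1-1 port list.
# On a JSA Console run as root:  netstat -nap | audit_listeners
# Static listening ports from Table 1-1 (assumption: Console role). The random
# IMQ ports and the 32000-33999 data-flow range are handled in is_expected.
JSA_STATIC_PORTS="22 25 37 80 111 135 161 199 443 514 762 1514 2049 2055 4333 5432 6543 \
7676 7677 7777 7778 7779 7780 7781 7782 7789 7790 7791 7800 7801 7803 8000 8005 8009 \
8080 9995 10000 23111 23333 40799"

# is_expected PORT: succeeds if PORT is in the static list or in 32000-33999.
is_expected() {
  p=$1
  case "$p" in *[!0-9]*|"") return 1 ;; esac   # not a plain port number
  for e in $JSA_STATIC_PORTS; do
    [ "$p" = "$e" ] && return 0
  done
  [ "$p" -ge 32000 ] && [ "$p" -le 33999 ] && return 0
  return 1
}

# audit_listeners: reads netstat -nap lines on stdin, prints "PROTO PORT PID/PROG"
# for each listener not covered by Table 1-1. TCP listeners carry a LISTEN state;
# UDP lines have no state column, so a udp socket with foreign address "*:*" /
# "0.0.0.0:*" is treated as listening and its last field is the program.
audit_listeners() {
  while read -r proto recvq sendq local foreign state prog; do
    case "$proto" in
      tcp*) [ "$state" = "LISTEN" ] || continue ;;
      udp*) case "$foreign" in *:\*) prog=$state ;; *) continue ;; esac ;;
      *) continue ;;                               # headers, unix sockets, etc.
    esac
    port=${local##*:}                              # works for 0.0.0.0:22 and :::22
    is_expected "$port" || echo "$proto $port ${prog:-unknown}"
  done
}

# Constructed sample of netstat -nap output (not captured from a real system).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address   State       PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN      1234/sshd
tcp        0      0 0.0.0.0:5432    0.0.0.0:*         LISTEN      2345/postgres
tcp        0      0 127.0.0.1:8443  0.0.0.0:*         LISTEN      9999/java
tcp        0      0 10.0.0.5:443    10.0.0.7:51000    ESTABLISHED 3456/httpd
udp        0      0 0.0.0.0:514     0.0.0.0:*                     4567/ecs
udp        0      0 0.0.0.0:1900    0.0.0.0:*                     8888/minissdpd'

printf '%s\n' "$SAMPLE" | audit_listeners
```

With the sample above only the 8443/tcp and 1900/udp listeners are printed; ports 22, 5432 and 514 are covered by Table 1-1 and the established 443 session is not a listener.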
