Communication Protocols
Previously, Security Manager used FMTP as its communication protocol. Because the applications are now browser-based, HTTPS is the communication protocol. Below are tables listing the various ports used for connecting and their function.
Secure Communication - CVE Updates - Web Browser
| Port | Protocol | Service | Description |
|---|---|---|---|
| 443 | TCP | HTTPS | Used for secure communication between the Application Server and the Data Collector, and from a web browser to the Application Server. Also used for SSL access to .gov from the Application Server to download new CVE updates. |
| 9200 | TCP | HTTPS | Used for the ElasticSearch HTTP interface. |
| 9300 | TCP | HTTPS | Used for ElasticSearch. |
| 55555 | TCP | HTTPS | Used to access the FMOS Control Panel server. |
Log Processing and Configuration Retrievals
| Port | Protocol | Service | Description |
|---|---|---|---|
| 514 / 6514 | UDP/TCP | Syslog | Required only if you are using a central syslog server that the Data Collector listens on for change and usage messages. |
| 1470 | TCP | Syslog | Required only if you are using a central syslog on a Cisco device that the Data Collector listens on for change and usage messages. |
| 22 | TCP | SSH | Used by the Data Collector to retrieve configuration information from non-Check Point devices. |
| 18190 | TCP | CP CPMI | From the Data Collector to the management server. Default FireWall-1 port for CPMI communication; used to retrieve policies from the management server. |
| 18184 | TCP | CP LEA | Used to establish a LEA connection between the Data Collector and the Check Point management server. Security Manager uses the Log Export API (LEA) to connect to a Check Point log server. |
| 18210 | TCP | CP Certs | Used to generate the certificate used for encrypted communication between the Data Collector and the Check Point management server. |
| 443 | TCP | HTTPS | From the browser to the Application Server, and from the Application Server to .gov websites. Used to export configurations from Security Manager over SSL, for SSL access to .gov from the Application Server to download new CVE updates, and by the Data Collector to retrieve configuration information from devices that support an HTTPS API. |
| 80 | TCP | HTTPS | Listens on 0.0.0.0 and redirects to HTTPS on port 443. |
| 8080 | TCP | API | Required for Fortinet FortiManager API access. |
| 830 | TCP | Netconf | Required for Juniper SRX automation. |
Application Server to Database Communication
| Port | Protocol | Service | Description |
|---|---|---|---|
| 5432 | TCP | PostgreSQL | The port the PostgreSQL database server listens on. |
| 2049 | TCP | NFS | The port the NFS server listens on. NFS provides a shared file system for distributed deployments. Starting with v9.1, this open port is no longer needed for NFS. |
| 55555 | TCP | HTTPS | Used to access the FMOS Control Panel server. |
| 500 | UDP | ISAKMP | Used to authenticate and encrypt data packets. |
| 4500 | UDP | IPsec NAT-T | Used to authenticate and encrypt data packets. |
| 50 | IP protocol | IPsec ESP | Used to authenticate and encrypt data packets. Starting with v9.1, NFS traffic is carried over IP protocol 50 (ESP). |
Application Server to Application Server
| Port | Protocol | Service | Description |
|---|---|---|---|
| 5701 | TCP | Distr Cache | The port for the Security Manager distributed cache. |
| 5702 | TCP | Distr Cache | The port for the Workflow (Policy Planner and Policy Optimizer) distributed cache. |
| 61617 | TCP | Distr MSG Queue | The port for the Java Message Service (JMS) listener. JMS messaging allows application components to create, send, receive, and read messages. |
| 6155 | UDP | Cluster Discovery | The port for JMS cluster member discovery. |
| 54327 | UDP | Cluster Discovery | The port for distributed cache cluster member discovery. |
Clustered Data Collector to Data Collector
| Port | Protocol | Service | Description |
|---|---|---|---|
| 5150 | TCP | SSL | Used by clustered Data Collectors to communicate with each other. |
Notifications
| Port | Protocol | Service | Description |
|---|---|---|---|
| 25 | TCP | SMTP | Used to send secure email notifications from the Application Server. |
Additional Ports
| Port | Protocol | Service | Description |
|---|---|---|---|
| 53 | UDP | DNS | Used to validate FQDNs. |
| 123 | TCP | NTP | Used to sync with a time server. |
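As an added example (not part of the Security Manager documentation), the following Python audit compares the sockets actually listening on an Application Server against the port matrix above and reports listeners the tables do not document, documented listeners that are absent, and listeners bound to all interfaces. The `ss -tuln` output is constructed sample data, and the documented set assumes a single-host deployment where PostgreSQL runs locally.

```python
"""Audit listening sockets against the documented Security Manager port matrix."""
import re

# Listeners the tables above document for the Application Server, as (proto, port).
# 80 is the HTTP-to-HTTPS redirect; 5701/5702/61617 the distributed cache and JMS
# listeners; 6155/54327 the UDP cluster discovery ports. 2049 (NFS) is left out
# because the tables state it is no longer needed starting with v9.1.
DOCUMENTED_APP_SERVER_LISTENERS = {
    ("tcp", 443), ("tcp", 80), ("tcp", 55555), ("tcp", 9200), ("tcp", 9300),
    ("tcp", 5432), ("tcp", 5701), ("tcp", 5702), ("tcp", 61617),
    ("udp", 6155), ("udp", 54327),
}

# Constructed sample of `ss -tuln` output; not a capture from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      128             [::]:5701         [::]:*
tcp   LISTEN 0      128          0.0.0.0:2049      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8888      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:54327     0.0.0.0:*
"""

# Netid, State, Recv-Q, Send-Q, then "address:port" of the local socket.
_SS_LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_ss(output):
    """Return {(proto, port): local_address} for every socket line in `ss` output."""
    listeners = {}
    for line in output.splitlines()[1:]:  # skip the header row
        m = _SS_LINE_RE.match(line)
        if m:
            listeners[(m.group(1), int(m.group(3)))] = m.group(2)
    return listeners


def audit(output, documented=DOCUMENTED_APP_SERVER_LISTENERS):
    """Classify observed listeners as undocumented, missing, or bound to all interfaces."""
    observed = parse_ss(output)
    wildcard = ("0.0.0.0", "[::]", "*")
    return {
        "undocumented": sorted(set(observed) - documented),
        "missing": sorted(documented - set(observed)),
        "bound_all_interfaces": sorted(k for k, a in observed.items() if a in wildcard),
    }
```

Run `audit(subprocess.check_output(["ss", "-tuln"], text=True))` on a real host; the undocumented list is what to reconcile against the port matrix, and the missing list flags documented services that are not running.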