Guardium port requirements
Each Guardium® system must have ports available for several types of communication. This section lists these connections and the default port numbers that are assigned to them.
Open ports
Ports used in or by the Guardium system.
DB Server – Collector
- TCP 8443 - open from DB server to collector
- TCP 16016 – UNIX STAP, both directions, registration, heartbeat, and data (including IBM i S-TAP running in PASE)
- TCP 16017 – Windows/Unix CAS, both directions, templates and data
- TCP 16018 – UNIX S-TAP (TLS) and External S-TAP, both directions, registration, heartbeat, and data
- TCP 16019 – Windows/Unix CAS (TLS), both directions, templates and data
- TCP 16020 - From S-TAP agent Clear UNIX S-TAP connection pooling
- TLS 16021 - From S-TAP agent Encrypted UNIX S-TAP connection pooling
- TCP 8081 – Guardium Installation Manager, both directions, database server to collector/Central Manager
- TCP 9800 – Windows S-TAP using protocol 8, both directions, DB Server to Collector, S-TAP registration and data
- TCP 9801 – Encrypted (TLS) Windows S-TAP using protocol 8, both directions, DB Server to Collector, S-TAP registration and data
Collector – Aggregator (Secure Shell – SSL)
- TCP 22 – collector to aggregator, SCP data exports, both directions
Central Manager – Managed Devices
- TCP 22 – SSH/SCP data transfers, both directions
- TCP 8443 – SSL, both directions
- TCP 8444 – SSL, STAP to GIM file upload
- TCP 3306 – MySQL, opened to specific sources (for instance, the Central Manager is open to all managed units; a managed unit is open to the Central Manager)
- TLS 8447 - Used for remote messaging service infrastructure (and profile distribution infrastructure) for communication between Guardium systems in the federated environment / centrally-managed environment. Configuration profiles allow the definition of configuration and scheduling settings from a Central Manager and conveniently distribute those settings to managed unit groups without altering the configuration of the Central Manager itself.
File Activity Monitoring (FAM), on the unit where it is installed. (Bidirectional means data can be sent or received in both directions once connection is established.)
- TCP/TLS 16022/16023: Universal Feed. 16022 (FAM monitoring, unencrypted) and 16023 (FAM monitoring, encrypted) both need to be open bidirectionally.
- 16016 to 16023: These ports must be open bidirectionally for the sniffer. The connection is made from the S-TAP to the sniffer (sniffer does not initiate the connection); listening ports are on the sniffer side only.
- 18087: Listener port for FAM on IBM Content Classification (ICM) server located on the same machine where FAM is installed.(serverSettings.icmURL=http://localhost:18087) Open bidirectionally.
Guardium Installation Manager (GIM)
- 8445 - GIM client listener, both directions. The GIM client is doing the listening. Any GIM server on either the Central Manager or the collector can reach out to it the GIM client.
- 8446 - GIM authenticated TLS, both directions. Use between the GIM client and the GIM server (on the Central Manager or collector). If GIM_USE_SSL is NOT disabled, then the gim_client will attempt to communicate its certificate via port 8446. IF port 8446 is NOT open, then it defaults to 8444, BUT no certificate is passed (for example, TLS without verification).
- 8081 - TLS - To use 8081 for the GIM client to connect to the GIM server, there is a need to disable the GIM_USE_SSL parameter - it is ON by default. This parameter is part of the GIM common parameters in the GUI. If GIM_USE_SSL is NOT disabled, then the gim_client will attempt to communicate its certificate via port 8446. IF port 8446 is NOT open, then it defaults to 8444, BUT no certificate is passed (for example, TLS without verification).
Enterprise load balancer
- TLS 8443 - S-TAP load balancer - This is needed for UNIX/Linux S-TAPs to communicate instances to the collector. However this port is also used for the Central Manager load balancer. The S-TAP initiates a request to central manager (load balancer) on 8443 sending HTTPS message, if installation indicates to use Enterprise load balancer. Between the database server and central manager, there will be the capability to use a proxy server, if customer doesn't want an open port directly from database to central manager.
Quick Search for Enterprise
- TCP 8983 - SOLR - Incoming, SSL
- TCP 9983 - SOLR - Incoming, SSL
User Interface - Guardium System (standalone, aggregator, central manager)
- TCP 22 - user to system, CLI connectivity, both directions
- TCP 8443 - user to system, GUI connectivity (configurable), both directions, sending discovered instances to the UI
- 8445 - TLS. Bidirectional port to connect to a file server.
System – SMTP server
- TCP 25 – system to SMTP server, email alerts
System – SNMP server
- UDP 161 - SNMP client to system – SNMP Polling
- UDP 162 - system to SNMP server, SNMP traps
System – SYSLOG server
- UDP/TCP 514 – remote syslog message from/to other systems, typically SIEMNote: The local port is 514, but the remote port must be entered into the configuration. If encryption is used, the protocol must be TCP, not UDP.
System – NTP server
- TCP/UDP 123 – system to Network Time Protocol Server
System – DNS server
- TCP/UDP 53 – system to Domain Name Server
System – EMC Centera (backups)
- TCP 3218 – system to EMC Centera
System – Tivoli LDAP
- UDP 389 – system to/from Tivoli LDAP
System – Mainframe
- TCP 16022 – connects S-TAP to DB2 z/OS, S-TAP IMS, S-TAP VSAM (S-TAP Data Set)
- TCP 16023 - TLS connections, specifically IBM‘s Application Transparent Transport Layer Security (AT-TLS)
Outbound ports to monitor Azure streaming
The following ports must be open to support IPv4 connections to Azure services.
| Port | Protocol | Purpose |
|---|---|---|
| 443 | SSL | Azure Namespace |
| 5671, 5672 | AMQP | Azure Namespace |
| 443 | SSL | Azure Storage |
Outbound ports to monitor AWS streaming
The following ports must be open to support IPv4 connections to AWS.
| Port | Protocol | Purpose |
|---|---|---|
| 443 | SSL | AWS Kinesis, AWS DynamoDB, AWS CloudWatch, and AWS KMS |
Ports for connections to Windows database servers
| Port | Protocol | Purpose |
|---|---|---|
| 9500 | TCP | Clear Windows S-TAP |
| 9501 | TLS | Encrypted Windows S-TAP (optional) |
| 16017 | TCP | Clear Windows CAS |
| 16019 | TLS | Encrypted Windows CAS (optional) |
| 9800 | TCP | Windows S-TAP using protocol 8, both directions, DB Server to Collector, S-TAP registration and data |
| 9801 | TLS | Encrypted (TLS) Windows S-TAP using protocol 8, both directions, DB Server to Collector, S-TAP registration and data |
Default ports used for Guardium Application Access
| Port | Protocol | Purpose |
|---|---|---|
| 8443 | TCP | The port is used for:
Note: Change this port using the HTTPS Port setting available at
.
|
| 22 | TCP | SSH access from clients to manage the Guardium appliance |
| 3306 | TCP | Communication between central manager and managed units |
Ports for connections to z/OS database servers
| Port | Protocol | Purpose |
|---|---|---|
| 16022 | TCP | Connects to S-TAP for DB2 z/OS, S-TAP for IMS, S-TAP for Data Sets |
| 16023 | TCP | TLS connections, specifically IBM's Application Transport Layer Security (AT-TLS) |
| 41500 | TCP | Default starting port for internal message logging communications – LOG_PORT_SCAN_START |
| 39987 | TCP | Default agent-specific communications port between the agent and the agent secondary address spaces – ADS_LISTENER_PORT |
Default ports used for other features
| Port | Protocol | Purpose |
|---|---|---|
| 20, 21 | TCP | FTP Server for backups/archiving (optional) |
| 22 | TCP | SCP for backups/archiving, patch distributions, and file-transfers |
| 25 | TCP | SMTP (email server) for alerts and other notification |
| 53 | TCP | DNS Servers |
| 123 | TCP, UDP | NTP (Time Server) for time synchronization |
| 161 | TCP, UDP | SNMP Polling (optional) |
| 162 | TCP, UDP | SNMP Traps (optional) |
| 389 | TCP | LDAP, for example, Active Directory or Sun One Directory |
| 443 | TCP | Default outbound port from External S-TAP® GUI to Kubernetes API |
| 514 | TCP | Syslog Server (optional) |
| 636 | TCP | LDAP, for example, Active Directory or Sun One Directory over SSL (optional) |
| 1500 | TCP | Tivoli Storage Manager backup hosts (optional) |
| 3218 | TCP, UDP | EMC Centera backup hosts (optional) |
| user-defined | TCP | Database Server listener ports, for example, 1521 for Oracle or 1433 for MS-SQL, for Guardium datasource access (optional). Use this port for S-TAP verification and Discovery. |
| 16022/16023 | TCP/TLS | Universal Feed - File Activity Monitoring (FAM0 |
| 18027 | FAM using IBM Content Classification locally (serverSettings.icmURL=http://localhost:18087) | |
| 8445 | GIM client listener, both directions The GIM client is doing the listening. Any GIM server on either the central manager or the collector can reach out to it (the GIM client). |
|
| 8446 | TLS | GIM authenticated TLS, both directions Use between the GIM client and the GIM server (on the central manager or collector). If GIM_USE_SSL is NOT disabled, then the gim_client will attempt to communicate its certificate via port 8446. IF port 8446 is NOT open, then it defaults to 8444 BUT no certificate is passed (for example, TLS without verification). |
| 8447 | TLS | Used for remote messaging service infrastructure (and profile distribution infrastructure) for communication between Guardium systems in the federated environment / centrally-managed environment. Configuration profiles allow the definition of configuration and scheduling settings from a central manager and conveniently distribute those settings to managed unit groups without altering the configuration of the central manager itself. |
| 8443 | TLS | Enterprise load balancer This is needed for UNIX/Linux S-TAPs to communicate instances to the collector. However this port is also used for the central manager load balancer. If the installation wants to use Enterprise load balancer, then the S-TAP initiates a request to the central manager on port 8443 by sending an HTTPS message. So between database server and central manager, there will be the capability to use a proxy server, if customer doesn't want an open port directly from database to central manager. |
| 8081 | TLS | To use 8081 for the GIM client to connect to the GIM server - need to disable the GIM_USE_SSL parameter - it is ON by default. This parameter is part of the GIM common parameters in the GUI. If GIM_USE_SSL is NOT disabled, then the gim_client will attempt to communicate its certificate via port 8446. IF port 8446 is NOT open, then it defaults to 8444 BUT no certificate is passed (for example, TLS without verification). |
| 8983 | TCP | SOLR, incoming, SSL (Quick Search for Enterprise) |
| 9983 | TCP | SOLR, incoming, SSL (Quick Search for Enterprise) |