QRadar port usage

Review the list of common ports that IBM® QRadar® services and components use to communicate across the network. You can use the port list to determine which ports must be open in your network. For example, you can determine which ports must be open for the QRadar Console to communicate with remote event processors.

WinCollect remote polling

WinCollect agents that remotely poll other Microsoft Windows operating systems might require additional port assignments.

For more information, see the IBM QRadar WinCollect User Guide.

QRadar listening ports

The following table shows the QRadar ports that are open in a LISTEN state. The LISTEN ports are valid only when iptables is enabled on your system. Unless otherwise noted, information about the assigned port number applies to all QRadar products.
Table 1. Listening ports that are used by QRadar services and components
Port Description Protocol Direction Requirement
22 SSH TCP Bidirectional from the QRadar Console to all other components. Remote management access.

Adding a remote system as a managed host.

Log source protocols to retrieve files from external devices, for example the log file protocol.

Users who use the command-line interface to communicate from desktops to the Console.

High-availability (HA).

25 SMTP TCP From all managed hosts to the SMTP gateway. Emails from QRadar to an SMTP gateway.

Delivery of error and warning email messages to an administrative email contact.

111 Port mapper TCP/UDP Managed hosts that communicate with the QRadar Console.

Users that connect to the QRadar Console.

Remote Procedure Calls (RPC) for required services, such as Network File System (NFS).
123 Network Time Protocol (NTP) TCP/UDP QRadar Console to the NTP server.

HA primary to secondary, and vice versa.

Time synchronization between QRadar HA pairs, and between the QRadar Console and the NTP server.
135 and dynamically allocated ports above 1024 for RPC calls. DCOM TCP Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events.

Bidirectional traffic between QRadar Console components or IBM QRadar event collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.

This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.
Note: DCOM typically allocates a random port range for communication. You can configure Microsoft Windows products to use a specific port. For more information, see your Microsoft Windows documentation.
137 Windows NetBIOS name service UDP Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events.

Bidirectional traffic between QRadar Console components or QRadar Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.

This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.
138 Windows NetBIOS datagram service UDP Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events.

Bidirectional traffic between QRadar Console components or QRadar Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.

This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.
139 Windows NetBIOS session service TCP Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events.

Bidirectional traffic between QRadar Console components or QRadar Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.

This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.
162 NetSNMP UDP QRadar managed hosts that connect to the QRadar Console.

External log sources to QRadar Event Collectors.

UDP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources. The port is open only when the SNMP agent is enabled.
199 NetSNMP TCP QRadar managed hosts that connect to the QRadar Console.

External log sources to QRadar Event Collectors.

TCP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources. The port is open only when the SNMP agent is enabled.
427 Service Location Protocol (SLP) UDP/TCP   The Integrated Management Module uses the port to find services on a LAN.
443 Apache/HTTPS TCP Bidirectional traffic for secure communications from all products to the QRadar Console. Configuration downloads to managed hosts from the QRadar Console.

QRadar managed hosts that connect to the QRadar Console.

Users to have log in access to QRadar.

QRadar Console that manage and provide configuration updates for WinCollect agents.

445 Microsoft Directory Service TCP Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events.

Bidirectional traffic between QRadar Console components or QRadar Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events.

Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events.

This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter.
514 Syslog UDP/TCP External network appliances that provide TCP syslog events use bidirectional traffic.

External network appliances that provide UDP syslog events use uni-directional traffic.

Internal syslog traffic from QRadar hosts to the QRadar Console.

External log sources to send event data to QRadar components.

Syslog traffic includes WinCollect agents, event collectors, and Adaptive Log Exporter agents capable of sending either UDP or TCP events to QRadar.

762 Network File System (NFS) mount daemon (mountd) TCP/UDP Connections between the QRadar Console and NFS server. The Network File System (NFS) mount daemon, which processes requests to mount a file system at a specified location.
1514 Syslog-ng TCP/UDP Connection between the local Event Collector component and local Event Processor component to the syslog-ng daemon for logging. Internal logging port for syslog-ng.
2049 NFS TCP Connections between the QRadar Console and NFS server. The Network File System (NFS) protocol to share files or data between components.
2055 NetFlow data UDP From the management interface on the flow source (typically a router) to the IBM QRadar QFlow Collector. NetFlow datagram from components, such as routers.
2375 Docker command port TCP Internal communications. This port is not available externally. Used to manage QRadar application framework resources.
3389 Remote Desktop Protocol (RDP) and Ethernet over USB is enabled TCP/UDP   If the Microsoft Windows operating system is configured to support RDP and Ethernet over USB, a user can initiate a session to the server over the management network. This means the default port for RDP, 3389 must be open.
3900 Integrated Management Module remote presence port TCP/UDP   Use this port to interact with the QRadar console through the Integrated Management Module.
4333 Redirect port TCP   This port is assigned as a redirect port for Address Resolution Protocol (ARP) requests in QRadar offense resolution.
5000 Used to allow communication to the docker si-registry running on the Console. This allows all managed hosts to pull images from the Console that will be used to create local containers. TCP Unidirectional from the QRadar managed host to the QRadar Console. The port is only opened on the Console. Managed hosts must pull from the Console. Required for apps running on an App Host.
5432 Postgres TCP Communication for the managed host that is used to access the local database instance. Required for provisioning managed hosts from the Admin tab.
6514 Syslog TCP External network appliances that provide encrypted TCP syslog events use bidirectional traffic. External log sources to send encrypted event data to QRadar components.
7676, 7677, and four randomly bound ports above 32000. Messaging connections (IMQ) TCP Message queue communications between components on a managed host. Message queue broker for communications between components on a managed host.
Note: You must permit access to these ports from the QRadar console to unencrypted hosts.

Ports 7676 and 7677 are static TCP ports, and four extra connections are created on random ports.

For more information about finding randomly bound ports, see Viewing IMQ port associations.

7777, 7778, 7779, 7780, 7781, 7782, 7783, 7788, 7790, 7791, 7792, 7793, 7795, 7799, and 8989. JMX server ports TCP Internal communications. These ports are not available externally. JMX server (Java™ Management Beans) monitoring for all internal QRadar processes to expose supportability metrics.

These ports are used by QRadar support.

7789 HA Distributed Replicated Block Device TCP/UDP Bidirectional between the secondary host and primary host in an HA cluster. Distributed Replicated Block Device is used to keep drives synchronized between the primary and secondary hosts in HA configurations.
7800 Apache Tomcat TCP From the Event Processor to the QRadar Console. Real-time (streaming) for events.
7801 Apache Tomcat TCP From the Event Processor to the QRadar Console. Real-time (streaming) for flows.
7803 Anomaly Detection Engine TCP From the Event Processor to the QRadar Console. Anomaly detection engine port.
7804 QRM Arc builder TCP Internal control communications between QRadar processes and ARC builder. This port is used for QRadar Risk Manager only. It is not available externally.
7805 Syslog tunnel communication TCP Bidirectional between the QRadar Console and managed hosts Used for encrypted communication between the console and managed hosts.
8000 Event Collection service (ECS) TCP From the Event Collector to the QRadar Console. Listening port for specific Event Collection Service (ECS).
8001 SNMP daemon port TCP External SNMP systems that request SNMP trap information from the QRadar Console. Listening port for external SNMP data requests.
8005 Apache Tomcat TCP Internal communications. Not available externally. Open to control tomcat.

This port is bound and only accepts connections from the local host.

8009 Apache Tomcat TCP From the HTTP daemon (HTTPd) process to Tomcat. Tomcat connector, where the request is used and proxied for the web service.
8080 Apache Tomcat TCP From the HTTP daemon (HTTPd) process to Tomcat. Tomcat connector, where the request is used and proxied for the web service.
8082 Secure tunnel for QRadar Risk Manager TCP Bidirectional traffic between the QRadar Console and QRadar Risk Manager Required when encryption is used between QRadar Risk Manager and the QRadar Console.
8413 WinCollect agents TCP Bidirectional traffic between WinCollect agent and QRadar Console. This traffic is generated by the WinCollect agent and communication is encrypted. It is required to provide configuration updates to the WinCollect agent and to use WinCollect in connected mode.
8844 Apache Tomcat TCP Unidirectional from the QRadar Console to the appliance that is running the QRadar Vulnerability Manager processor. Used by Apache Tomcat to read RSS feeds from the host that is running the QRadar Vulnerability Manager processor.
9000 Conman TCP Unidirectional from the QRadar Console to a QRadar App Host. Used with an App Host. It allows the Console to deploy apps to an App Host and to manage those apps.
9090 XForce IP Reputation database and server TCP Internal communications. Not available externally. Communications between QRadar processes and the XForce Reputation IP database.
9381 Certificate files download TCP Unidirectional from QRadar managed host or external network to QRadar Console Downloading QRadar CA certificate and CRL files, which can be used to validate QRadar generated certificates.
9913 plus one dynamically assigned port Web application container TCP Bidirectional Java Remote Method Invocation (RMI) communication between Java Virtual Machines When the web application is registered, one additional port is dynamically assigned.
9995 NetFlow data UDP From the management interface on the flow source (typically a router) to the QRadar QFlow Collector. NetFlow datagram from components, such as routers.
9999 IBM QRadar Vulnerability Manager processor TCP Unidirectional from the scanner to the appliance running the QRadar Vulnerability Manager processor Used for QRadar Vulnerability Manager (QVM) command information. The QRadar Console connects to this port on the host that is running the QRadar Vulnerability Manager processor. This port is only used when QVM is enabled.
10000 QRadar web-based, system administration interface TCP/UDP User desktop systems to all QRadar hosts. In QRadar V7.2.5 and earlier, this port is used for server changes, such as the hosts root password and firewall access.

Port 10000 is disabled in V7.2.6.

10101, 10102 Heartbeat command TCP Bidirectional traffic between the primary and secondary HA nodes. Required to ensure that the HA nodes are still active.
15433 Postgres TCP Communication for the managed host that is used to access the local database instance. Used for QRadar Vulnerability Manager (QVM) configuration and storage. This port is only used when QVM is enabled.
20000-23000 SSH Tunnel TCP Bidirectional from the QRadar Console to all other encrypted managed hosts. Local listening point for SSH tunnels used for Java Message Service (JMS) communication with encrypted managed hosts. Used to perform long-running asynchronous tasks, such as updating networking configuration via System and License Management.
23111 SOAP web server TCP   SOAP web server port for the Event Collection Service (ECS).
23333 Emulex Fibre Channel TCP User desktop systems that connect to QRadar appliances with a Fibre Channel card. Emulex Fibre Channel HBAnywhere Remote Management service (elxmgmt).
32000 Normalized flow forwarding TCP Bidirectional between QRadar components. Normalized flow data that is communicated from an off-site source or between QRadar QFlow Collectors.
32004 Normalized event forwarding TCP Bidirectional between QRadar components. Normalized event data that is communicated from an off-site source or between QRadar Event Collectors.
32005 Data flow TCP Bidirectional between QRadar components. Data flow communication port between QRadar Event Collectors when on separate managed hosts.
32006 Ariel queries TCP Bidirectional between QRadar components. Communication port between the Ariel proxy server and the Ariel query server.
32007 Offense data TCP Bidirectional between QRadar components. Events and flows contributing to an offense or involved in global correlation.
32009 Identity data TCP Bidirectional between QRadar components. Identity data that is communicated between the passive Vulnerability Information Service (VIS) and the Event Collection Service (ECS).
32010 Flow listening source port TCP Bidirectional between QRadar components. Flow listening port to collect data from QRadar QFlow Collectors.
32011 Ariel listening port TCP Bidirectional between QRadar components. Ariel listening port for database searches, progress information, and other associated commands.
32000-33999 Data flow (flows, events, flow context) TCP Bidirectional between QRadar components. Data flows, such as events, flows, flow context, and event search queries.
40799 PCAP data UDP From Juniper Networks SRX Series appliances to QRadar.

Collecting incoming packet capture (PCAP) data from Juniper Networks SRX Series appliances.

Note: The packet capture on your device can use a different port. For more information about configuring packet capture, see your Juniper Networks SRX Series appliance documentation.
ICMP ICMP   Bidirectional traffic between the secondary host and primary host in an HA cluster. Testing the network connection between the secondary host and primary host in an HA cluster by using Internet Control Message Protocol (ICMP).