QRadar port usage
Review the list of common ports that IBM® QRadar® services and components use to communicate across the network. You can use the port list to determine which ports must be open in your network. For example, you can determine which ports must be open for the QRadar Console to communicate with remote event processors.
WinCollect remote polling
WinCollect agents that remotely poll other Microsoft Windows operating systems might require additional port assignments.
For more information, see the IBM QRadar WinCollect User Guide.
QRadar listening ports
The following table lists the ports that QRadar components have open in a LISTEN state. The LISTEN ports are valid only when iptables is enabled on your system. Unless otherwise noted, information about the assigned port number applies to all QRadar products.
Port | Description | Protocol | Direction | Requirement |
---|---|---|---|---|
22 | SSH | TCP | Bidirectional from the QRadar Console to all other components. | Remote management access. Adding a remote system as a managed host. Log source protocols to retrieve files from external devices, for example the log file protocol. Users who use the command-line interface to communicate from desktops to the Console. High-availability (HA). |
25 | SMTP | TCP | From all managed hosts to the SMTP gateway. | Emails from QRadar to an SMTP gateway. Delivery of error and warning email messages to an administrative email contact. |
111 and a randomly generated port | Port mapper | TCP/UDP | Managed hosts (MH) that communicate with the QRadar Console. Users that connect to the QRadar Console. | Remote Procedure Calls (RPC) for required services, such as Network File System (NFS). |
123 | Network Time Protocol (NTP) | UDP | Outbound from the QRadar Console to the NTP server. Outbound from the MH to the QRadar Console. | Time synchronization via Chrony between the QRadar Console and the NTP server, and between managed hosts and the QRadar Console. |
135 and dynamically allocated ports above 1024 for RPC calls | DCOM | TCP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between QRadar Console components or IBM QRadar Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. Note: DCOM typically allocates a random port range for communication. You can configure Microsoft Windows products to use a specific port. For more information, see your Microsoft Windows documentation. |
137 | Windows NetBIOS name service | UDP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between QRadar Console components or QRadar Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
138 | Windows NetBIOS datagram service | UDP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between QRadar Console components or QRadar Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
139 | Windows NetBIOS session service | TCP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between QRadar Console components or QRadar Event Collectors that use either Microsoft Security Event Log Protocol or Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
162 | NetSNMP | UDP | QRadar managed hosts that connect to the QRadar Console. External log sources to QRadar Event Collectors. | UDP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources. The port is open only when the SNMP agent is enabled. |
199 | NetSNMP | TCP | QRadar managed hosts that connect to the QRadar Console. External log sources to QRadar Event Collectors. | TCP port for the NetSNMP daemon that listens for communications (v1, v2c, and v3) from external log sources. The port is open only when the SNMP agent is enabled. |
427 | Service Location Protocol (SLP) | UDP/TCP | The Integrated Management Module uses the port to find services on a LAN. | |
443 | Apache/HTTPS | TCP | Bidirectional traffic for secure communications from all products to the QRadar Console. Unidirectional traffic from the App Host to the QRadar Console. | Configuration downloads to managed hosts from the QRadar Console. QRadar managed hosts that connect to the QRadar Console. Users who log in to QRadar. The QRadar Console, which manages and provides configuration updates for WinCollect agents. Apps that require access to the QRadar API. |
445 | Microsoft Directory Service | TCP | Bidirectional traffic between WinCollect agents and Windows operating systems that are remotely polled for events. Bidirectional traffic between QRadar Console components or QRadar Event Collectors that use the Microsoft Security Event Log Protocol and Windows operating systems that are remotely polled for events. Bidirectional traffic between Adaptive Log Exporter agents and Windows operating systems that are remotely polled for events. | This traffic is generated by WinCollect, Microsoft Security Event Log Protocol, or Adaptive Log Exporter. |
514 | Syslog | UDP/TCP | External network appliances that provide TCP syslog events use bidirectional traffic. External network appliances that provide UDP syslog events use unidirectional traffic. Internal syslog traffic from QRadar hosts to the QRadar Console. | External log sources that send event data to QRadar components. Syslog traffic includes WinCollect agents, Event Collectors, and Adaptive Log Exporter agents capable of sending either UDP or TCP events to QRadar. |
762 | Network File System (NFS) mount daemon (mountd) | TCP/UDP | Connections between the QRadar Console and NFS server. | The Network File System (NFS) mount daemon, which processes requests to mount a file system at a specified location. |
1514 | Syslog-ng | TCP/UDP | Connection between the local Event Collector component and local Event Processor component to the syslog-ng daemon for logging. | Internal logging port for syslog-ng. |
2049 | NFS | TCP | Connections between the QRadar Console and NFS server. | The Network File System (NFS) protocol to share files or data between components. |
2055 | NetFlow data | UDP | From the management interface on the flow source (typically a router) to the IBM QRadar QFlow Collector. | NetFlow datagram from components, such as routers. |
2376 | Docker command port | TCP | Internal communications. This port is not available externally. | Used to manage QRadar application framework resources. |
3389 | Remote Desktop Protocol (RDP) when Ethernet over USB is enabled | TCP/UDP | If the Microsoft Windows operating system is configured to support RDP and Ethernet over USB, a user can initiate a session to the server over the management network. This means that the default RDP port, 3389, must be open. | |
3900 | Integrated Management Module remote presence port | TCP/UDP | Use this port to interact with the QRadar console through the Integrated Management Module. | |
4333 | Redirect port | TCP | This port is assigned as a redirect port for Address Resolution Protocol (ARP) requests in QRadar offense resolution. | |
5000 | Used to allow communication to the docker si-registry running on the Console. This allows all managed hosts to pull images from the Console that will be used to create local containers. | TCP | Unidirectional from the QRadar managed host to the QRadar Console. The port is only opened on the Console. Managed hosts must pull from the Console. | Required for apps running on an App Host. |
5432 | Postgres | TCP | Communication for the managed host that is used to access the local database instance. | Required for provisioning managed hosts from the Admin tab. |
6514 | Syslog | TCP | External network appliances that provide encrypted TCP syslog events use bidirectional traffic. | External log sources to send encrypted event data to QRadar components. |
7676, 7677, and four randomly bound ports above 32000 | Messaging connections (IMQ) | TCP | Message queue communications between components on a managed host. | Message queue broker for communications between components on a managed host. Note: You must permit access to these ports from the QRadar Console to unencrypted hosts. Ports 7676 and 7677 are static TCP ports, and four extra connections are created on random ports. For more information about finding randomly bound ports, see Viewing IMQ port associations. |
5791, 7700, 7777, 7778, 7779, 7780, 7781, 7782, 7783, 7787, 7788, 7790, 7791, 7792, 7793, 7794, 7795, 7799, 8989, and 8990 | JMX server ports | TCP | Internal communications. These ports are not available externally. | JMX server (Java™ Management Beans) monitoring for all internal QRadar processes to expose supportability metrics. These ports are used by QRadar support. |
7789 | HA Distributed Replicated Block Device | TCP/UDP | Bidirectional between the secondary host and primary host in an HA cluster. | Distributed Replicated Block Device is used to keep drives synchronized between the primary and secondary hosts in HA configurations. |
7800 | Apache Tomcat | TCP | From the Event Processor to the QRadar Console. | Real-time (streaming) for events. |
7801 | Apache Tomcat | TCP | From the Event Processor to the QRadar Console. | Real-time (streaming) for flows. |
7803 | Anomaly Detection Engine | TCP | From the Event Processor to the QRadar Console. | Anomaly detection engine port. |
7804 | QRM Arc builder | TCP | Internal control communications between QRadar processes and ARC builder. | This port is used for QRadar Risk Manager only. It is not available externally. |
7805 | Syslog tunnel communication | TCP | Bidirectional between the QRadar Console and managed hosts | Used for encrypted communication between the console and managed hosts. |
8000 | Event Collection service (ECS) | TCP | From the Event Collector to the QRadar Console. | Listening port for specific Event Collection Service (ECS). |
8001 | SNMP daemon port | TCP | External SNMP systems that request SNMP trap information from the QRadar Console. | Listening port for external SNMP data requests. |
8005 | Apache Tomcat | TCP | Internal communications. Not available externally. | Open to control tomcat. This port is bound and only accepts connections from the local host. |
8009 | Apache Tomcat | TCP | From the HTTP daemon (HTTPd) process to Tomcat. | Tomcat connector, where the request is used and proxied for the web service. |
8080 | Apache Tomcat | TCP | From the HTTP daemon (HTTPd) process to Tomcat. | Tomcat connector, where the request is used and proxied for the web service. |
8082 | Secure tunnel for QRadar Risk Manager | TCP | Bidirectional traffic between the QRadar Console and QRadar Risk Manager | Required when encryption is used between QRadar Risk Manager and the QRadar Console. |
8413 | WinCollect agents | TCP | Bidirectional traffic between WinCollect agent and QRadar Console. | This traffic is generated by the WinCollect agent and communication is encrypted. It is required to provide configuration updates to the WinCollect agent and to use WinCollect in connected mode. |
8844 | Apache Tomcat | TCP | Unidirectional from the QRadar Console to the appliance that is running the QRadar Vulnerability Manager processor. | Used by Apache Tomcat to read information from the host that is running the QRadar Vulnerability Manager processor. |
9000 | Conman | TCP | Unidirectional from the QRadar Console to a QRadar App Host. | Used with an App Host. It allows the Console to deploy apps to an App Host and to manage those apps. |
9090 | XForce IP Reputation database and server | TCP | Internal communications. Not available externally. | Communications between QRadar processes and the XForce Reputation IP database. |
9381 | Certificate files download | TCP | Unidirectional from QRadar managed host or external network to QRadar Console | Downloading QRadar CA certificate and CRL files, which can be used to validate QRadar generated certificates. |
9381 | localca-server | TCP | Bidirectional between QRadar components. | Used to hold QRadar local root and intermediate certificates, as well as associated CRLs. |
9393, 9394 | vault-qrd | TCP | Internal communications. Not available externally. | Used to hold secrets and allow secure access to them to services. |
9913 plus one dynamically assigned port | Web application container | TCP | Bidirectional Java Remote Method Invocation (RMI) communication between Java Virtual Machines | When the web application is registered, one additional port is dynamically assigned. |
9995 | NetFlow data | UDP | From the management interface on the flow source (typically a router) to the QRadar QFlow Collector. | NetFlow datagram from components, such as routers. |
9999 | IBM QRadar Vulnerability Manager processor | TCP | Unidirectional from the scanner to the appliance running the QRadar Vulnerability Manager processor | Used for QRadar Vulnerability Manager (QVM) command information. The QRadar Console connects to this port on the host that is running the QRadar Vulnerability Manager processor. This port is only used when QVM is enabled. |
10000 | QRadar web-based system administration interface | TCP/UDP | User desktop systems to all QRadar hosts. | In QRadar V7.2.5 and earlier, this port is used for server changes, such as the host's root password and firewall access. Port 10000 is disabled in V7.2.6. |
10101, 10102 | Heartbeat command | TCP | Bidirectional traffic between the primary and secondary HA nodes. | Required to ensure that the HA nodes are still active. |
12500 | Socat binary | TCP | Outbound from the MH to the QRadar Console. | Port used for tunneling Chrony UDP requests over TCP when the QRadar Console or MH is encrypted. |
14433 | traefik | TCP | Bidirectional between QRadar components. | Required for app services discovery. |
15432 | Required to be open for internal communication between QRM and QRadar. | | | |
15433 | Postgres | TCP | Communication for the managed host that is used to access the local database instance. | Used for QRadar Vulnerability Manager (QVM) configuration and storage. This port is only used when QVM is enabled. |
15434 | Required to be open for internal communication between Forensics and QRadar. | | | |
20000-23000 | SSH Tunnel | TCP | Bidirectional from the QRadar Console to all other encrypted managed hosts. | Local listening point for SSH tunnels used for Java Message Service (JMS) communication with encrypted managed hosts. Used to perform long-running asynchronous tasks, such as updating networking configuration via System and License Management. |
23111 | SOAP web server | TCP | SOAP web server port for the Event Collection Service (ECS). | |
23333 | Emulex Fibre Channel | TCP | User desktop systems that connect to QRadar appliances with a Fibre Channel card. | Emulex Fibre Channel HBAnywhere Remote Management service (elxmgmt). |
26000 | traefik | TCP | Bidirectional between QRadar components. | Used with an App Host that is encrypted. Required for app services discovery. |
26001 | Conman | TCP | Unidirectional from the QRadar Console to a QRadar App Host. | Used with an App Host that is encrypted. It allows the Console to deploy apps to an App Host and to manage those apps. |
32000 | Normalized flow forwarding | TCP | Bidirectional between QRadar components. | Normalized flow data that is communicated from an off-site source or between QRadar QFlow Collectors. |
32004 | Normalized event forwarding | TCP | Bidirectional between QRadar components. | Normalized event data that is communicated from an off-site source or between QRadar Event Collectors. |
32005 | Data flow | TCP | Bidirectional between QRadar components. | Data flow communication port between QRadar Event Collectors when on separate managed hosts. |
32006 | Ariel queries | TCP | Bidirectional between QRadar components. | Communication port between the Ariel proxy server and the Ariel query server. |
32007 | Offense data | TCP | Bidirectional between QRadar components. | Events and flows contributing to an offense or involved in global correlation. |
32009 | Identity data | TCP | Bidirectional between QRadar components. | Identity data that is communicated between the passive Vulnerability Information Service (VIS) and the Event Collection Service (ECS). |
32010 | Flow listening source port | TCP | Bidirectional between QRadar components. | Flow listening port to collect data from QRadar QFlow Collectors. |
32011 | Ariel listening port | TCP | Bidirectional between QRadar components. | Ariel listening port for database searches, progress information, and other associated commands. |
32000-33999 | Data flow (flows, events, flow context) | TCP | Bidirectional between QRadar components. | Data flows, such as events, flows, flow context, event search queries, and Docker proxy. |
40799 | PCAP data | UDP | From Juniper Networks SRX Series appliances to QRadar. | Collecting incoming packet capture (PCAP) data from Juniper Networks SRX Series appliances. Note: The packet capture on your device can use a different port. For more information about configuring packet capture, see your Juniper Networks SRX Series appliance documentation. |
ICMP | ICMP | Bidirectional traffic between the secondary host and primary host in an HA cluster. | Testing the network connection between the secondary host and primary host in an HA cluster by using Internet Control Message Protocol (ICMP). |
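One way to put the table to work is to compare what a host is actually listening on with the documented list, so that an undocumented listener, or an "internal only" port bound to an external address, stands out during a review. The script below is an added example and is not IBM code; the `DOCUMENTED_TCP` subset is taken from the table above, and the `ss -tln` output is constructed rather than captured from a real appliance.

```python
# Added example (not IBM code): compare a host's TCP LISTEN sockets with the
# documented port list. The table subset and `ss -tln` output are constructed.

# port -> (name, internal_only); internal_only marks rows the table describes
# as "not available externally".
DOCUMENTED_TCP = {
    22: ("SSH", False),
    443: ("Apache/HTTPS", False),
    2376: ("Docker command port", True),
    7676: ("Messaging connections (IMQ)", False),
    8005: ("Apache Tomcat", True),
    32004: ("Normalized event forwarding", False),
}
# Documented ranges that are bound dynamically; any port inside them is expected.
DYNAMIC_RANGES = [(20000, 23000, "SSH Tunnel"), (32000, 33999, "Data flow")]
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Constructed `ss -tln` output, not captured from a real appliance.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:8005       0.0.0.0:*
LISTEN  0       128     0.0.0.0:2376         0.0.0.0:*
LISTEN  0       128     0.0.0.0:32777        0.0.0.0:*
LISTEN  0       128     0.0.0.0:4444         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""


def parse_ss(output: str) -> set:
    """Return (local address, port) pairs for every LISTEN line of `ss -tln`."""
    listening = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 "[::]" intact
        listening.add((addr, int(port)))
    return listening


def in_dynamic_range(port: int) -> bool:
    return any(lo <= port <= hi for lo, hi, _ in DYNAMIC_RANGES)


def audit(listening: set) -> dict:
    """Flag undocumented listeners and internal-only ports bound to a non-loopback
    address (check that iptables restricts the latter before accepting them)."""
    exposed_internal, undocumented = set(), set()
    for addr, port in listening:
        if port in DOCUMENTED_TCP:
            if DOCUMENTED_TCP[port][1] and addr not in LOOPBACK:
                exposed_internal.add(port)
        elif not in_dynamic_range(port):
            undocumented.add(port)
    return {"exposed_internal": sorted(exposed_internal),
            "undocumented": sorted(undocumented)}
```

On a real host, replace `SAMPLE_SS` with the output of `ss -tln` and extend `DOCUMENTED_TCP` with the remaining TCP rows from the table; a port flagged as `exposed_internal` is only a problem if the iptables rules do not already block it.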