Common ports and servers used by QRadar

IBM QRadar requires that certain ports are ready to receive information from QRadar components and external infrastructure. To ensure that QRadar is using the most recent security information, it also requires access to public servers and RSS feeds.

Warning: If you change any common ports, your QRadar deployment might break.

SSH communication on port 22

All the ports that are used by the QRadar console to communicate with managed hosts can be tunneled, by encryption, through port 22 over SSH.

The console connects to the managed hosts by using an encrypted SSH session to communicate securely. These SSH sessions are initiated from the console to provide data to the managed host. For example, the QRadar Console can initiate multiple SSH sessions to the Event Processor appliances for secure communication. This communication can include tunneled ports over SSH, such as HTTPS data for port 443 and Ariel query data for port 32006. IBM QRadar Flow Collectors that use encryption can initiate SSH sessions to Flow Processor appliances that require data.

Open ports that are not required by QRadar

You might find additional open ports in the following situations:
  • When you install QRadar on your own hardware, you might see open ports that are used by services, daemons, and programs included in Red Hat Enterprise Linux®.
  • When you mount or export a network file share, you might see dynamically assigned ports that are required for RPC services, such as rpc.mountd and rpc.rquotad.
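
One way to triage the listeners described above, as an added example that is not IBM's code: it sorts `ss -tulnp` output into ports named on this page, RPC helper ports, and everything else. The function names, the verdict labels, and the three-port allowlist (22, 443, 32006) are assumptions for illustration, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: classify listening sockets on a QRadar host.
# Reads `ss -tulnp` output on stdin; prints "proto port process verdict".

classify_listeners() {
    awk '
    BEGIN {
        # Assumption: only the ports named on this page. Extend this list
        # from the port table for your QRadar version before relying on it.
        known["22"] = "ssh"; known["443"] = "https"; known["32006"] = "ariel"
    }
    $1 == "Netid" { next }                  # skip the ss header line
    NF < 5        { next }                  # skip blank or short lines
    {
        n = split($5, part, ":")            # handles 0.0.0.0:22 and [::]:22
        port = part[n]
        proc = "-"                          # empty when ss ran without root
        if (match($0, /[(][(]"[^"]+"/))
            proc = substr($0, RSTART + 3, RLENGTH - 4)
        if (port in known)
            verdict = "expected:" known[port]
        else if (proc ~ /^rpc[.](mountd|rquotad)$/)
            verdict = "rpc-dynamic"         # NFS mount/export helper ports
        else
            verdict = "review"              # OS service or unknown listener
        print $1, port, proc, verdict
    }'
}

# Constructed sample of `ss -tulnp` output (not captured from a real host).
sample_listeners() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1023,fd=3))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=1023,fd=4))
tcp   LISTEN 0      50     127.0.0.1:32006     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:45871       0.0.0.0:*         users:(("rpc.mountd",pid=2101,fd=7))
tcp   LISTEN 0      64     0.0.0.0:38465       0.0.0.0:*         users:(("rpc.rquotad",pid=2110,fd=5))
tcp   LISTEN 0      5      127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=987,fd=8))
EOF
}

sample_listeners | classify_listeners
```

On a live host, run `ss -tulnp | classify_listeners` as root so that the process column is populated. A port-number match alone does not prove that the expected service owns the socket, so check the process name on "expected" lines as well.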