TruView Firewall ports

From wiki.comcert.com
Latest revision as of 07:03, 19 August 2022

Introduction

A distributed TruView deployment is, in almost all cases, a single TVC (the appliance running the web portal) and one or more data sources (TVF and TVP). Please note that TVP (TruView Packet) is a packet collector and has no web UI. TVF (TruView Flow) has a (deprecated) web UI and can still be used for flow-based network analysis, but customers are recommended to use the TVC for both flow-based and packet-based analysis.

Where firewalls sit between the appliances (or between the appliances and the users, exporters and infrastructure services they talk to), this article lists the ports the firewall policies need to permit.

Please note that all TruView appliances run a host firewall daemon (firewalld on Linux) that restricts access to undocumented ports, so the tables below are also the complete list of ports the appliances themselves accept.

 

Solution

TVC inbound ports

destination port   service   role
tcp/443            https     user portal
tcp/22             ssh       management CLI

TVC outbound ports

destination port   service   role
udp/53             dns       domain name service
tcp/389            ldap      remote authentication (unencrypted LDAP)
tcp/636            ldaps     secure remote authentication (LDAP over TLS)
udp/123            ntp       network time synchronization
tcp/25             smtp      mail relay (external e-mail notification)
udp/161            snmp      polling device health status of exporters

TVF inbound ports

destination port         service   role
tcp/443                  https     user portal (deprecated)
tcp/22                   ssh       management CLI
udp/2055, udp/6343, *    netflow   receiving netflow packets from exporters

(*) The netflow ports that must be permitted depend on your configuration: the listening port settings on the TVF and the export port configured on the exporting device. Permit whatever ports are configured there.

TVF outbound ports

destination port   service   role
udp/53             dns       domain name service
udp/123            ntp       network time synchronization
udp/161            snmp      polling interface utilization of exporters

TVP inbound ports

destination port   service   role
tcp/22             ssh       management CLI

TVP outbound ports

destination port   service   role
udp/53             dns       domain name service
udp/123            ntp       network time synchronization

Distributed TruView internal communication ports

destination port   service   direction (initiator -> responder)
tcp/443            https     TVC -> TVF/TVP
tcp/443            https     TVF/TVP -> TVC