Guardium port requirements

Each Guardium system must have ports available for several types of communication. The following sections list these connections and the default port numbers that are assigned to them. Unless noted otherwise, "TLS" marks the encrypted variant of a port and "both directions" means the firewall must pass the established connection in both directions, not that each side opens a listener.

Open ports

Ports used in/by the Guardium system.

DB Server – Collector

TCP 8443 - open from DB server to collector

TCP 16016 – Unix STAP, both directions, registration, heartbeat, and data (including IBM i S-TAP running in PASE)

TCP 16017 – Windows/Unix CAS, both directions, templates and data

TCP 16018 – Unix STAP (TLS), both directions, registration, heartbeat, and data

TCP 16019 – Windows/Unix CAS (TLS), both directions, templates and data

TCP 16020 – Unix STAP connection pooling (clear), from the STAP agent to the collector

TLS 16021 – Unix STAP connection pooling (encrypted), from the STAP agent to the collector

TCP 8081 – Guardium Installation Manager, both directions, database server to collector/Central Manager

TCP 9500 – Windows STAP, both directions, DB Server to Collector, STAP registration and data

TCP 9501 – Windows STAP (TLS), both directions, DB Server to Collector, STAP registration and data
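Before an S-TAP is deployed it is worth confirming, from the database server itself, that the collector answers on the ports above and that the TLS ports (16018, 16019, 9501) actually speak TLS while the clear ports (16016, 16017, 9500) do not. The following is an added example written for this page, not code from the IBM documentation or the Guardium product. The port-to-role map is a subset of the list above, the host name is whatever you pass on the command line, and the demo() function stands up constructed local listeners so the script can be run offline.

```python
"""Probe collector ports from a database server and tell a plain-TCP listener
apart from a TLS listener. Added example; hosts, roles and local listeners are
assumptions for illustration, not Guardium behaviour."""
import socket
import ssl
import sys
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Collector ports the database server must reach (subset of the list above):
# port -> (role, whether the collector is expected to speak TLS on it)
COLLECTOR_PORTS: Dict[int, Tuple[str, bool]] = {
    16016: ("Unix S-TAP, clear", False),
    16018: ("Unix S-TAP, TLS", True),
    16017: ("CAS, clear", False),
    16019: ("CAS, TLS", True),
    9500: ("Windows S-TAP, clear", False),
    9501: ("Windows S-TAP, TLS", True),
    8443: ("GUI / S-TAP load balancer, HTTPS", True),
}


@dataclass
class ProbeResult:
    port: int
    role: str
    tcp_open: bool
    tls: Optional[bool]       # True: handshake done; False: peer is not TLS; None: not attempted
    verified: Optional[bool]  # set only when ca_file was given and TLS was spoken


def probe(host: str, port: int, role: str, expect_tls: bool,
          timeout: float = 3.0, ca_file: Optional[str] = None) -> ProbeResult:
    """TCP connect; on TLS ports also run a handshake. Without ca_file the
    certificate is not verified (we only ask whether the peer speaks TLS);
    with ca_file the chain and host name must verify against that CA."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return ProbeResult(port, role, False, None, None)
    with sock:
        if not expect_tls:
            return ProbeResult(port, role, True, None, None)
        ctx = ssl.create_default_context()
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)  # CERT_REQUIRED stays on
        else:
            ctx.check_hostname = False  # must be cleared before verify_mode
            ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return ProbeResult(port, role, True, True, True if ca_file else None)
        except ssl.SSLCertVerificationError:
            return ProbeResult(port, role, True, True, False)  # TLS, but untrusted chain
        except OSError:
            return ProbeResult(port, role, True, False, None)  # no TLS at all


def probe_collector(host: str, ca_file: Optional[str] = None) -> List[ProbeResult]:
    return [probe(host, p, role, tls, ca_file=ca_file) for p, (role, tls) in COLLECTOR_PORTS.items()]


def describe(r: ProbeResult) -> str:
    head = f"{r.port:<6}{r.role:<36}"
    if not r.tcp_open:
        return head + "CLOSED or filtered"
    if r.tls is None:
        return head + "open (clear port)"
    if r.tls is False:
        return head + "open but NOT speaking TLS (wrong port or listener misconfigured)"
    if r.verified is False:
        return head + "TLS up, certificate does NOT verify against the supplied CA"
    return head + ("TLS up, certificate verified" if r.verified else "TLS up (not verified)")


def _serve_plain(srv: socket.socket, connections: int) -> None:
    """Constructed stand-in for a clear-text listener: read whatever the client
    sent (a TLS ClientHello, or nothing), answer with a non-TLS banner, close."""
    for _ in range(connections):
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(1.0)
            try:
                conn.recv(4096)
                conn.sendall(b"220 plain banner, not a ServerHello\r\n")
            except OSError:
                pass


def demo() -> Dict[str, ProbeResult]:
    """Offline run: one local plain-TCP port probed as a clear port and as a
    port where TLS is expected, plus one port with nothing listening."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    open_port = srv.getsockname()[1]
    threading.Thread(target=_serve_plain, args=(srv, 2), daemon=True).start()
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here any more
    results = {
        "clear": probe("127.0.0.1", open_port, "clear port (like 16016)", False, timeout=2.0),
        "tls_expected": probe("127.0.0.1", open_port, "TLS port (like 16018)", True, timeout=2.0),
        "closed": probe("127.0.0.1", closed_port, "closed port", False, timeout=2.0),
    }
    srv.close()
    return results


if __name__ == "__main__":
    rows = probe_collector(sys.argv[1]) if len(sys.argv) > 1 else list(demo().values())
    for row in rows:
        print(describe(row))
```

Run it as `python probe_collector.py collector.example.com` from the database server; a port reported as "open but NOT speaking TLS" where the table says TLS usually means the S-TAP is pointed at the clear port, or the collector-side listener was never switched to TLS. Passing a CA file turns the probe into the check that matters for the GIM notes below: a chain that does not verify is exactly the "TLS without verification" condition those notes warn about.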

Collector – Aggregator (Secure Shell – SSH)

TCP 22 – collector to aggregator, SCP data exports, both directions

Central Manager – Managed Devices

TCP 22 – SSH/SCP data transfers, both directions

TCP 8443 – SSL, both directions

TCP 8444 – SSL, STAP to GIM file upload

TCP 3306 – MySQL, opened to specific sources (for instance, the Central Manager is open to all managed units; a managed unit is open to the Central Manager)

TLS 8447 - Used for remote messaging service infrastructure (and profile distribution infrastructure) for communication between Guardium systems in the federated environment / centrally-managed environment. Configuration profiles allow the definition of configuration and scheduling settings from a Central Manager and conveniently distribute those settings to managed unit groups without altering the configuration of the Central Manager itself.

File Activity Monitoring (FAM)

TCP/TLS 16022/16023 - Universal Feed. 16022 (FAM monitoring, unencrypted) and 16023 (FAM monitoring, encrypted) both need to be open bidirectionally. The sniffer needs the block from 16016 to 16023 open bidirectionally.

TCP 18087 - Listener port for FAM on the IBM Content Classification (ICM) server, located on the same machine where FAM is installed (serverSettings.icmURL=http://localhost:18087). Open bidirectionally.

Guardium Installation Manager (GIM)

8445 - GIM client listener, both directions. The GIM client does the listening; any GIM server, on either the Central Manager or the collector, can reach out to it.

8446 - GIM authenticated TLS, both directions, between the GIM client and the GIM server (on the Central Manager or collector). If GIM_USE_SSL is not disabled, the gim_client attempts to present its certificate on port 8446. If port 8446 is not open, it falls back to 8444, but no certificate is passed (TLS without verification). Blocking 8446 therefore silently downgrades GIM from authenticated TLS to unauthenticated TLS; if certificate-based GIM authentication is relied on, 8446 must be open.

8081 - TLS - To use 8081 for the GIM client to connect to the GIM server, the GIM_USE_SSL parameter must be disabled; it is ON by default and is part of the GIM common parameters in the GUI. With GIM_USE_SSL enabled, the 8446/8444 behaviour described above applies.

Enterprise load balancer

TLS 8443 - S-TAP load balancer. Needed for UNIX/Linux S-TAPs to report their instances to the collector; the same port is also used by the Central Manager load balancer. When the installation is configured to use the Enterprise load balancer, the S-TAP initiates an HTTPS request to the Central Manager (load balancer) on 8443. A proxy server can be placed between the database server and the Central Manager if the customer does not want a port open directly from the database server to the Central Manager.

Quick Search for Enterprise

TCP 8983 - SOLR - Incoming, SSL

TCP 9983 - SOLR - Incoming, SSL

User Interface – Guardium System (standalone, aggregator, Central Manager)

TCP 22 – user to system, CLI connectivity, both directions

TCP 8443 – user to system, GUI connectivity (configurable), both directions

System – SMTP server

TCP 25 – system to SMTP server, email alerts

System – SNMP server

UDP 161 - SNMP client to system – SNMP Polling

UDP 162 - system to SNMP server, SNMP traps

System – SYSLOG server

UDP/TCP 514 – remote syslog messages from/to other systems, typically a SIEM. Note: The local port is 514, but the remote port must be entered into the configuration. If encryption is used, the protocol must be TCP, not UDP.

System – NTP server

TCP/UDP 123 – system to Network Time Protocol Server

System – DNS server

TCP/UDP 53 – system to Domain Name Server

System – EMC Centera (backups)

TCP 3218 – system to EMC Centera

System – Tivoli LDAP

TCP 389 – system to/from Tivoli LDAP (LDAP over SSL uses TCP 636; see the table of default ports for other features below)

System – Mainframe

TCP 16022 – connects S-TAP to DB2 z/OS, S-TAP IMS, S-TAP VSAM (S-TAP Data Set)

TCP 16023 - TLS connections, specifically IBM's Application Transparent Transport Layer Security (AT-TLS)

Ports for connections to Windows database servers

Port Protocol Purpose
8075 UDP Windows S-TAP heartbeat signal (two-way traffic). Note: The UNIX S-TAP agent does not use UDP for heartbeat signals, so there is no corresponding UNIX port for this function.
9500 TCP Clear Windows S-TAP
9501 TLS Encrypted Windows S-TAP (optional)
16017 TCP Clear Windows CAS
16019 TLS Encrypted Windows CAS (optional)

Default Ports Used for Guardium Application Access

Port Protocol Purpose
8443 TCP Web browser access (https) to the Guardium user interface. Note: This port can be changed by the Guardium administrator, and is also used to register a managed unit to the Central Manager.
22 TCP SSH access from clients to manage the Guardium appliance
3306 TCP Communication between central manager and managed units

Ports for connections to z/OS database servers

Port Protocol Purpose
16022 TCP Connects to S-TAP for DB2 z/OS, S-TAP for IMS, S-TAP for Data Sets
16023 TCP TLS connections, specifically IBM's Application Transparent Transport Layer Security (AT-TLS)
41500 TCP Default starting port for internal message logging communications – LOG_PORT_SCAN_START
39987 TCP Default agent-specific communications port between the agent and the agent secondary address spaces – ADS_LISTENER_PORT

Default ports used for other features

Port Protocol Purpose
20, 21 TCP FTP Server for backups/archiving (optional)
22 TCP SCP for backups/archiving, patch distributions, and file-transfers
25 TCP SMTP (email server) for alerts and other notification
53 TCP, UDP DNS servers
123 TCP, UDP NTP (Time Server) for time synchronization
161 TCP, UDP SNMP Polling (optional)
162 TCP, UDP SNMP Traps (optional)
389 TCP LDAP, for example, Active Directory or Sun One Directory
514 TCP, UDP Syslog server (optional; TCP is required if encryption is used)
636 TCP LDAP, for example, Active Directory or Sun One Directory over SSL (optional)
1500 TCP Tivoli Storage Manager backup hosts (optional)
3218 TCP, UDP EMC Centera backup hosts (optional)
user-defined TCP Database Server listener ports, for example, 1521 for Oracle or 1433 for MS-SQL, for Guardium datasource access (optional). Use this port for S-TAP verification and Discovery.
16022/16023 TCP/TLS Universal Feed - File Activity Monitoring (FAM)
18087 TCP FAM using IBM Content Classification locally (serverSettings.icmURL=http://localhost:18087)
8445 TCP GIM client listener, both directions. The GIM client does the listening; any GIM server, on either the Central Manager or the collector, can reach out to it.
8446 TLS GIM authenticated TLS, both directions, between the GIM client and the GIM server (on the Central Manager or collector). If GIM_USE_SSL is not disabled, the gim_client attempts to present its certificate on port 8446; if port 8446 is not open, it falls back to 8444, but no certificate is passed (TLS without verification).
8447 TLS Remote messaging service infrastructure (and profile distribution infrastructure) for communication between Guardium systems in a federated or centrally managed environment. Configuration profiles let a Central Manager define configuration and scheduling settings and distribute them to managed unit groups without altering the configuration of the Central Manager itself.
8443 TLS Enterprise load balancer. Needed for UNIX/Linux S-TAPs to report their instances to the collector; also used by the Central Manager load balancer. When the installation is configured to use the Enterprise load balancer, the S-TAP initiates an HTTPS request to the Central Manager on 8443. A proxy server can be placed between the database server and the Central Manager if the customer does not want a port open directly from the database server to the Central Manager.
8081 TLS GIM client to GIM server. To use 8081, the GIM_USE_SSL parameter must be disabled; it is ON by default and is part of the GIM common parameters in the GUI. With GIM_USE_SSL enabled, the gim_client attempts to present its certificate on port 8446 and, if 8446 is not open, falls back to 8444 without passing a certificate (TLS without verification).
8983 TCP SOLR, incoming, SSL (Quick Search for Enterprise)
9983 TCP SOLR, incoming, SSL (Quick Search for Enterprise)