Firewall/VPN Engine Ports

The illustrations below give an overview of the most important default ports used in communications between firewall/VPN engines and the SMC, and between clustered firewall engines. See the table below for a complete list of default ports for the fully-featured firewall/VPN engines.

[Figure: default ports between firewall/VPN engines and the SMC (FIG_Ports_Firewall.png)]
[Figure: default ports between firewall/VPN engines and external services (FIG_FW_Ports_ExternalServices.png)]

The table below lists all default ports StoneGate Firewall/VPN uses internally and with external components. Many of these ports can be changed. The names of the corresponding default Service elements are also included for your reference. The Listening Host is the component that opens the port; the Contacting Host is the one that initiates the connection. When another firewall sits between two components, its rules must allow each connection in the direction it is initiated, not just the port number.

Listening Host | Port/Protocol | Contacting Hosts | Service Description | Service Element Name
---------------|---------------|------------------|---------------------|---------------------
Anti-virus signature server | 80/TCP | Firewall | Anti-virus signature update service. | HTTP
Authentication Server | 8925-8929/TCP | Firewall | User directory and authentication services. | LDAP (TCP), RADIUS (Authentication)
BrightCloud Server | 2316/TCP | Firewall | BrightCloud web filtering update service. | BrightCloud update
DHCP server | 67/UDP | Firewall | Relayed DHCP requests and requests from a firewall that uses a dynamic IP address. | BOOTPS (UDP)
DNS server | 53/UDP, 53/TCP | Firewall | Dynamic DNS updates. | DNS (TCP)
Firewall | 67/UDP | Any | DHCP relay on the firewall engine. | BOOTPS (UDP)
Firewall | 68/UDP | DHCP server | Replies to DHCP requests. | BOOTPC (UDP)
Firewall | 161/UDP | SNMP server | SNMP monitoring. | SNMP (UDP)
Firewall | 500/UDP | VPN clients, VPN gateways | VPN negotiations, VPN traffic. | ISAKMP (UDP)
Firewall | 636/TCP | Management Server | Internal user database replication. | LDAPS (TCP)
Firewall | 2543/TCP | Any | User authentication (Telnet) for Access rules. | SG User Authentication
Firewall | 2746/UDP | StoneGate VPN gateways | UDP-encapsulated VPN traffic. | SG UDP Encapsulation
Firewall | 3000-3001/UDP; 3002-3003/TCP, 3010/TCP | FW/VPN engine | Heartbeat and state synchronization between clustered firewalls. | SG State Sync (Multicast), SG State Sync (Unicast), SG Data Sync
Firewall | 4500/UDP | VPN clients, VPN gateways | VPN traffic using NAT traversal. | NAT-T
Firewall | 4950/TCP | Management Server | Remote upgrade. | SG Remote Upgrade
Firewall | 4987/TCP | Management Server | Management Server commands and policy upload. | SG Commands
Firewall | 8888/TCP | Management Server | Connectivity monitoring; monitoring of blacklists, connections, and status for old engine versions. | SG Monitoring
Firewall | 15000/TCP | Management Server, Analyzer | Blacklist entries. | SG Blacklisting
LDAP server | 389/TCP | Firewall | External LDAP queries, including StartTLS connections. | LDAP (TCP)
Log Server | 3020/TCP | Firewall | Log and alert messages; monitoring of blacklists, connections, status, and statistics. | SG Log
Management Server | 3021/TCP | Firewall | System communications certificate request/renewal (initial contact). | SG Initial Contact
Management Server | 3023/TCP | Firewall | Monitoring (status) connection. | SG Reverse Monitoring
Management Server | 8906/TCP | Firewall | Management connection for Single Firewalls with "node-initiated contact" selected. | SG Dynamic Control
RADIUS server | 1812/UDP, 1645/UDP | Firewall | RADIUS authentication requests. | RADIUS (Authentication), RADIUS (Old)
RPC server | 111/UDP, 111/TCP | Firewall | RPC program number to port resolution (portmapper). | SUNRPC (UDP), Sun RPC (TCP)
Server Pool Monitoring Agents | 7777/UDP | Firewall | Polls to the servers' Server Pool Monitoring Agents for availability and load information. | SG Server Pool Monitoring
SNMP server | 162/UDP | Firewall | SNMP traps from the engine. | SNMP Trap (UDP)
TACACS+ server | 49/TCP | Firewall | TACACS+ authentication requests. | TACACS (TCP)
User Agent | 16661/TCP | Firewall | Queries for matching Users and User Groups with IP addresses. | SG Engine to User Agent
VPN gateways | 500/UDP, 2746/UDP (StoneGate gateways only), or 4500/UDP | Firewall | VPN traffic. Ports 2746 and 4500 may be used depending on encapsulation options. | ISAKMP (UDP)
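The direction of each connection is what matters when an intermediate firewall separates the SMC from the engines: every row must be allowed from the Contacting Host towards the Listening Host. The Python script below is an added example and is not part of the StoneGate product or its documentation. It encodes the management and logging rows of the table above with their Service element names, prints the allow lines needed between two roles, and probes the TCP ports from one side. The role labels, the address mapping passed to `audit()` and the local self-check are illustrative assumptions; UDP ports (state sync, ISAKMP, NAT-T) cannot be verified with a TCP connect and are reported as not probed.

```python
# Added example (not StoneGate code): allow-list and TCP reachability check
# for the SMC <-> engine ports in the table above. Port numbers and Service
# element names come from the table; role labels and addresses are assumed.
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    listener: str      # role that opens the listening port
    contacting: str    # role that initiates the connection
    port: int
    proto: str         # "tcp" or "udp"
    service: str       # default Service element name from the table


# Management and logging rows of the table (defaults; many can be changed).
MANAGEMENT_RULES = (
    PortRule("Firewall", "Management Server", 636, "tcp", "LDAPS (TCP)"),
    PortRule("Firewall", "Management Server", 4950, "tcp", "SG Remote Upgrade"),
    PortRule("Firewall", "Management Server", 4987, "tcp", "SG Commands"),
    PortRule("Firewall", "Management Server", 8888, "tcp", "SG Monitoring"),
    PortRule("Firewall", "Management Server", 15000, "tcp", "SG Blacklisting"),
    PortRule("Log Server", "Firewall", 3020, "tcp", "SG Log"),
    PortRule("Management Server", "Firewall", 3021, "tcp", "SG Initial Contact"),
    PortRule("Management Server", "Firewall", 3023, "tcp", "SG Reverse Monitoring"),
    PortRule("Management Server", "Firewall", 8906, "tcp", "SG Dynamic Control"),
)


def rules_between(role_a, role_b, rules=MANAGEMENT_RULES):
    """Rules an intermediate firewall must allow between two roles, kept in
    the direction the connection is actually initiated."""
    pair = {role_a, role_b}
    return [r for r in rules if {r.listener, r.contacting} == pair]


def allow_lines(role_a, role_b, rules=MANAGEMENT_RULES):
    """'initiator -> listener port/proto (Service element)' lines, suitable
    for a change request on a third-party firewall between the two roles."""
    return [
        f"{r.contacting} -> {r.listener} {r.port}/{r.proto} ({r.service})"
        for r in rules_between(role_a, role_b, rules)
    ]


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within timeout.
    Only meaningful for TCP rows; a UDP port cannot be probed this way."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(address_of, role_initiating, rules=MANAGEMENT_RULES, timeout=2.0):
    """Run from the host holding `role_initiating`. `address_of` maps a role
    name (assumed label) to the address of the host holding that role.
    Returns {service: True | False | None}; None means 'UDP, not probed'."""
    results = {}
    for r in rules:
        if r.contacting != role_initiating or r.listener not in address_of:
            continue
        if r.proto != "tcp":
            results[r.service] = None
            continue
        results[r.service] = tcp_reachable(address_of[r.listener], r.port, timeout)
    return results


def demo_local_probe():
    """Self-check without a network: probe a live local listener, then the
    same port after the listener has been closed."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        live = tcp_reachable("127.0.0.1", port, timeout=1.0)
    closed = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return live, closed


if __name__ == "__main__":
    for line in allow_lines("Management Server", "Firewall"):
        print(line)
    print(demo_local_probe())
```

Run `audit({"Firewall": "<engine address>"}, "Management Server")` on the Management Server to check the rows it initiates, and `audit({"Management Server": ..., "Log Server": ...}, "Firewall")` on the engine for the reverse rows; a False result on SG Initial Contact (3021/TCP) or SG Log (3020/TCP), for example, points at a filter between the components rather than at the engine itself. Any port changed in the SMC must be mirrored in MANAGEMENT_RULES, and a successful TCP connect only proves the path is open, not that the peer presents the expected certificate.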