Forcepoint NGFW Engine ports
The most important default ports used in communications to and from NGFW Engines and Master NGFW Engines are presented in the following illustrations.
See the table for a complete list of default ports for the engines.
Note: Master NGFW Engines use the same default ports as clustered NGFW Engines. Virtual NGFW Engines do not communicate directly with other system components.
This table lists the default ports for NGFW Engines and Master NGFW Engines. Many of these ports can be changed. The names of corresponding default Service elements are also included for your reference.
Listening host | Port/protocol | Contacting hosts | Service description | Service element name |
---|---|---|---|---|
Certificate Revocation List (CRL) server | 80/TCP | Firewall | Online certificate status protocol (OCSP) queries and fetching CRLs. | HTTP |
DHCP server | 67/UDP | Firewall | Relayed DHCP requests and requests from a firewall that uses dynamic IP address. | BOOTPS (UDP) |
DHCPv6 server | 547/UDP | Firewall | Requests from a firewall that uses dynamic IPv6 address. | N/A |
External DNS server | 53/UDP, 53/TCP | Firewall, Master NGFW Engine | DNS resolution and dynamic DNS updates. | DNS (TCP), DNS (UDP) |
File reputation server | 443/TCP | Firewall, Layer 2 Firewall, IPS, Master NGFW Engine | GTI File Reputation Server | HTTPS |
Firewall | 67/UDP | Any | DHCP relay on firewall engine. | BOOTPS (UDP) |
Firewall | 68/UDP | DHCP server | Replies to DHCP requests. | BOOTPC (UDP) |
Firewall | 80/TCP | Clients that need to authenticate to the Firewall | Browser Based User Authentication | HTTP |
Firewall | 443/TCP | Clients that need to authenticate to the Firewall | Browser Based User Authentication | HTTPS |
Firewall | 443/TCP | VPN clients using SSL tunneling | VPN client SSL tunneling | TLS |
Firewall | 443/TCP | SSL Portal users | SSL VPN Portal | HTTPS |
Firewall | 546/UDP | DHCPv6 server | Replies to DHCPv6 requests. | N/A |
Firewall, Master NGFW Engine | 53/UDP, 53/TCP | Clients in the internal network | DNS relay | DNS (TCP), DNS (UDP) |
Firewall, Master NGFW Engine | 500/UDP | VPN clients, VPN gateways | VPN negotiations, VPN traffic. | ISAKMP (UDP) |
Firewall, Master NGFW Engine | 636/TCP | Management Server | Internal user database replication. | LDAPS (TCP) |
Firewall, Master NGFW Engine | 4500/UDP | VPN client, VPN gateways | VPN traffic using NAT-traversal. | NAT-T |
Firewall Cluster Node, Master NGFW Engine cluster node | 3000-3001/UDP, 3002–3003, 3010/TCP | Firewall Cluster Node, Master NGFW Engine cluster node | Heartbeat and state synchronization between clustered Firewalls. | SG State Sync (Multicast), SG State Sync (Unicast), SG Data Sync |
Firewall, Layer 2 Firewall, IPS, Master NGFW Engine | 22/TCP | Terminal clients | SSH connections to the engine command line. Note: Do not use SSH in FIPS mode.
|
SSH |
Firewall, Layer 2 Firewall, IPS, Master NGFW Engine | 4950/TCP | Management Server | Remote upgrade. | SG Remote Upgrade |
Firewall, Layer 2 Firewall, IPS, Master NGFW Engine | 4987/TCP | Management Server | Management Server commands and policy upload. | SG Commands |
Firewall, Layer 2 Firewall, IPS, Master NGFW Engine | 15000/TCP | Management Server, Log Server | Blacklist entries. | SG Blacklisting |
Firewall, Layer 2 Firewall, IPS, Master NGFW Engine | 161/UDP | SNMP server | SNMP monitoring. | SNMP (UDP) |
Firewall, Layer 2 Firewall, IPS | 9111/TCP | Forcepoint Endpoint Context Agent (ECA) client | Endpoint information from the ECA client. | N/A |
Forcepoint User ID Service server | 5000/TCP | Firewall, Layer 2 Firewall, IPS | Information about user name and IP address mappings. | N/A |
IPS Cluster Node | 3000-3001/UDP, 3002–3003, 3010/TCP | IPS Cluster Node | Heartbeat and state synchronization between clustered IPS engines. | SG State Sync (Multicast), SG State Sync (Unicast), SG Data Sync |
LDAP server | 389/TCP | Firewall, Master NGFW Engine | External LDAP queries, including StartTLS connections. | LDAP (TCP) |
Layer 2 Firewall Cluster Node | 3000-3001/UDP, 3002–3003, 3010/TCP | Layer 2 Firewall Cluster Node | Heartbeat and state synchronization between clustered Layer 2 Firewalls. | SG State Sync (Multicast), SG State Sync (Unicast), SG Data Sync |
Log Server | 3020/TCP | Firewall, Layer 2 Firewall, IPS, Master NGFW Engine | Log and alert messages; monitoring of blacklists, connections, status, and statistics. | SG Log |
Malware signature server | 80/TCP | Firewall, Layer 2 Firewall, IPS, Master NGFW Engine | Malware signature update service. | HTTP |
Management Server | 3021/TCP | Firewall, Layer 2 Firewall, IPS, Master NGFW Engine | System communications certificate request/renewal (initial contact). | SG Initial Contact |
Management Server | 8906/TCP | Firewall, Layer 2 Firewall, IPS | Management connection for engines with "Node-Initiated Contact to Management Server" selected. | SG Dynamic Control |
RADIUS server | 1812, 1645/UDP | Firewall, Master NGFW Engine | RADIUS authentication requests. | RADIUS (Authentication), RADIUS (Old) |
RPC server | 111/UDP, 111/TCP | Firewall, Master NGFW Engine | RPC number resolve. | SUNRPC (UDP), Sun RPC (TCP) |
Server Pool Monitoring Agents | 7777/UDP | Firewall, Master NGFW Engine | Polls to the servers' Server Pool Monitoring Agents for availability and load information. | SG Server Pool Monitoring |
SNMP server | 162/UDP | Firewall, Layer 2 Firewall, IPS, Master NGFW Engine | SNMP traps from the engine. | SNMP Trap (UDP) |
TACACS+ server | 49/TCP | Firewall, Master NGFW Engine | TACACS+ authentication requests. | TACACS (TCP) |
ThreatSeeker Intelligence Cloud server | 443/TCP | Firewall, Layer 2 Firewall, IPS, Master NGFW Engine | ThreatSeeker Intelligence Cloud URL categorization service. | HTTPS |
VPN gateways | 500, 4500/UDP | Firewall, Master NGFW Engine | VPN traffic. Ports 443/TCP (or custom port) can also be used, depending on encapsulation options. | ISAKMP (UDP) |