Whether for administrative access or to accept incoming data to be scanned, this table details the connection points that are open on Content Analysis.
| Service | Port | Protocol | Configurable? | Source | Description |
|---|---|---|---|---|---|
| ICAP | 1344 | TCP | Yes | ProxySG | Accept unencrypted Internet Content Adaptation Protocol (ICAP) traffic. |
| Secure ICAP | 11344 | TCP | Yes | ProxySG | Accept secured ICAP traffic. |
| HTTP | 8081 | TCP | Yes | user's client | Manage and configure Content Analysis with a web browser. Disabled by default. |
| HTTPS | 8082 | TCP | Yes | user's client | Secure Content Analysis management and integration with other services |
| SSH | 22 | TCP | No | user's client | Securely manage and configure Content Analysis with a command line interface. |
| SNMP | 161 | UDP | No | SNMP analysis tools | Listen for queries from remote SNMP analysis tools (if SNMP is enabled). |
| RDP | 3389 | TCP | No | user's client | Remote desktop connection during IVM customization. The user may open these ports while IVMs are in customization mode using `ma-settings IVM customize`. |
| SMB | 139, 445 | TCP | No | user's client | Windows file sharing during IVM customization. The user may open these ports while IVMs are in customization mode using `ma-settings IVM customize`. |
| VNC | 5900 | TCP | No | user's client | Virtual Network Computing (VNC) access during IVM customization. The user may open this port while IVMs are in customization mode by enabling VNC with `ma-settings IVM customize servicesVNC enable`. |
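
The following added example, which is not part of the original documentation, checks nmap-style scan output against the inbound table above and reports listeners that the table says are normally closed (HTTP management, SNMP when not enabled, and RDP/SMB/VNC outside IVM customization) or that are not documented at all. The function names, condition labels and sample scan are constructed for illustration.

```python
import re

# (port, proto) -> (service, condition the page attaches to it). Default ports;
# ICAP, Secure ICAP, HTTP and HTTPS are configurable, so edit to match yours.
DOCUMENTED = {
    (1344, "tcp"): ("ICAP", "listed"), (11344, "tcp"): ("Secure ICAP", "listed"),
    (8081, "tcp"): ("HTTP", "default-off"), (8082, "tcp"): ("HTTPS", "listed"),
    (22, "tcp"): ("SSH", "listed"), (161, "udp"): ("SNMP", "snmp"),
    (3389, "tcp"): ("RDP", "ivm"), (5900, "tcp"): ("VNC", "ivm"),
    (139, "tcp"): ("SMB", "ivm"), (445, "tcp"): ("SMB", "ivm"),
}
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")


def open_ports(scan_text):
    """Return the set of (port, proto) shown as open in nmap-style port lines."""
    hits = (PORT_LINE.match(line.strip()) for line in scan_text.splitlines())
    return {(int(m[1]), m[2]) for m in hits if m and m[3] == "open"}


def audit(scan_text, ivm_customizing=False, snmp_enabled=False):
    """Return sorted (port, proto, finding) tuples for listeners needing review."""
    findings = []
    for key in open_ports(scan_text):
        service, cond = DOCUMENTED.get(key, (None, None))
        if service is None:
            findings.append((*key, "not in the documented inbound table"))
        elif cond == "default-off":
            findings.append((*key, f"{service} management is disabled by default"))
        elif cond == "ivm" and not ivm_customizing:
            findings.append((*key, f"{service} open outside IVM customization"))
        elif cond == "snmp" and not snmp_enabled:
            findings.append((*key, f"{service} answering but SNMP not enabled"))
    return sorted(findings)


# Constructed sample scan of the appliance's management interface.
SAMPLE_SCAN = """\
PORT      STATE    SERVICE
22/tcp    open     ssh
1344/tcp  open     icap
3389/tcp  filtered ms-wbt-server
5900/tcp  open     vnc
8081/tcp  open     unknown
8082/tcp  open     unknown
8443/tcp  open     unknown
"""

if __name__ == "__main__":
    for port, proto, finding in audit(SAMPLE_SCAN):
        print(f"{port}/{proto}: {finding}")
```

Pass `ivm_customizing=True` or `snmp_enabled=True` when those states are intentional, so the corresponding listeners are not reported.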
Content Analysis connects to the services listed below. Note that many of these services are optional, and the ports don't need to be open on the firewall unless they are being used.
| Service | Port | Protocol | Configurable? | Destination | Function |
|---|---|---|---|---|---|
| CounterTack Sentinel Endpoint Security | 9090 | TCP | No | CounterTack Sentinel server | Track scanning activity to be used for incident response, to determine if any clients in the network have been infected by malware. |
| Symantec Reporter | 21, 22 | TCP | Yes | FTP server, FTPS server | Upload sandboxing logs to a Symantec Reporter server. |
| DNS | 53 | TCP/UDP | No | DNS server | Perform domain name resolution for URLs in data sent to Content Analysis for scanning, and resolving Internet addresses the appliance connects to. |
| HTTPS | 443 | TCP | No | Depends on the service | Provides access to various HTTPS services. See the full list in the "Required URLs" section below. |
| LDAP | 389, 3268, 3269 | TCP, TCP/UDP, TCP/UDP | Yes | LDAP server | Communicate with LDAP servers to authenticate Content Analysis administrators. |
| LDAPS | 636 | TCP | Yes | LDAP server | Communicate with LDAPS servers to securely authenticate Content Analysis administrators. |
| RADIUS | 1812, 1813 | TCP/UDP | Yes | RADIUS server | Communicate with RADIUS servers to authenticate Content Analysis administrators |
| Sandboxing – Symantec Malware Analysis | 443 (for standalone MA), 8082 (default port for external CA w/ on-box sandboxing) | HTTPS | Yes | External Malware Analysis sandbox | Transmit data for sandbox analysis to either a standalone Symantec Malware Analysis appliance or another Content Analysis appliance dedicated to on-box sandboxing. |
| Sandboxing – FireEye NX | None - physical access to an interface on the appliance. | N/A | N/A | N/A | Transmit data to a FireEye sandbox appliance for data analysis. |
| Sandboxing – FireEye AX | 22 | SSH | No | FireEye AX appliance | Transmit data to a FireEye sandbox appliance for data analysis. |
| SMTP | 25 | TCP | Yes | Mail gateway | Send alerts via email. |
| SNMP | 162 | UDP | No | Trap receiver | Send SNMP traps. |
| Symantec Endpoint Protection Manager | 8446 | TCP | No | SEPM server | Add malicious files to the Symantec Endpoint Protection Manager blacklist. |
| Splunk Phantom | 443 | TCP | No | Splunk Phantom server | Send data for orchestration to a Splunk Phantom server |
| syslog | 514, 6514 | UDP | Yes | syslog server | Report appliance health and statistical data to a syslog server on the internal network. Symantec recommends using secure syslog connections on port 6514 wherever possible. |
Under normal operation, Content Analysis requires access to several cloud-based resources. Ensure connectivity from Content Analysis to the following URLs.
| Service | URL | Protocol | Port | Function |
|---|---|---|---|---|
| Content Analysis Documentation | support.symantec.com | HTTPS | 443 | Links to Content Analysis documentation within the Help Files. |
| Firmware Update | | | | Notifications of firmware updates. |
| Symantec AV Heartbeat | shasta-clt-symantec.com | HTTPS | 443 | A heartbeat to check the status of antivirus engines. |
| Symantec Certificate Authority | abrca.bluecoat.com | HTTP | 80 | A Blue Coat/Symantec service that responds to CSR requests by returning a signed certificate in response. This is used when renewing or initially requesting a certificate. |
| ClamAV® | *.clamav.net | TCP | 80 | Requires only HTTP access to update the signature database. The analysis is performed locally on the appliance. |
| Symantec Cloud Sandboxing | api.us.dmas.symantec.com, api.eu.dmas.symantec.com | HTTPS | 443 | Sends files to Symantec's cloud-based service for malware scanning. |
| Symantec Diagnostics Server | remote-support.bluecoat.com | HTTPS | 8888 | A backend Blue Coat/Symantec service is used for "remote debugging". This allows Symantec personnel to log in to customer appliances and debug an issue by opening a shell on the box. |
| Symantec File Insight | ent-shasta-rrs.symantec.com | HTTPS | 443 | Symantec File Insight is the file-reputation component of Symantec Endpoint Protection. |
| Symantec GIN File Reputation Service | frs.es.bluecoat.com | HTTPS | 443 | This URL is used to perform file reputation (whitelisting) hash lookups, and when malware is discovered, report the source and file hash to Symantec Global Intelligence Network, provided the option is enabled in Settings > GIN. |
| Symantec GIN Web Reputation Service | sp.cwfservice.net | HTTPS | 443 | This URL is used to perform website reputation services. |
| Symantec GIN (for MA) | contentanalysis-ma.es.bluecoat.com | HTTPS | 443 | When malware is discovered by a Malware Analysis appliance, Content Analysis contacts this URL to report it. |
| Symantec Heartbeat Server | subscription.es.bluecoat.com/heartbeat/post | HTTPS | 443 | Content Analysis emits a heartbeat to the Blue Coat/Symantec heartbeat server on the following occasions: appliance bootup, daily, and after a system failure. Using the information contained in the heartbeat messages, Symantec is able to provide better, faster support to its users. |
| Symantec Live Updates | liveupdate.symantec.com | HTTP | 80 | AV pattern updates; Symantec Advanced Machine Learning (AML) |
| Symantec Network Protection (Blue Coat) Licensing | subscription.es.bluecoat.com | HTTPS | 443 | Manage the subscription-based services (antivirus, file reputation, sandboxing) associated with your Content Analysis serial number. |
| Symantec Network Protection (Blue Coat) Licensing | device-services.es.bluecoat.com | HTTPS | 443 | URLs used by the appliance to manage the appliance license (applicable to licenses without birth certificates) |
| Symantec Network Protection (Blue Coat) Licensing | bto-services.es.bluecoat.com | HTTPS | 443 | URL for managing the virtual appliance license, and performing software image update checks for all versions of Content Analysis (applicable to licenses with birth certificates). |
| Symantec Malware Analysis | maa-updates.es.bluecoat.com | HTTPS | 443 | Malware Analysis telemetry |
| Symantec "Phone Home" Server | validation.es.bluecoat.com | HTTPS | 443 | A backend Symantec service that validates VM installations by ensuring that the same serial number is not used on multiple machines. |
| Symantec Support | upload.bluecoat.com, mftbc.symantec.com | HTTPS | 443 | A web form for submitting files to Symantec Support. |
| Symantec Telemetry | stnd-ipsg.crsi.symantec.com | HTTPS | 443 | System Telemetry — Anonymous Usage Data |
| Microsoft Windows activation and validation | activation-v2.sls.microsoft.com | HTTPS | 443 | Activate Windows in an IVM; required for Windows 10 version 1909 and later. |
| Microsoft Windows activation and validation | wpa.one.microsoft.com | HTTPS | 443 | Activate Windows in an IVM. |
| NTP | ntp.bluecoat.com, ntp2.bluecoat.com (Content Analysis can also accept configuration of other NTP servers) | UDP | 123 | Synchronize the appliance clock with a verified time reference server. |
| On-box Sandboxing | cas-base-images.osl.bluecoat.com, *.cloudfront.net | HTTPS | 443 | IVM base image download. The first address resolves to several servers in the *.cloudfront.net domain. |
| Sandboxing - Lastline | lastline.<mycompany.com> (replace <mycompany.com> for your specific Lastline cloud-based sandboxing URL) | HTTPS | 443 | Used to transmit data to a cloud-based Lastline sandbox service for data analysis. |
| Trust Package Updates | appliance.bluecoat.com | HTTP | 80 | Download trust packages (CA certificate update packages) from Symantec. |
| VirusTotal lookups | virustotal.com/vtapi/v2/file/report | HTTPS | 443 | Sends files and URLs to the VirusTotal service for malware scanning. Only required when a VirusTotal API key is configured. |
For an index of ports and protocols articles, refer to the following article: Required ports, protocols, and services for Broadcom appliances.
For details about earlier versions and legacy products, see the PDF document Required Ports, Protocols, and Services for Symantec Enterprise Security Products.