How to protect access to the Solr service via web interface (port 8080/tcp) used by EDR?
1) The Nginx proxy does not forward any administrative or direct requests to Solr from outside.
2) Sensors only communicate with EDR servers using the Nginx service on port 443/tcp.
3) An EDR cluster requires the Primary and Minion servers to use the Solr service on port 8080/tcp for inter-cluster communication. By default, firewalld/iptables rules are automatically added to limit this communication to only the IP addresses of the Primary and the Minions.
To check that the firewall is enabled and running, run:
systemctl status firewalld
ps -ef | grep firewalld
To confirm the firewall rules are properly set for EDR operations, list the firewall rules (-l) and apply (-a) all EDR-required firewall rules:
sudo /usr/share/cb/cbcheck firewall -l
sudo /usr/share/cb/cbcheck firewall -a
It is good to check SELinux at the same time:
sudo /usr/share/cb/cbcheck selinux -m
sudo /usr/share/cb/cbcheck selinux -a
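The cbcheck output above tells you whether the EDR-managed rules are present, but it is also worth independently confirming that no other rule on the host opens port 8080/tcp beyond the Primary and Minion addresses. The script below is an added example, not part of this article or of the cbcheck tool: it audits rules in `iptables -S` format and flags any ACCEPT rule for the Solr port whose source is missing, is `0.0.0.0/0`, or is not in a caller-supplied list of cluster member IPs. The rule set and IP addresses embedded in it are constructed for demonstration.

```bash
#!/bin/bash
# Added example (not from the KB article or the cbcheck tool): audit the host
# firewall for rules that open Solr's port 8080/tcp to anything other than the
# expected cluster members (Primary and Minions).
#
# Assumptions: rules are in `iptables -S` format, the cluster member IPs are
# passed by the caller, and SAMPLE_RULES below is constructed, not captured
# from a real EDR host.

# Constructed sample of `iptables -S INPUT` output: two cluster members are
# allowed on 8080, plus one over-broad rule that the audit should flag.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.11/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 10.0.0.12/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 8080 -j ACCEPT'

# audit_solr_rules RULES PORT ALLOWED_IP...
# Prints every ACCEPT rule for PORT whose source is absent, any-address, or
# not in the allow-list. Returns 0 if nothing was flagged, 1 otherwise.
audit_solr_rules() {
    local rules="$1" port="$2"
    shift 2
    local allowed=" $* "   # space-delimited so " $src " matches whole IPs only
    local bad=0
    local line src
    while IFS= read -r line; do
        # Only ACCEPT rules that match the Solr port are of interest.
        case "$line" in
            *"--dport $port "*" -j ACCEPT"*|*"--dport $port -j ACCEPT"*) ;;
            *) continue ;;
        esac
        # Extract the -s <source> argument; a rule with no -s matches any source.
        src=$(printf '%s\n' "$line" | sed -n 's/.* -s \([^ ]*\).*/\1/p')
        src=${src%/32}
        if [ -z "$src" ] || [ "$src" = "0.0.0.0/0" ]; then
            echo "OPEN TO ANY SOURCE: $line"
            bad=1
        elif [ "${allowed#* $src }" = "$allowed" ]; then
            echo "UNEXPECTED SOURCE $src: $line"
            bad=1
        fi
    done <<EOF
$rules
EOF
    return $bad
}

# count_flagged RULES PORT ALLOWED_IP...
# Number of flagged rules, convenient for scripting around audit_solr_rules.
count_flagged() {
    audit_solr_rules "$@" | wc -l | tr -d ' '
}

# Example run against the constructed sample. On a real EDR host you would
# pass "$(sudo iptables -S INPUT)" and the actual Primary/Minion addresses.
audit_solr_rules "$SAMPLE_RULES" 8080 10.0.0.11 10.0.0.12 \
    || echo "Solr port 8080 is reachable from outside the cluster members"
```

Run this after `cbcheck firewall -a` as a second opinion; a clean result is silence and exit status 0, and any printed line is a rule to investigate and remove.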