Add App, Port, Protocol to NTA "Uncommon Port" Detector Allow List
Article ID: 429555

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

The Uncommon Port detector raises NTA events when communication for a known app and protocol takes place over an unusual or unexpected port. In some environments, benign traffic legitimately uses non-standard ports, which causes the detector to raise false-positive events.

Environment

SSP 5.1.1 and earlier

Cause

The Uncommon Port detector raises events for ports that are in fact expected or benign in the environment. Expanding the event row shows which port was detected and which ports are expected for that app and protocol. For example:

If the discovered port is one that is expected for the given app and protocol in your environment, proceed with the steps in the Resolution section below.

Examples of expected ports and protocols can be found at:

https://ports.broadcom.com/home

https://techdocs.broadcom.com/us/en/vmware-tanzu/standalone-components/tanzu-kubernetes-grid-integrated-edition/1-20/tkgi/ports-protocols-wo-nsx-t.html

https://knowledge.broadcom.com/external/article/313919/tcp-and-udp-ports-required-to-accessvmwa.html

Resolution

If the App, Port, Protocol combination is expected for only a few workloads in the environment, consider adding those VMs or Groups to the exclusion list of the Uncommon Port detector. For details on how to add compute objects (VMs or Groups) to the exclusion list, see the public documentation: https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/vdefend/security-services-platform/5-1/detecting-suspicious-network-traffic/managing-the-nsx-suspicious-traffic-detector-definitions.html#GUID-C5FEFCD5-7AB5-4CC9-BC5D-02238A755EAC-en

Additionally, L7 DFW rules can be added for these services, and the option to not raise events for flows that already match a rule can be selected on the detector configuration page.

Instructions for adding the L7 DFW rule can be found here: https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-0/administration-guide/security/layer-7-context-profile/layer-7-firewall-rule-workflow.html

Instructions for modifying the detector configuration can be found here: https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/vdefend/vdefend-atp/4-2/detecting-suspicious-network-traffic/managing-the-nsx-suspicious-traffic-detector-definitions.html#GUID-C5FEFCD5-7AB5-4CC9-BC5D-02238A755EAC-en

When modifying the settings, select the radio button that raises events only for flows lacking a corresponding rule:

If the SSP version is 5.1.0 or later and the App, Port, Protocol combination is expected for all workloads in your environment, entries can be added manually to the configuration that defines which App, Port, Protocol combinations are considered standard. This prevents events from being raised for those combinations in future without adding exclusions for every offending VM or disabling the detector.
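The three options above (exclusion list, L7 rule plus the "flows lacking rules" setting, and standard App/Port/Protocol entries for SSP 5.1.0 and later) interact, and which one fits depends on how many workloads an event group touches. The following is an added triage model, not the product's own data model or API: field names, the 10% cut-off for "only a few workloads", and the assumption that an excluded VM suppresses events whether it is the source or the destination are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One Uncommon Port event, as read from an expanded event row (constructed fields)."""
    src_vm: str
    dst_vm: str
    app: str
    protocol: str
    port: int
    has_l7_rule: bool = False  # an L7 DFW rule already matches this flow

@dataclass
class DetectorConfig:
    excluded_vms: frozenset = frozenset()   # exclusion list of VMs/groups
    standard_ports: dict = None             # (app, protocol) -> ports marked standard (SSP >= 5.1.0)
    only_flows_without_rules: bool = False  # radio button in the detector settings

def suppression_reason(ev, cfg):
    """Return why the event is not raised under cfg, or None if it still is."""
    if ev.port in (cfg.standard_ports or {}).get((ev.app, ev.protocol), set()):
        return "standard-port"
    # Assumption: an excluded VM suppresses events whether it is source or destination.
    if {ev.src_vm, ev.dst_vm} & cfg.excluded_vms:
        return "excluded-vm"
    if cfg.only_flows_without_rules and ev.has_l7_rule:
        return "covered-by-l7-rule"
    return None

def recommend(events, total_workloads, ssp_version=(5, 1, 1), few_share=0.1):
    """Group events by (app, protocol, port) and map each group to the option this article suggests.

    few_share (10% of workloads) is an assumed cut-off for 'only a few workloads'.
    """
    touched = defaultdict(set)
    for ev in events:
        touched[(ev.app, ev.protocol, ev.port)].update({ev.src_vm, ev.dst_vm})
    plan = {}
    for key, vms in touched.items():
        if len(vms) / total_workloads <= few_share:
            plan[key] = "exclusion list"
        elif ssp_version >= (5, 1, 0):
            plan[key] = "standard App/Port/Protocol entry"
        else:
            plan[key] = "L7 DFW rule + raise only for flows lacking rules"
    return plan
```

Running `recommend` over an exported batch of events shows at a glance which groups are confined to a handful of VMs (exclusion list) and which are environment-wide (standard entry, or an L7 rule on older SSP versions).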