
Firewall requirements for Vectra appliances

Vectra appliances use several TCP and UDP ports for different purposes. This document describes each flow so that firewall administrators can permit the required traffic in their infrastructure.

Important notes

Firewall/proxy SSL inspection

Please note that Vectra appliances validate the server certificate on every HTTPS connection they make. A firewall or proxy that performs SSL/TLS inspection terminates the connection and re-signs the server certificate with its own CA, which the appliance does not trust, so the connection fails. SSL/TLS inspection must therefore be disabled (or bypassed) for the appliance connections listed below.

We have also identified that some firewall software enables SSL inspection transparently when certain filters (for example DNS hostname filtering) are turned on. This is not necessarily obvious to the administrator and should be checked whenever connectivity issues are observed.
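The failure described above can be reproduced from an administrator workstation before opening a support case. The script below is an added example, not Vectra's own tooling. It assumes the appliance validates certificates the way Python's default TLS context does (chain checked against the trust store, hostname verified), connects to a destination under those rules, reports the issuer on success and, on failure, maps the OpenSSL verify code to a likely cause. The default host list and the `internal_ca_orgs` parameter (organization names you know belong to your inspection CA) are assumptions for illustration.

```python
"""Probe an HTTPS destination the way a certificate-validating client does.

Added example for this article, not Vectra's own tooling. Assumes the
appliance validates like Python's default TLS context: chain checked against
the trust store, hostname verified. Run from a host that shares the brain's
path through the firewall/proxy.
"""
import socket
import ssl
import sys

# OpenSSL verify codes that usually mean an inspecting device replaced the
# server certificate with one signed by its own CA.
INTERCEPTION_CODES = {
    18: "self-signed certificate presented directly",
    19: "self-signed certificate in chain (typical of an inspection CA)",
    20: "issuer certificate not in the local trust store",
}


def rdn_to_dict(rdn) -> dict:
    """Flatten the nested name tuples from SSLSocket.getpeercert()
    (((key, value),), ...) into a plain {key: value} dict."""
    return {key: value for part in rdn for key, value in part}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with strict validation and report the outcome."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "host": host,
                    "validated": True,
                    "issuer": rdn_to_dict(cert["issuer"]),
                    "subject": rdn_to_dict(cert["subject"]),
                    "tls_version": tls.version(),
                }
    except ssl.SSLCertVerificationError as exc:
        return {
            "host": host,
            "validated": False,
            "verify_code": exc.verify_code,
            "verify_message": exc.verify_message,
        }


def diagnose(result: dict, internal_ca_orgs=()) -> str:
    """One-line verdict. `internal_ca_orgs` (assumed input) lists the
    organizationName values of CAs you know to be inspection CAs."""
    host = result["host"]
    if result["validated"]:
        org = result["issuer"].get("organizationName", "?")
        if org in internal_ca_orgs:
            return (f"WARN: {host} validated only because this host trusts the "
                    f"inspection CA {org!r}; the appliance does not and will fail")
        return f"ok: {host} validated, leaf issued by {org!r}"
    code = result["verify_code"]
    if code in INTERCEPTION_CODES:
        return (f"FAIL: {host} did not validate ({INTERCEPTION_CODES[code]}); "
                "SSL/TLS inspection is probably enabled on this path")
    return f"FAIL: {host} did not validate: {result['verify_message']}"


if __name__ == "__main__":
    hosts = sys.argv[1:] or ["update2.vectranetworks.com", "api.vectranetworks.com"]
    for h in hosts:
        print(diagnose(probe(h)))
```

Run it from a host that shares the brain's path through the firewall or proxy. A workstation that already carries the corporate inspection CA in its own trust store will validate successfully where the appliance will not, which is why the script lets you name that CA and warns when it is the issuer.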

Internet access from Cognito Detect brain

The Cognito Detect brain requires connectivity to the automatic update service for normal operation. This connectivity is used for automatic updates (including security updates) and to synchronize the keys used for cryptographic authentication of sensors.

The brain requires Internet DNS resolution to obtain the IP addresses for these requests. The customer may use public Internet DNS servers or internal DNS servers, but either way the brain must be able to resolve public Internet names. DNS is often treated as a UDP-only protocol; however, when a response does not fit in a UDP datagram the server sets the TC (truncated) bit and the client retries the same query over TCP, and some transaction types use TCP directly. Both UDP/53 and TCP/53 should therefore be permitted to every configured DNS server.
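To confirm that both transports actually reach a configured resolver, the following script is an added example (not Vectra's own tooling). It builds a DNS query by hand with the standard library, sends it over UDP and then over TCP with the 2-byte length prefix that TCP DNS requires, decodes the response header including the TC bit, and reports which transport failed. The query name defaults to update2.vectranetworks.com; the resolver address is whatever you pass on the command line.

```python
"""Check that a resolver answers over both UDP/53 and TCP/53.

Added example for this article, not Vectra's own tooling. It builds a DNS
query with the standard library only, so the packet builder and parser run
offline; the network probes only run from the command line, against the
resolver address you pass in.
"""
import socket
import struct
import sys

TXID = 0x1234  # fixed transaction id; fine for a one-shot diagnostic


def build_query(name: str, qtype: int = 1) -> bytes:
    """Standard recursive query (RD=1, one question, class IN; qtype 1 = A)."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header. `truncated` is the TC bit: the server is
    saying the answer did not fit in UDP and the client must retry over TCP."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != TXID:
        raise ValueError("transaction id mismatch")
    return {
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "rcode": flags & 0x000F,  # 0 = NOERROR, 3 = NXDOMAIN
        "answers": an,
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TCP connection mid-message")
        buf += chunk
    return buf


def query_udp(server: str, name: str, timeout: float = 3.0) -> dict:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_header(data)


def query_tcp(server: str, name: str, timeout: float = 3.0) -> dict:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_header(data)


def check_resolver(server: str, name: str = "update2.vectranetworks.com") -> dict:
    """Ask the same question over both transports; errors are captured, not raised."""
    results = {}
    for proto, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[proto] = fn(server, name)
        except (OSError, ValueError) as exc:  # timeout, refused, reset, bad reply
            results[proto] = {"error": repr(exc)}
    return results


def diagnose(results: dict) -> str:
    udp_ok = "error" not in results["udp"]
    tcp_ok = "error" not in results["tcp"]
    if udp_ok and tcp_ok:
        return "ok: resolver reachable on UDP/53 and TCP/53"
    if udp_ok:
        return "TCP/53 blocked (or resolver not listening on TCP): truncated answers will fail"
    if tcp_ok:
        return "UDP/53 blocked: ordinary lookups will fail"
    return "no DNS reachability on UDP/53 or TCP/53"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: dnscheck.py <resolver-ip> [name]")
    print(diagnose(check_resolver(*sys.argv[1:3])))
```

A resolver that answers over UDP but times out or is refused over TCP is the classic signature of a firewall rule written for UDP/53 only; it will look healthy until the brain receives a truncated answer and retries over TCP.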

Internet access to Cognito appliances

As with all security infrastructure, Cognito appliances should not be reachable from the Internet. Inbound administrative access (SSH and HTTPS) should be granted only from trusted administrator workstations and/or authenticated sources.

Required connectivity

Source | Destination | Protocol/Port | Comments
Administrator workstations | Brain, Sensors | TCP/22 (SSH) | Command-line management of the brain and sensor appliances.
Administrator workstations | Brain | TCP/443 (HTTPS) | Web management of brain appliances.
Brain, Stream | update2.vectranetworks.com (54.200.156.238) | TCP/443 (HTTPS) | Automatic updates. Pairing keys for physical sensors. See note above regarding SSL inspection.
Brain | api.vectranetworks.com (54.200.5.9) | TCP/443 (HTTPS) | Health monitoring, algorithm support, reverse lookups for external IPs, Vectra Threat Intelligence, additional detection content. See note above regarding SSL inspection.
Brain | DNS servers (as configured) | TCP/53, UDP/53 | Both TCP and UDP are required for normal operation. See note above regarding DNS resolution.
Brain | NTP servers (as configured) | UDP/123 | Time synchronization.
Brain | SMTP servers (as configured) | TCP (as configured) | Email alerting.
Brain | Sensors, Stream | TCP/22 (SSH) | Remote management and troubleshooting.
Sensors, Stream | Brain | TCP/22 (SSH), TCP/443 (HTTPS) | Pairing, metadata transfer, and ongoing communication.
Stream | Data lake (as configured) | TCP (as configured) | Metadata stream to a data lake.

Additional (feature dependent) connectivity

Source | Destination | Protocol/Port | Comments
Administrator workstations | *.wootric.com | TCP/443 (HTTPS) | Customer feedback links from within the web interface.
Administrator workstations | Recall Kibana server | TCP/443 (HTTPS) | Recall IP addresses are provided during implementation and may be requested at any time from Vectra Support.
Brain | vpn.vectranetworks.com (74.201.86.229) | TCP/443 or UDP/9970 | Remote Support VPN for remote troubleshooting. See note above regarding SSL inspection.
Brain | metadata.vectra.ai (100.20.236.31, 44.229.57.246, 44.228.37.60, 44.228.101.87) | TCP/443 (HTTPS) | Anonymized metadata sharing to contribute to future algorithm development.
Brain | Recall collector | TCP/443 (HTTPS) | Recall IP addresses are provided during implementation and may be requested at any time from Vectra Support.
Brain | Syslog (as configured) | TCP or UDP (as configured) | CEF or standard Syslog format.
Brain | Kafka (as configured) | TCP (as configured) | CEF or standard Syslog format.
Brain | Carbon Black Response (as configured) | TCP/443 (as configured) | Carbon Black integration (requires API key).
Brain | api.crowdstrike.com | TCP/443 (HTTPS) | CrowdStrike integration.
Brain | vCenter (as configured) | TCP (as configured) | vCenter integration enables vSensor physical host view, augmented host identification, and vCenter alerts.
Brain | LDAP (as configured) | TCP/389, TCP/636 | LDAP authentication. TCP/636 is LDAPS (encrypted); TCP/389 is cleartext unless StartTLS is negotiated.
Brain | RADIUS (as configured) | UDP/1812 | RADIUS (PAP) authentication. PAP protects the password only with the RADIUS shared secret, so keep this flow on a trusted management segment.
Brain | TACACS (as configured) | TCP/49 | TACACS (PAP or CHAP) authentication.
Brain | Backup server (as configured) | TCP/22 (SSH) | Automated backup (SCP or SFTP).
Brain | Brain | TCP/22 (SSH), TCP/443 (HTTPS) | Automated backup (brain-to-brain). Connectivity is bidirectional.
Sensors | update2.vectranetworks.com (54.200.156.238) | TCP/443 (HTTPS) | Required for automatic pairing. Optional for manual (offline) pairing.
SIEM/CLM log management | Brain | TCP or UDP (as configured) | Log forwarding of DHCP/AD security events to augment host identification.
Brain | login.windows.net, api.securitycenter.windows.com | TCP/443 (HTTPS) | Required for ATP lockdown.
Brain | global-api-mgmt.azure-api.net | TCP/443 (HTTPS) | Required for Cognito SaaS (Office 365) API connectivity.
