Ports Used by InsightIDR
When preparing to deploy InsightIDR to your environment, review and adhere to the following port requirements:
Collector Ports
The Collector host uses both common and uncommon ports to poll for and listen for log events. Make sure that any host-based firewall, malware detection, or anti-virus software on the Collector host allows these ports rather than blocking them. The specific ports used for log collection depend on the devices you collect log data from and on the collection method. Ports are configured when event sources are added.
When sending logs to InsightIDR using the syslog protocol, which is configured with the Listen on Network Port collection method, the Insight Collector requires each stream of logs to arrive on its own TCP or UDP port. For each event source added to a Collector, configure the devices that send syslog to that event source to use a TCP or UDP port that no other event source on that Collector uses, and make sure the Collector host's firewall accepts that port from the sending devices. It is common to start at port 10000, as that port range is typically not used for anything else, although you may use any open, unused port.
If you have many event sources of the same type, you may want to "stripe" Collector ports by reserving blocks for different types of event sources. For example, reserve ports 20,000-20,009 for firewalls and 20,010-20,019 for IDS.
Port usage on Collectors
A Collector cannot have more than one event source configured using the same UDP or TCP port with the Listen on Network Port data collection method.
Example of using the same Insight Collector for multiple event sources:
If you would like to use the same Insight Collector to collect logs from two firewalls, you must keep in mind that each syslog event source must be configured to use a different port on the Collector. This means that you can either:
- Add one event source for each firewall and configure both to use different ports, or
- Add one event source to collect logs from both firewalls and configure both firewalls to send logs over the same port.
There are benefits to choosing to use separate event sources for each device:
- If one of the devices stops sending logs, it is much easier to spot. Inactivity Alerts can also be created for each event source.
- Each event source shows up as a separate log in Log Search.
- As the time zone of the event source must match the time zone of the sending device, separate event sources allow for each device to be in different time zones.
Note that a maximum of ten devices can send syslog to a single event source when TCP is the transport protocol. If more devices of the same type need TCP, split them across additional event sources, each on its own port.
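The port rules in this section (one port per Listen on Network Port event source, optional striping of reserved blocks per event-source type, and the ten-device limit for TCP syslog) are easy to get wrong by hand once a Collector hosts dozens of event sources. The following planner is an added example, not Rapid7 code: it assigns listener ports under those rules and refuses assignments that would violate them. The stripe boundaries, event-source names and sender addresses are constructed for illustration; it takes the conservative reading that a port number is used only once on a Collector regardless of transport.

```python
"""Plan 'Listen on Network Port' syslog ports for one InsightIDR Collector.

Added example, not Rapid7 code. It encodes the rules stated on this page:
each syslog event source needs its own port on the Collector, ports can be
"striped" into reserved blocks per event-source type, and at most ten
devices may send syslog over TCP to a single event source.
The stripe boundaries and event-source names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Reserved blocks per event-source type (constructed; mirrors the page's
# example of 20,000-20,009 for firewalls and 20,010-20,019 for IDS).
STRIPES = {
    "firewall": range(20000, 20010),
    "ids": range(20010, 20020),
}
UNSTRIPED_START = 10000   # where the page suggests starting otherwise
MAX_TCP_SENDERS = 10      # per-event-source limit when the transport is TCP


@dataclass
class EventSource:
    name: str
    kind: str                   # "firewall", "ids", ... selects the stripe
    protocol: str               # "tcp" or "udp"
    senders: list = field(default_factory=list)  # devices that will send
    port: Optional[int] = None  # set explicitly, or assigned by the planner


class CollectorPortPlan:
    """Tracks which listener ports are taken on a single Collector."""

    def __init__(self) -> None:
        self.by_port: dict = {}   # port -> EventSource

    def add(self, src: EventSource) -> int:
        """Assign a port to src, enforcing the page's rules; returns the port."""
        if src.protocol not in ("tcp", "udp"):
            raise ValueError(f"{src.name}: protocol must be tcp or udp")
        if src.protocol == "tcp" and len(src.senders) > MAX_TCP_SENDERS:
            raise ValueError(
                f"{src.name}: {len(src.senders)} TCP senders exceed the "
                f"limit of {MAX_TCP_SENDERS}; split them across event sources"
            )
        # Conservative reading of the uniqueness rule: a port number is
        # used once on the Collector regardless of transport.
        if src.port is not None:
            candidates = [src.port]
        else:
            candidates = STRIPES.get(src.kind, range(UNSTRIPED_START, 65536))
        for port in candidates:
            if port not in self.by_port:
                src.port = port
                self.by_port[port] = src
                return port
        taken = self.by_port.get(src.port)
        detail = f"already used by {taken.name}" if taken else "stripe exhausted"
        raise RuntimeError(f"{src.name}: no free port ({detail})")

    def table(self):
        """Rows of (port, protocol, event source, sender count), sorted by port."""
        return sorted(
            (p, s.protocol, s.name, len(s.senders)) for p, s in self.by_port.items()
        )


if __name__ == "__main__":
    plan = CollectorPortPlan()
    for src in (
        EventSource("fw-hq", "firewall", "udp", ["10.0.0.1"]),
        EventSource("fw-branch", "firewall", "udp", ["10.0.1.1"]),
        EventSource("ids-core", "ids", "tcp", ["10.0.2.1", "10.0.2.2"]),
        EventSource("av-server", "antivirus", "udp", ["10.0.3.5"]),  # no stripe -> 10000
    ):
        plan.add(src)
    for port, proto, name, n in plan.table():
        print(f"{proto}/{port:<6} {name:<12} {n} sender(s)")
```

The `table()` output is what you would hand to the firewall team: one row per listener port, which is also the allow-list the Collector host's own firewall needs. An event source with an explicit `port` that is already taken raises immediately rather than silently colliding, which is the failure the page warns about.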
Using the WMI protocol
For logs collected using the WMI protocol, the Collector needs an account with administrative rights on the target hosts, and communication occurs over ports 135, 139 and 445. After the initial connection to port 135, WMI (DCOM) also uses dynamically assigned ephemeral ports; where strict networking rules do not permit that, configure a fixed WMI port on the monitored hosts (Microsoft's procedure runs winmgmt -standalonehost, restarts the Winmgmt service, and then opens the fixed port, 24158 by default, in the Windows firewall). Read Microsoft's documentation to learn more: https://docs.microsoft.com/en-us/windows/win32/wmisdk/setting-up-a-fixed-port-for-wmi
Other Ports
The table below outlines the necessary communication requirements for InsightIDR. Assess your environment and determine where firewall or access control changes will need to be made.
Source | Destination | Port |
---|---|---|
All deployed Collectors | data.insight.rapid7.com (US-1) | 443 |
All deployed Collectors | s3.amazonaws.com (US-1) | 443 |
All Insight Agents if not connecting through a Collector | endpoint.ingress.rapid7.com (US-1) | 443 |
All Insight Agents if not connecting through a Collector | US-1 | 443 |
All endpoints when using the Endpoint Monitor (Windows only) | Collector | 135 or 445 (WMI), 5508, 20000-30000 |
All Insight Agents (connecting through a Collector) | Collector | 5508, 6608, 8037 |
Collector | Domain controller configured as the LDAP event source | 636 (LDAPS) or 389 (LDAP) |
Collector | All domain controllers | 135, 139, 445 |
Collector | Active Directory (WMI collection method) | 135, 445 |
Collector | DNS/DHCP server, sometimes Active Directory (Windows file share collection method) | 139 |
Non-MS DHCP server | Collector | *UDP/TCP port above 1024 |
Firewall | Collector | *UDP/TCP port above 1024 |
Check Point Firewall | Collector | 18184 (OPSEC LEA) or other as specified |
VPN | Collector | *UDP/TCP port above 1024 |
AV Server (sending logs using syslog) | Collector | *UDP/TCP port above 1024 |
Nexpose/InsightVM | Collector | 3780 |
Metasploit | Collector | 3790 |
 | box.com logs | 443 |
*The port specified must be unique on the Collector that receives the logs (see Collector Ports above).
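Before opening a ticket with the firewall team it is worth confirming, from the Collector host itself, which of the outbound paths in the table are actually open. The script below is an added example, not Rapid7 tooling: it attempts a TCP connection to each required destination and reports which are blocked. The Rapid7 hostnames are those listed in the table; the domain-controller name is a placeholder to replace with your own. The inbound syslog rows (device to Collector, UDP or TCP) cannot be verified by a client-side connect from the Collector and are not included; the ephemeral DCOM ports used by WMI are likewise outside a single-port check.

```python
"""Outbound connectivity check for the requirements in the table above.

Added example, not Rapid7 tooling. For each (host, port) it attempts a TCP
connection and reports whether the path is open. The Rapid7 hostnames are
the ones listed in the table; the domain-controller name is a placeholder.
Run it on the Collector host. It checks only outbound TCP paths.
"""
import socket

CONNECT_TIMEOUT = 3.0

# (source, host, port, purpose) -- constructed from the table; adjust per site.
REQUIREMENTS = [
    ("Collector", "data.insight.rapid7.com", 443, "Insight platform (US-1)"),
    ("Collector", "s3.amazonaws.com", 443, "S3 (US-1)"),
    ("Collector", "dc01.corp.example", 636, "LDAP event source over LDAPS (placeholder DC)"),
    ("Collector", "dc01.corp.example", 135, "WMI: RPC endpoint mapper (placeholder DC)"),
    ("Collector", "dc01.corp.example", 139, "Windows file share collection (placeholder DC)"),
    ("Collector", "dc01.corp.example", 445, "WMI / SMB (placeholder DC)"),
]


def tcp_reachable(host: str, port: int, timeout: float = CONNECT_TIMEOUT) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable, or no route
        return False


def check_all(requirements=REQUIREMENTS, timeout: float = CONNECT_TIMEOUT):
    """Return [(source, host, port, purpose, reachable)] for every row."""
    return [(s, h, p, why, tcp_reachable(h, p, timeout)) for s, h, p, why in requirements]


def self_test():
    """Prove offline that the checker tells an open port from a closed one.

    Binds a loopback listener on an ephemeral port, probes it, closes it,
    probes again. Expected result: (True, False).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    # The kernel completes the handshake into the backlog; no accept() needed.
    open_result = tcp_reachable("127.0.0.1", port, timeout=2.0)
    listener.close()
    closed_result = tcp_reachable("127.0.0.1", port, timeout=2.0)
    return open_result, closed_result


if __name__ == "__main__":
    if self_test() != (True, False):
        raise SystemExit("checker cannot distinguish open from closed ports; aborting")
    for source, host, port, why, ok in check_all():
        state = "OK     " if ok else "BLOCKED"
        print(f"{state} {source} -> {host}:{port}  ({why})")
```

A BLOCKED result on the data.insight.rapid7.com or s3.amazonaws.com rows means the Collector cannot ship logs at all; a BLOCKED domain-controller row points at the specific collection method (LDAP, WMI, or file share) that will fail. Reachability of port 135 alone does not prove WMI will work, because the DCOM callback on an ephemeral port (or the fixed port described above) must also be allowed.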