Ports Used by InsightIDR

When preparing to deploy InsightIDR to your environment, please review and adhere to the following:

Collector Ports

The Collector host will be using common and uncommon ports to poll and listen for log events. Disabling the local firewall and A/V is recommended so you don't have to constantly update or review local firewall rules or deal with an endpoint protection solution interfering with log collection.

A Rapid7 collector requires each stream of syslog logs to be sent to it on a unique TCP or UDP port. You must configure devices that send logs using syslog to use a TCP or UDP port unique on that collector when sending logs. It is common to start sending the logs using port 10000, although you may use any open unique port. For Linux collectors, the ports used must be higher than 1024.

WMI requires access through an admin account and communication over ports 135, 139 and 445.

Note that the Collector is designed to listen for only one event log stream per port. As such, we recommend starting at port 20,000 and working your way up one port at a time for each new event source.

If you have many event sources of the same type, then you may want to "stripe" Collector ports by reserving blocks for different types of event sources. For example, reserve ports 20,000-20,009 for firewalls and 20,010-20,019 for IDS.
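The three rules above (one stream per port on a given Collector, ports above 1024 on Linux Collectors, and optional striping by event source type) are easy to get wrong once a few dozen syslog sources are in play. The following is an added example, not Rapid7 code, that validates a port plan before any device is reconfigured and hands out the next free port inside a type's reserved block. The Collector names, device names and the PLAN data are constructed for illustration; the striping blocks follow the page's own example, and the 20000-30000 fallback range for unstriped types is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EventSource:
    name: str        # hypothetical device name
    kind: str        # event source type, e.g. "firewall" or "ids"
    collector: str   # Collector the device sends syslog to
    port: int        # TCP/UDP port that Collector listens on for this stream


# Striping blocks following the page's example: 20000-20009 for firewalls,
# 20010-20019 for IDS. Types without an entry are not constrained to a block.
STRIPES = {
    "firewall": range(20000, 20010),
    "ids": range(20010, 20020),
}

# Assumed fallback range for types that have no reserved block.
UNSTRIPED_RANGE = range(20000, 30001)


def validate_plan(sources, linux_collectors=frozenset(), stripes=STRIPES):
    """Return a list of human-readable problems; an empty list means the plan is valid."""
    problems = []
    owner = {}  # (collector, port) -> name of the source already using that port
    for src in sources:
        if not 1 <= src.port <= 65535:
            problems.append(f"{src.name}: {src.port} is not a valid port")
            continue
        # A Collector listens for exactly one stream per port, so the same
        # port may not be reused on that Collector regardless of protocol.
        key = (src.collector, src.port)
        if key in owner:
            problems.append(f"{src.name}: port {src.port} on {src.collector} "
                            f"is already used by {owner[key]}")
        else:
            owner[key] = src.name
        # Linux Collectors must use ports above 1024.
        if src.collector in linux_collectors and src.port <= 1024:
            problems.append(f"{src.name}: port {src.port} on Linux Collector "
                            f"{src.collector} must be above 1024")
        # Keep each type inside its reserved block when one is defined.
        block = stripes.get(src.kind)
        if block is not None and src.port not in block:
            problems.append(f"{src.name}: port {src.port} is outside the {src.kind} "
                            f"block {block.start}-{block.stop - 1}")
    return problems


def next_free_port(sources, collector, kind, stripes=STRIPES):
    """Lowest unused port on `collector` inside the block reserved for `kind`.

    Returns None when the block is exhausted.
    """
    used = {s.port for s in sources if s.collector == collector}
    for port in stripes.get(kind, UNSTRIPED_RANGE):
        if port not in used:
            return port
    return None


# Constructed sample plan with three deliberate mistakes: a duplicated port,
# a privileged port on a Linux Collector, and a firewall outside its block.
PLAN = [
    EventSource("fw-edge", "firewall", "col-win", 20000),
    EventSource("fw-dmz", "firewall", "col-win", 20000),
    EventSource("ids-1", "ids", "col-win", 20010),
    EventSource("vpn-1", "vpn", "col-lin", 514),
    EventSource("fw-branch", "firewall", "col-lin", 20011),
]
LINUX_COLLECTORS = frozenset({"col-lin"})

if __name__ == "__main__":
    for problem in validate_plan(PLAN, LINUX_COLLECTORS):
        print("PROBLEM:", problem)
    print("next firewall port on col-win:", next_free_port(PLAN, "col-win", "firewall"))
```

Run it against the real plan before rolling out device changes; a Collector that is handed a port twice simply loses one of the two streams, which is much harder to spot after the fact than a validation message.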

Other Ports

The table below outlines the necessary communication requirements for InsightIDR. Assess your environment and determine where firewall or access control changes will need to be made.

You can only use a port once in a product

If you attempt to use a port more than once, you will encounter an error.

| Source | Destination | Port |
| --- | --- | --- |
| All deployed Collectors | https://data.insight.rapid7.com (US) | 443 |
| All deployed Collectors | https://eu.data.insight.rapid7.com (EMEA) | 443 |
| All deployed Collectors | https://ca.data.insight.rapid7.com (CA) | 443 |
| All deployed Collectors | https://au.data.insight.rapid7.com (AU) | 443 |
| All deployed Collectors | https://ap.data.insight.rapid7.com (AP) | 443 |
| All deployed Collectors | https://s3.amazonaws.com (US) | 443 |
| All deployed Collectors | https://s3.eu-central-1.amazonaws.com (EMEA) | 443 |
| All deployed Collectors | https://s3.ca-central-1.amazonaws.com (CA) | 443 |
| All deployed Collectors | https://s3.ap-southeast-2.amazonaws.com (AU) | 443 |
| All deployed Collectors | https://s3.ap-northeast-1.amazonaws.com (AP) | 443 |
| All Insight Agents if not connecting through a Collector | https://endpoint.ingress.rapid7.com (US) | 443 |
| All Insight Agents if not connecting through a Collector | https://eu.endpoint.ingress.rapid7.com (EMEA) | 443 |
| All Insight Agents if not connecting through a Collector | https://ca.endpoint.ingress.rapid7.com (CA) | 443 |
| All Insight Agents if not connecting through a Collector | https://au.endpoint.ingress.rapid7.com (AU) | 443 |
| All Insight Agents if not connecting through a Collector | https://ap.endpoint.ingress.rapid7.com (AP) | 443 |
| All Insight Agents if not connecting through a Collector | https://us.storage.endpoint.ingress.rapid7.com (US) | 443 |
| All Insight Agents if not connecting through a Collector | https://us.bootstrap.endpoint.ingress.rapid7.com (US) | 443 |
| All Insight Agents if not connecting through a Collector | https://eu.storage.endpoint.ingress.rapid7.com (EU) | 443 |
| All Insight Agents if not connecting through a Collector | https://eu.bootstrap.endpoint.ingress.rapid7.com (EU) | 443 |
| All Insight Agents if not connecting through a Collector | https://ca.storage.endpoint.ingress.rapid7.com (CA) | 443 |
| All Insight Agents if not connecting through a Collector | https://ca.bootstrap.endpoint.ingress.rapid7.com (CA) | 443 |
| All Insight Agents if not connecting through a Collector | https://au.storage.endpoint.ingress.rapid7.com (AU) | 443 |
| All Insight Agents if not connecting through a Collector | https://au.bootstrap.endpoint.ingress.rapid7.com (AU) | 443 |
| All Insight Agents if not connecting through a Collector | https://ap.storage.endpoint.ingress.rapid7.com (AP) | 443 |
| All Insight Agents if not connecting through a Collector | https://ap.bootstrap.endpoint.ingress.rapid7.com (AP) | 443 |
| All endpoints when using the Endpoint Monitor (Windows only) | Collector | 135 or 445 (WMI), 5508, 20000-30000 |
| All Insight Agents (connecting through a Collector) | Collector | 5508, 6608, 8037 |
| Collector | Domain controller configured as LDAP source for the LDAP event source | 636 or 389 |
| Collector | All domain controllers | 135, 139, 445 |
| Active Directory | WMI collection method | 135, 445 |
| DNS/DHCP, sometimes Active Directory | Windows file share | 139 |
| Non-MS DHCP server | Collector | UDP/TCP port above 1024* |
| Firewall | Collector | UDP/TCP port above 1024* |
| Checkpoint Firewall | Collector | 18184 or other as specified |
| VPN | Collector | UDP/TCP port above 1024* |
| AV server (sending logs using syslog) | Collector | UDP/TCP port above 1024* |
| Nexpose/InsightVM | Collector | 3780 |
| Metasploit | Collector | 3790 |
| box.com logs | https://api.box.com | 443 |

*The port specified must be unique for the Collector that is collecting the logs.
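Turning the table into a per-region checklist is the first thing to do when a Collector or Agent reports it cannot reach the platform. The following is an added example, not Rapid7 code, that builds the outbound flows a deployment needs from the hostnames in the table and probes each one with a plain TCP connect so that a firewall or proxy block shows up before logs stop flowing. The "collector" and "agent" role names, the `COLLECTOR_IP` placeholder and the probe function are this example's own; the page labels the European region both "EMEA" and "EU", and both are folded into "EU" here.

```python
import socket

# Platform hosts from the table, by region (scheme stripped; all are TCP 443).
COLLECTOR_HOSTS = {
    "US": ["data.insight.rapid7.com", "s3.amazonaws.com"],
    "EU": ["eu.data.insight.rapid7.com", "s3.eu-central-1.amazonaws.com"],
    "CA": ["ca.data.insight.rapid7.com", "s3.ca-central-1.amazonaws.com"],
    "AU": ["au.data.insight.rapid7.com", "s3.ap-southeast-2.amazonaws.com"],
    "AP": ["ap.data.insight.rapid7.com", "s3.ap-northeast-1.amazonaws.com"],
}

# Hosts an Insight Agent needs when it does not go through a Collector.
DIRECT_AGENT_HOSTS = {
    "US": ["endpoint.ingress.rapid7.com",
           "us.storage.endpoint.ingress.rapid7.com",
           "us.bootstrap.endpoint.ingress.rapid7.com"],
    "EU": ["eu.endpoint.ingress.rapid7.com",
           "eu.storage.endpoint.ingress.rapid7.com",
           "eu.bootstrap.endpoint.ingress.rapid7.com"],
    "CA": ["ca.endpoint.ingress.rapid7.com",
           "ca.storage.endpoint.ingress.rapid7.com",
           "ca.bootstrap.endpoint.ingress.rapid7.com"],
    "AU": ["au.endpoint.ingress.rapid7.com",
           "au.storage.endpoint.ingress.rapid7.com",
           "au.bootstrap.endpoint.ingress.rapid7.com"],
    "AP": ["ap.endpoint.ingress.rapid7.com",
           "ap.storage.endpoint.ingress.rapid7.com",
           "ap.bootstrap.endpoint.ingress.rapid7.com"],
}

# Ports an Agent needs on its Collector when it does go through one.
AGENT_TO_COLLECTOR_PORTS = (5508, 6608, 8037)


def required_flows(region, agents_direct=False, collector="COLLECTOR_IP"):
    """Return (source_role, destination_host, port) tuples for a deployment.

    `collector` is a placeholder for the real Collector address.
    """
    flows = [("collector", host, 443) for host in COLLECTOR_HOSTS[region]]
    if agents_direct:
        flows += [("agent", host, 443) for host in DIRECT_AGENT_HOSTS[region]]
    else:
        flows += [("agent", collector, port) for port in AGENT_TO_COLLECTOR_PORTS]
    return flows


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, unresolvable, or timed out
        return False


def unreachable(flows, source_role, probe=tcp_probe, timeout=3.0):
    """Probe the flows originating from `source_role`; return the (host, port) pairs that failed."""
    return [(host, port) for role, host, port in flows
            if role == source_role and not probe(host, port, timeout)]


if __name__ == "__main__":
    # Run on the Collector host itself to verify its own egress.
    for host, port in unreachable(required_flows("US"), "collector"):
        print(f"BLOCKED: {host}:{port}")
```

A successful TCP connect only proves that the path is open at layer 4; a TLS-intercepting proxy can still break the connection later, so treat a clean run as necessary rather than sufficient and check the Collector's own logs after changing firewall rules.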