Ports Used by InsightIDR
When preparing to deploy InsightIDR to your environment, please review and adhere to the following:
Collector Ports
The Collector host will use both common and uncommon ports to poll and listen for log events. Disabling the local firewall and A/V is recommended so you do not have to constantly update or review local firewall rules or deal with an endpoint protection solution interfering with log collection.
A Rapid7 Collector requires each stream of syslog logs to be sent to it on a unique TCP or UDP port. You must configure each device that sends logs using syslog to use a TCP or UDP port that is unique on that Collector. It is common to start at port 10000, although you may use any open, unique port. For Linux Collectors, the ports used must be higher than 1024.
WMI requires access through an admin account and communication over ports 135, 139, and 445.
Note that the Collector is designed to listen for only one event log stream on each port. As such, we recommend starting at port 20,000 and working your way up one port at a time for each new event source.
If you have many event sources of the same type, you may want to "stripe" Collector ports by reserving blocks for different types of event sources: for example, ports 20,000-20,009 reserved for firewalls and 20,010-20,019 for IDS.
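The port-planning rules above (one stream per port, ports unique per Collector, ports above 1024 on Linux, and optional striped blocks per event-source type) are easy to get wrong by hand once there are dozens of syslog sources. The following is an added example, not Rapid7 code, that encodes those rules in a small planner; the Collector names, source types and block ranges are assumed for illustration.

```python
"""Plan unique syslog listener ports for one InsightIDR Collector.

Added example (not Rapid7 code). Enforces: one event-log stream per port,
ports unique per Collector, ports above 1024 on Linux Collectors, and
non-overlapping "striped" blocks per event-source type.
"""
from dataclasses import dataclass, field


class PortPlanError(ValueError):
    """Raised when an assignment would violate the Collector port rules."""


@dataclass
class CollectorPortPlan:
    name: str                                     # e.g. "collector-01" (assumed)
    os: str                                       # "linux" or "windows"
    blocks: dict = field(default_factory=dict)    # source_type -> (first, last)
    assigned: dict = field(default_factory=dict)  # port -> source name

    def reserve_block(self, source_type, first, last):
        """Reserve an inclusive port block for one event-source type."""
        if first > last:
            raise PortPlanError(f"bad block {first}-{last}")
        for other, (f, l) in self.blocks.items():
            if first <= l and f <= last:          # inclusive ranges overlap
                raise PortPlanError(f"{source_type} block overlaps {other}")
        self.blocks[source_type] = (first, last)

    def _check(self, port):
        if not 1 <= port <= 65535:
            raise PortPlanError(f"port {port} out of range")
        if self.os == "linux" and port <= 1024:
            raise PortPlanError(f"Linux Collectors need ports above 1024, got {port}")
        if port in self.assigned:                 # one stream per port
            raise PortPlanError(f"port {port} already used by {self.assigned[port]}")

    def assign(self, source_name, port):
        """Bind a syslog source to an explicit port after validating it."""
        self._check(port)
        self.assigned[port] = source_name
        return port

    def next_port(self, source_type, source_name):
        """Hand out the next free port inside the type's reserved block."""
        first, last = self.blocks[source_type]
        for port in range(first, last + 1):
            if port not in self.assigned:
                return self.assign(source_name, port)
        raise PortPlanError(f"block for {source_type} ({first}-{last}) is full")
```

Running a plan through this before configuring the sending devices gives you the firewall rule list (device to Collector, one port each) and catches a duplicate or a reserved low port on a Linux Collector before the Collector rejects it.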
Other Ports
The table below outlines the necessary communication requirements for InsightIDR. Assess your environment and determine where firewall or access control changes will need to be made.
You can only use a port once in a product
If you attempt to use a port more than once, you will encounter an error.
Source | Destination | Port |
---|---|---|
All deployed Collectors | https://data.insight.rapid7.com (US) | 443 |
All deployed Collectors | https://s3.amazonaws.com (US) | 443 |
All Insight Agents if not connecting through a Collector | https://endpoint.ingress.rapid7.com (US) | 443 |
All Insight Agents if not connecting through a Collector | https://us.storage.endpoint.ingress.rapid7.com (US) | 443 |
All endpoints when using the Endpoint Monitor (Windows Only) | Collector | 135 or 445 (WMI), 5508, 20000-30000 |
All Insight Agents (connecting through a Collector) | Collector | 5508, 6608, 8037 |
Collector | Domain controller configured as LDAP source for LDAP event source | 636 or 389 |
Collector | All domain controllers | 135, 139, 445 |
Active Directory | WMI Collection Method | 135, 445 |
DNS/DHCP, sometimes Active Directory | Windows File Share | 139 |
Non-MS DHCP server | Collector | *UDP/TCP port above 1024 |
Firewall | Collector | *UDP/TCP port above 1024 |
Checkpoint Firewall | Collector | 18184 or other as specified |
VPN | Collector | *UDP/TCP port above 1024 |
AV Server (sending logs using syslog) | Collector | *UDP/TCP port above 1024 |
Nexpose/InsightVM | Collector | 3780 |
Metasploit | Collector | 3790 |
box.com logs | | 443 |
*The port specified must be unique for the Collector that is collecting the logs