Ports Used by InsightIDR

When preparing to deploy InsightIDR to your environment, please review and adhere to the following:

Collector Ports

The Collector host will be using common and uncommon ports to poll and listen for log events. You will need to ensure that any local firewall, malware detection, and anti-virus software does not block these ports. The specific ports used for log collection will depend on the devices that you are collecting log data from and the method used for collecting the logs. Ports are configured when event sources are added.

When sending logs to InsightIDR using the syslog protocol, which is configured by using the Listen on Network Port collection method, the Insight Collector requires each stream of logs to be sent to it on a unique TCP or UDP port. For each event source added to a Collector, you must configure devices that send logs using syslog to use a unique TCP or UDP port on that Collector. It is common to start sending the logs using port 10000 as this port range is typically not used for anything else, although you may use any open unique port.

If you have many event sources of the same type, then you may want to "stripe" Collector ports by reserving blocks for different types of event sources. For example, you could reserve ports 20,000-20,009 for firewalls and 20,010-20,019 for IDS.

Port usage on Collectors

A Collector cannot have more than one event source configured using the same UDP or TCP port with the Listen on Network Port data collection method.

Example of using the same Insight Collector for multiple event sources:

If you would like to use the same Insight Collector to collect logs from two firewalls, you must keep in mind that each syslog event source must be configured to use a different port on the Collector. This means that you can either:

  1. Add one event source for each firewall and configure both to use different ports, or
  2. Add one event source to collect logs from both firewalls and configure both firewalls to send logs over the same port.

There are benefits to choosing to use separate event sources for each device:

  • If one of the devices stops sending logs, it is much easier to spot. Alternatively, Inactivity Alerts can be created for each event source.
  • Each event source shows up as a separate log in Log Search.
  • As the time zone of the event source must match the time zone of the sending device, separate event sources allow for each device to be in different time zones.

Note that there is a maximum of ten devices that can send syslog to a single event source using TCP as the transport protocol.
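The rules above (one unique TCP or UDP port per "Listen on Network Port" event source, optional striping into reserved blocks, at most ten TCP senders per event source) can be checked before any device is reconfigured. The following is an added example, not Rapid7's code: a small planner that assigns ports from striped blocks and rejects conflicts. The block layout, event-source names and sender addresses are constructed, and the conflict check keys on the (protocol, port) pair; if your policy treats udp/20000 and tcp/20000 as the same port, key on the port number alone.

```python
"""Plan and validate syslog listener ports on one InsightIDR Collector.

Added example (not Rapid7's code). It models the rules on this page:
  * each "Listen on Network Port" event source needs its own port on the
    Collector, so no two sources may share a (protocol, port) pair;
  * ports can be "striped" into reserved blocks per event-source type
    (the page's example: 20000-20009 firewalls, 20010-20019 IDS);
  * at most ten devices may send syslog to one event source over TCP.
Block layout, source names and sender addresses below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_TCP_SENDERS = 10  # per-event-source limit stated on the page

# Striped blocks following the page's example layout (assumed; adjust to taste).
STRIPED_BLOCKS: Dict[str, range] = {
    "firewall": range(20000, 20010),
    "ids": range(20010, 20020),
}


@dataclass
class EventSource:
    name: str
    kind: str                   # "firewall" or "ids" here; selects the block
    protocol: str               # "tcp" or "udp"
    senders: List[str]          # devices that will send syslog to this source
    port: Optional[int] = None  # None = take the next free port in the block


class CollectorPortPlan:
    """Tracks the (protocol, port) pairs already in use on one Collector."""

    def __init__(self, blocks: Dict[str, range] = STRIPED_BLOCKS):
        self.blocks = blocks
        self.assigned: Dict[Tuple[str, int], str] = {}  # (proto, port) -> source
        self.errors: List[str] = []

    def add(self, src: EventSource) -> Optional[int]:
        """Register src; return its port, or None with an error recorded."""
        proto = src.protocol.lower()
        if proto not in ("tcp", "udp"):
            self.errors.append(f"{src.name}: unknown protocol {src.protocol!r}")
            return None
        if proto == "tcp" and len(src.senders) > MAX_TCP_SENDERS:
            self.errors.append(
                f"{src.name}: {len(src.senders)} TCP senders exceeds the "
                f"limit of {MAX_TCP_SENDERS} per event source")
            return None
        block = self.blocks.get(src.kind)
        if block is None:
            self.errors.append(f"{src.name}: no reserved block for kind {src.kind!r}")
            return None
        port = src.port
        if port is None:
            # Striping: lowest free port in this kind's reserved block.
            port = next((p for p in block if (proto, p) not in self.assigned), None)
            if port is None:
                self.errors.append(f"{src.name}: block {block} for {src.kind!r} is full")
                return None
        elif port not in block:
            self.errors.append(f"{src.name}: port {port} is outside the {src.kind!r} block")
            return None
        if (proto, port) in self.assigned:
            self.errors.append(
                f"{src.name}: {proto}/{port} is already used by {self.assigned[(proto, port)]}")
            return None
        self.assigned[(proto, port)] = src.name
        src.port = port
        return port


def plan_example() -> CollectorPortPlan:
    """Constructed scenario: two firewalls as separate sources (the page's
    recommended layout), an IDS with too many TCP senders, and a source that
    asks for a port the first firewall already holds."""
    plan = CollectorPortPlan()
    plan.add(EventSource("fw-edge", "firewall", "udp", ["10.0.0.1"]))
    plan.add(EventSource("fw-dc", "firewall", "udp", ["10.0.0.2"]))
    plan.add(EventSource("ids-core", "ids", "tcp", [f"10.0.1.{i}" for i in range(1, 12)]))
    plan.add(EventSource("fw-dup", "firewall", "udp", ["10.0.0.3"], port=20000))
    return plan


if __name__ == "__main__":
    plan = plan_example()
    for (proto, port), name in sorted(plan.assigned.items()):
        print(f"{name:10s} {proto}/{port}")
    for err in plan.errors:
        print("ERROR:", err)
```

Running the script prints the two accepted firewall sources on udp/20000 and udp/20001, then the two rejections (the IDS source with eleven TCP senders, and the duplicate port request).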

Using the WMI protocol

For logs collected using the WMI protocol, access is required through an admin account and communication occurs over ports 135, 139 and 445. When strict networking rules do not permit communication over ephemeral ports, which are used by WMI, you may need to set up a fixed port. Read Microsoft's documentation to learn more: https://docs.microsoft.com/en-us/windows/win32/wmisdk/setting-up-a-fixed-port-for-wmi

Other Ports

The table below outlines the necessary communication requirements for InsightIDR. Assess your environment and determine where firewall or access control changes will need to be made.

| Source | Destination | Port |
| --- | --- | --- |
| All deployed Collectors | data.insight.rapid7.com (US-1), us2.data.insight.rapid7.com (US-2), us3.data.insight.rapid7.com (US-3), eu.data.insight.rapid7.com (EMEA), ca.data.insight.rapid7.com (CA), au.data.insight.rapid7.com (AU), ap.data.insight.rapid7.com (AP) | 443 |
| All deployed Collectors | s3.amazonaws.com (US-1), s3.us-east-2.amazonaws.com (US-2), s3.us-west-2.amazonaws.com (US-3), s3.eu-central-1.amazonaws.com (EMEA), s3.ca-central-1.amazonaws.com (CA), s3.ap-southeast-2.amazonaws.com (AU), s3.ap-northeast-1.amazonaws.com (AP) | 443 |
| All Insight Agents if not connecting through a Collector | endpoint.ingress.rapid7.com (US-1), us2.endpoint.ingress.rapid7.com (US-2), us3.endpoint.ingress.rapid7.com (US-3), eu.endpoint.ingress.rapid7.com (EMEA), ca.endpoint.ingress.rapid7.com (CA), au.endpoint.ingress.rapid7.com (AU), ap.endpoint.ingress.rapid7.com (AP) | 443 |
| All Insight Agents if not connecting through a Collector | US-1: us.storage.endpoint.ingress.rapid7.com, us.bootstrap.endpoint.ingress.rapid7.com; US-2: us2.storage.endpoint.ingress.rapid7.com, us2.bootstrap.endpoint.ingress.rapid7.com; US-3: us3.storage.endpoint.ingress.rapid7.com, us3.bootstrap.endpoint.ingress.rapid7.com; EU: eu.storage.endpoint.ingress.rapid7.com, eu.bootstrap.endpoint.ingress.rapid7.com; CA: ca.storage.endpoint.ingress.rapid7.com, ca.bootstrap.endpoint.ingress.rapid7.com; AU: au.storage.endpoint.ingress.rapid7.com, au.bootstrap.endpoint.ingress.rapid7.com; AP: ap.storage.endpoint.ingress.rapid7.com, ap.bootstrap.endpoint.ingress.rapid7.com | 443 |
| All endpoints when using the Endpoint Monitor (Windows only) | Collector | 135 or 445 (WMI), 5508, 20000-30000 |
| All Insight Agents (connecting through a Collector) | Collector | 5508, 6608, 8037 |
| Collector | Domain controller configured as LDAP source for LDAP event source | 636 or 389 |
| Collector | All domain controllers | 135, 139, 445 |
| Active Directory | WMI Collection Method | 135, 445 |
| DNS/DHCP, sometimes Active Directory | Windows File Share | 139 |
| Non-MS DHCP server | Collector | *UDP/TCP port above 1024 |
| Firewall | Collector | *UDP/TCP port above 1024 |
| Checkpoint Firewall | Collector | 18184 or other as specified |
| VPN | Collector | *UDP/TCP port above 1024 |
| AV Server (sending logs using syslog) | Collector | *UDP/TCP port above 1024 |
| Nexpose/InsightVM | Collector | 3780 |
| Metasploit | Collector | 3790 |
| box.com logs | https://api.box.com | 443 |

*The port specified must be unique for the Collector that is collecting the logs.
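The outbound rows of the table (Collectors to the regional data and S3 hosts, Agents to the regional ingress, storage and bootstrap hosts, all on TCP 443) are the ones most often blocked by an egress firewall. The following is an added example, not Rapid7's code: it turns those rows into a per-region allow-list and probes each destination with a plain TCP connect. The hostnames are copied from the table above; the region keys, the role names ("collector", "agent-direct") and the probe helper are this example's own. A successful probe only means the path to the host on port 443 is open, not that the service accepted the Collector or Agent; a timeout is the usual symptom of a firewall silently dropping the connection.

```python
"""Build and probe the outbound allow-list for an InsightIDR Collector or a
directly connecting Insight Agent in one region.

Added example (not Rapid7's code). Hostnames come from the port table on the
page; the region keys, role names and the probe helper are this example's own.
"""
import socket
from typing import Callable, Dict, List, Tuple

PORT = 443  # every outbound row in the table uses TCP 443

# Region -> (data ingress host, S3 host) for deployed Collectors.
COLLECTOR_EGRESS: Dict[str, Tuple[str, ...]] = {
    "US-1": ("data.insight.rapid7.com", "s3.amazonaws.com"),
    "US-2": ("us2.data.insight.rapid7.com", "s3.us-east-2.amazonaws.com"),
    "US-3": ("us3.data.insight.rapid7.com", "s3.us-west-2.amazonaws.com"),
    "EMEA": ("eu.data.insight.rapid7.com", "s3.eu-central-1.amazonaws.com"),
    "CA": ("ca.data.insight.rapid7.com", "s3.ca-central-1.amazonaws.com"),
    "AU": ("au.data.insight.rapid7.com", "s3.ap-southeast-2.amazonaws.com"),
    "AP": ("ap.data.insight.rapid7.com", "s3.ap-northeast-1.amazonaws.com"),
}

# Region -> (endpoint ingress, storage, bootstrap) for Agents not using a Collector.
AGENT_DIRECT_EGRESS: Dict[str, Tuple[str, ...]] = {
    "US-1": ("endpoint.ingress.rapid7.com",
             "us.storage.endpoint.ingress.rapid7.com",
             "us.bootstrap.endpoint.ingress.rapid7.com"),
    "US-2": ("us2.endpoint.ingress.rapid7.com",
             "us2.storage.endpoint.ingress.rapid7.com",
             "us2.bootstrap.endpoint.ingress.rapid7.com"),
    "US-3": ("us3.endpoint.ingress.rapid7.com",
             "us3.storage.endpoint.ingress.rapid7.com",
             "us3.bootstrap.endpoint.ingress.rapid7.com"),
    "EMEA": ("eu.endpoint.ingress.rapid7.com",
             "eu.storage.endpoint.ingress.rapid7.com",
             "eu.bootstrap.endpoint.ingress.rapid7.com"),
    "CA": ("ca.endpoint.ingress.rapid7.com",
           "ca.storage.endpoint.ingress.rapid7.com",
           "ca.bootstrap.endpoint.ingress.rapid7.com"),
    "AU": ("au.endpoint.ingress.rapid7.com",
           "au.storage.endpoint.ingress.rapid7.com",
           "au.bootstrap.endpoint.ingress.rapid7.com"),
    "AP": ("ap.endpoint.ingress.rapid7.com",
           "ap.storage.endpoint.ingress.rapid7.com",
           "ap.bootstrap.endpoint.ingress.rapid7.com"),
}

ROLES = {"collector": COLLECTOR_EGRESS, "agent-direct": AGENT_DIRECT_EGRESS}


def required_egress(role: str, region: str) -> List[Tuple[str, int]]:
    """Return the (host, port) pairs a host with `role` in `region` must reach."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}; expected one of {sorted(ROLES)}")
    table = ROLES[role]
    if region not in table:
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(table)}")
    return [(host, PORT) for host in table[region]]


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """TCP connect to host:port; returns (reachable, detail). No TLS is attempted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except socket.timeout:
        return False, "timeout (typically a firewall dropping the SYN)"
    except OSError as exc:
        return False, f"{type(exc).__name__}: {exc}"


def check_egress(role: str, region: str,
                 probe: Callable[[str, int], Tuple[bool, str]] = probe_tcp
                 ) -> Dict[str, Tuple[bool, str]]:
    """Probe every required destination; returns {"host:port": (ok, detail)}."""
    return {f"{h}:{p}": probe(h, p) for h, p in required_egress(role, region)}


def local_selfcheck() -> Tuple[bool, bool]:
    """Offline sanity check of the probe against a constructed loopback listener:
    returns (reachable while listening, reachable after the listener closes)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    up, _ = probe_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    down, _ = probe_tcp("127.0.0.1", port, timeout=1.0)
    return up, down


if __name__ == "__main__":
    import sys
    role = sys.argv[1] if len(sys.argv) > 1 else "collector"
    region = sys.argv[2] if len(sys.argv) > 2 else "US-1"
    for target, (ok, detail) in check_egress(role, region).items():
        print(f"{'OK  ' if ok else 'FAIL'} {target} {detail}")
```

Run it as `python egress_check.py collector EMEA` (or `agent-direct CA`) from the host being deployed; a FAIL with a timeout points at an egress firewall rule, whereas a name-resolution error in the detail points at DNS rather than the firewall.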