Video Screencast Help

Firewall Ports for Network Monitor

Created: 19 Oct 2011 | 5 comments

What ports have to be opened on a firewall to let a Network Monitor communicate with it's Enforce Server?


Comments 5 CommentsJump to latest comment

xlloyd's picture

The default port for communication between all detection servers and the Enforce Server is TCP 8100

If this post has helped you, please vote up or mark as solution's picture

It should be your Firewall port i.e TCP and UDP (Depending upon the Port number which you have alloted to Firewall)

Denis Kattithara's picture

You need to open 8100 between the Enforce and Network Monitor. The remaining communication occurs in Promniscous mode and shall not require any TCP port, unless there is a Firewtall between the Network Monitor - Promniscous Network adapter and your SPAN / TAP.

Denis John Kattithara

Partner Assist Services

Symantec Corporation 

jgt10's picture

The TCP communications is established FROM the Enforce server TO the Network Monitor.  The source port on the Enforce is a random one above 1024.  The destination TCP port is 8100 by default, but can be changed. 

Most, if not all, firewalls, have an option to recognize and allow established TCP connections.  Any traffic coming back from an established TCP connection is allowed without having to define the inbound side.

Thus the fireawall or other filtering rules, must allow a connection from the Enforce server to the Network Monitor (or any detection server) with a destination TCP port of 8100 and established connections allowed by that rule.


John G. Thompson
JOAT(MON)'s picture

Source IP -  Enforcer Server

Destination IP - Detection Server

TCP Port - 8100

you do not need to open the port for both direction, Just open for above source and destinaion IP. Remember always that you can telnet to port 8100 from Enforcer to Detection server but not from Detection to Enforcer server.