
SSIM Communication.

Created: 16 Mar 2012 • Updated: 18 Mar 2012 | 3 comments
robmoore
This issue has been solved. See solution.

Greetings all

The communication port from Agent to SSIM is 443 (Agent -> SSIM). The communication from SSIM to Agent is 5998 (SSIM -> Agent) 

The SSIM sends a CIMON Packet via 5998 telling the Agent that there is a new configuration file ready; the Agent then communicates with the SSIM and collects the config file.

The solution that we are working on will not allow the outbound communication (initiation) from the SSIM Server.

Does anyone have any knowledge or experience of the implications/workaround of not opening port 5998?

Kind regards

Rob


olaf

Well, if you update the configuration the agent won't get the configuration immediately.

The manager will try anyway if you make a configuration change and this behaviour can't be changed as far as I know.

To get the configuration you will have to tell the agent manually to re-load the configuration; that can be done by running option 3 in the agentmgmt.bat.

Also the agent will periodically check with the manager if a new configuration is available. The default is 480 min (8 hours). This can be configured in System->Product Configurations->SSIM Agent and Manager->Agent Configurations.

When you create a new configuration and assign it to an agent, and then go to the Configuration tab, you will find a setting for the Config poll time.

Is there any reason why you want to prevent the SSIM manager from telling the agent that a new configuration is available?


SOLUTION
Avkash K

Hi Rob,

Thumbs up to Olaf's advice.

First of all, why do you want to block 5998? Is any other application working on the same port?

If so, you can change the port the Agent is listening on.

How to change the port the Symantec Security Information Manager (SSIM) Agent is listening on:

http://www.symantec.com/docs/TECH167789


Following is the list of ports used by SSIM and other helpful links.

What ports are used by SSIM:

http://www.symantec.com/docs/TECH90210

What are the open ports on the Symantec Security Information Manager v4.6:

http://www.symantec.com/docs/TECH89827

What ports does the Event Agent use when installed off-box:

http://www.symantec.com/docs/TECH131123

Regards,

Avkash K

robmoore

Hi Guys

Many thanks for your replies... After I posted the questions I had a thought around the agent bat file, and it's great that you also had the same thoughts, so thanks again.

This is a high security deployment. The SSIM sits in an ultra-secure zone and the stipulation/condition of ... 'Nothing from within this zone will communicate via outbound ports with anything outside the zone' ... meaning no outbound ports will be opened... 5998 is an outbound port, that is from the SSIM to the Agents (some of which are outside this zone).

There isn't a huge number of off-box Agents, so adding/amending a configuration and then running the agentmgmt.bat option 3 isn't a massive overhead ;-)

Thanks again guys for your help.

Kind regards

Rob