Installation guide

Appendix B Default Communication Ports
The table below lists all default ports that the Security Engines use internally and with external
components. Many of these ports can be changed. The names of the corresponding default Service
elements are also included for your reference.
Table B.2 Security Engine and Master Engine Default Ports
Listening Host                                | Port/Protocol                         | Contacting Hosts                                   | Service Description                                                                    | Service Element Name
----------------------------------------------|---------------------------------------|----------------------------------------------------|----------------------------------------------------------------------------------------|------------------------------------------------------------------
Anti-virus signature server                   | 80/TCP                                | Firewall                                           | Anti-virus signature update service.                                                   | HTTP
Authentication Server                         | 8925-8929/TCP                         | Firewall, Master Engine                            | User directory and authentication services.                                            | LDAP (TCP), RADIUS (Authentication)
BrightCloud Server                            | 2316/TCP                              | Firewall, Layer 2 Firewall, IPS, Master Engine     | BrightCloud URL filtering update service.                                              | BrightCloud update
DHCP server                                   | 67/UDP                                | Firewall                                           | Relayed DHCP requests and requests from a firewall that uses a dynamic IP address.     | BOOTPS (UDP)
DNS server                                    | 53/UDP, 53/TCP                        | Firewall, Master Engine                            | Dynamic DNS updates.                                                                   | DNS (TCP)
Firewall                                      | 67/UDP                                | Any                                                | DHCP relay on firewall engine.                                                         | BOOTPS (UDP)
Firewall                                      | 68/UDP                                | DHCP server                                        | Replies to DHCP requests.                                                              | BOOTPC (UDP)
Firewall, Master Engine                       | 500/UDP                               | VPN clients, VPN gateways                          | VPN negotiations, VPN traffic.                                                         | ISAKMP (UDP)
Firewall, Master Engine                       | 636/TCP                               | Management Server                                  | Internal user database replication.                                                    | LDAPS (TCP)
Firewall, Master Engine                       | 2543/TCP                              | Any                                                | User authentication (Telnet) for Access rules.                                         | SG User Authentication
Firewall                                      | 2746/UDP                              | McAfee VPN gateways                                | UDP encapsulated VPN traffic (engine versions 5.1 and lower).                          | SG UDP Encapsulation
Firewall, Master Engine                       | 4500/UDP                              | VPN clients, VPN gateways                          | VPN traffic using NAT-traversal.                                                       | NAT-T
Firewall Cluster Node, Master Engine Cluster Node | 3000-3001/UDP; 3002-3003, 3010/TCP | Firewall Cluster Node, Master Engine Cluster Node  | Heartbeat and state synchronization between clustered Firewalls.                       | SG State Sync (Multicast), SG State Sync (Unicast), SG Data Sync
Firewall, Layer 2 Firewall, IPS, Master Engine | 4950/TCP                             | Management Server                                  | Remote upgrade.                                                                        | SG Remote Upgrade
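One practical use of this table is to audit what an engine node is actually listening on against the documented defaults, so that an undocumented listener (extra attack surface) or a documented one that is missing (a broken service) is flagged. The following Python script is an added example and is not part of this guide or of the product. The expected-port map is transcribed from the table above for the Firewall role only, with the cluster heartbeat and sync ports added only for cluster nodes; the `ss -lntu` output it parses is constructed for the example, not captured from a real engine, and the column layout it assumes is that of iproute2's `ss`.

```python
"""Audit a Firewall engine node's listening sockets against the documented default ports.

Added example: the expected-port maps are transcribed from the appendix table
(Firewall role); the sample `ss -lntu` output is constructed, not captured.
"""
import re
from typing import Dict, Set, Tuple

Socket = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 2543)

# Ports on which a Firewall engine itself is the listening host (from the table).
FIREWALL_EXPECTED: Dict[Socket, str] = {
    ("udp", 67): "BOOTPS (UDP) - DHCP relay on firewall engine",
    ("udp", 68): "BOOTPC (UDP) - replies to DHCP requests",
    ("udp", 500): "ISAKMP (UDP) - VPN negotiations, VPN traffic",
    ("tcp", 636): "LDAPS (TCP) - internal user database replication",
    ("tcp", 2543): "SG User Authentication - user authentication (Telnet)",
    ("udp", 2746): "SG UDP Encapsulation (engine versions 5.1 and lower)",
    ("udp", 4500): "NAT-T - VPN traffic using NAT-traversal",
    ("tcp", 4950): "SG Remote Upgrade",
}

# Cluster nodes additionally listen for heartbeat and state synchronization.
# Ranges are expanded so every port in a range is individually expected.
CLUSTER_EXPECTED: Dict[Socket, str] = {
    **{("udp", p): "SG State Sync (Multicast/Unicast)" for p in range(3000, 3002)},
    **{("tcp", p): "SG Data Sync" for p in (3002, 3003, 3010)},
}

# One `ss -lntu` data line: Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s"
)

# Constructed sample output (not from a real engine): documented listeners,
# one undocumented SSH listener, and no 2746/UDP legacy encapsulation listener.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:67        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:500       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:4500      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:636       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:2543      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:4950      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
"""


def expected_for(cluster_node: bool) -> Dict[Socket, str]:
    """Documented listeners for a Firewall node, plus sync ports if it is a cluster node."""
    expected = dict(FIREWALL_EXPECTED)
    if cluster_node:
        expected.update(CLUSTER_EXPECTED)
    return expected


def parse_ss(output: str) -> Set[Socket]:
    """Return the set of (proto, port) listeners found in `ss -lntu` output."""
    listeners: Set[Socket] = set()
    for line in output.splitlines():
        m = SS_LINE.match(line)
        if m:  # the header line and anything unparseable are skipped
            listeners.add((m.group("proto"), int(m.group("port"))))
    return listeners


def audit(listeners: Set[Socket], expected: Dict[Socket, str]) -> Dict[str, Set[Socket]]:
    """Split observed listeners into documented, unexpected (extra) and missing sets."""
    observed = set(listeners)
    documented_set = set(expected)
    return {
        "documented": observed & documented_set,
        "unexpected": observed - documented_set,
        "missing": documented_set - observed,
    }


if __name__ == "__main__":
    result = audit(parse_ss(SAMPLE_SS_OUTPUT), expected_for(cluster_node=False))
    for category in ("documented", "unexpected", "missing"):
        for proto, port in sorted(result[category]):
            note = FIREWALL_EXPECTED.get((proto, port), "not in the default port table")
            print(f"{category:10s} {port}/{proto.upper():3s}  {note}")
```

On a real node the sample string would be replaced by the output of `ss -lntu`; an "unexpected" entry is what to investigate first, while a "missing" entry is only a finding if the service is in use (2746/UDP, for instance, is only relevant when peering with engine versions 5.1 and lower).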