CB ThreatHunter: What Ports must be opened on the Firewall and Proxy Servers?

Environment

  • CB ThreatHunter Web Console: All Versions
  • CB ThreatHunter Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Question

What ports must be opened on the Firewall or Proxy servers to allow the CB ThreatHunter sensor to communicate with the various CB ThreatHunter services?

Answer

Configure the firewall or proxy to allow outgoing connections to the following Service URL/Hostnames, Protocols, and Ports as determined by your Dashboard URL and configuration:

| Dashboard URL | Service URL/Hostname | Description | Protocol and Port |
| --- | --- | --- | --- |
| Carbon Black Cloud | devices.confer.net | Device Services | TCP/443 (default port), TCP/54443 (backup port) |
| Carbon Black Cloud | dev5.conferdeploy.net | Device Services | TCP/443 (default port), TCP/54443 (backup port) |
| Carbon Black Cloud | dev-prod06.conferdeploy.net | Device Services | TCP/443 (default port), TCP/54443 (backup port) |
| Carbon Black Cloud | dev-prod05.conferdeploy.net | Device Services | TCP/443 (default port), TCP/54443 (backup port) |
| Carbon Black Cloud | dev-prodnrt.conferdeploy.net | Device Services | TCP/443 (default port), TCP/54443 (backup port) |
| N/A | updates2.cdc.carbonblack.io/ | Default Definition Update Server for the Local Scanner (if enabled) | TCP/80 |
| N/A | ocsp.godaddy.com | Online Certificate Status Protocol (OCSP) | TCP/80 |
| N/A | crl.godaddy.com | Certificate Revocation List (CRL) | TCP/80 |

Additional Notes

  • Device Services allow the sensor to upload the latest events from the endpoint, look up the reputation of a new file, or receive a configuration change from the CB ThreatHunter Backend.
  • If the sensor cannot establish connectivity to the Device Services URL over the standard SSL port TCP/443, it will fail over to the alternate port, TCP/54443.
  • The current implementation of the CB ThreatHunter cloud service uses dynamically managed load balancer(s) to provide the best possible scalability, reliability, and performance, so the CB ThreatHunter Device Services hostname can resolve to many possible IP address(es), which will likewise change dynamically. Firewall rules should therefore be based on the hostname rather than on fixed IP addresses. See CB Defense: What’s the static IP address or hostname used by CB Defense? for details.
  • The CB ThreatHunter Sensor relies on the Operating System for dynamic proxy detection. If proxy authentication is required, the user may be prompted for credentials unless proxy exceptions are made for the CB ThreatHunter Services.
  • If "Submit unknown binaries for analysis" is enabled, all traffic goes through CB ThreatHunter Device Services before it is routed to the Predictive Security Cloud (PSC). The PSC uses only one third-party vendor, Avira Operations GmbH & Co. KG (“Avira”), as a subprocessor to assist with the threat analysis. The sensor never communicates directly with Avira, so no additional network changes are required.
  • To determine whether the agent is "onsite" or "offsite", the sensor sends an ICMP echo request to each DNS suffix address to check whether it is reachable. As a result, you may observe outbound connections to your Domain Controllers from the Sensor Service (RepMgr).
  • Some third-party products (e.g. McAfee ePO Gateway) may attempt to validate the CB ThreatHunter server certificate and terminate the connection because of a name mismatch between the certificate issued to the CB ThreatHunter Login URL and the Service that the CB ThreatHunter Sensor is connected to. In this situation, the third-party product must be configured not to validate the domain certificate.
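As an added example (not part of the original article), the following Python script probes every hostname and port from the table above in the same order the sensor uses, TCP/443 first and then TCP/54443 for Device Services, so a FAILOVER verdict tells you the default port is blocked even though the sensor would still connect. The `probe` parameter and the `needs_firewall_rule` helper are assumptions added for offline testing and reporting; in practice only the Device Services hostname for your own dashboard URL needs to pass.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Endpoints from the table above: hostname -> ports in the order the sensor
# tries them. Device Services use TCP/443 first and fail over to TCP/54443.
ENDPOINTS: Dict[str, List[Tuple[int, str]]] = {
    "devices.confer.net": [(443, "default"), (54443, "backup")],
    "dev5.conferdeploy.net": [(443, "default"), (54443, "backup")],
    "dev-prod06.conferdeploy.net": [(443, "default"), (54443, "backup")],
    "dev-prod05.conferdeploy.net": [(443, "default"), (54443, "backup")],
    "dev-prodnrt.conferdeploy.net": [(443, "default"), (54443, "backup")],
    "updates2.cdc.carbonblack.io": [(80, "default")],
    "ocsp.godaddy.com": [(80, "default")],
    "crl.godaddy.com": [(80, "default")],
}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: complete a TCP handshake and close; no application data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # DNS failure, refused, timeout, or blocked by firewall/proxy
        return False


def check_endpoints(probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, str]:
    """Verdict per hostname. `probe` is injectable (an assumption for offline
    testing); the default performs real connections."""
    results: Dict[str, str] = {}
    for host, ports in ENDPOINTS.items():
        verdict = "BLOCKED"
        for port, role in ports:
            if probe(host, port):
                # A hit only on the backup port means TCP/443 is blocked, which is
                # worth fixing even though the sensor will still connect.
                verdict = f"OK TCP/{port}" if role == "default" else f"FAILOVER TCP/{port}"
                break
        results[host] = verdict
    return results


def needs_firewall_rule(results: Dict[str, str]) -> List[Tuple[str, int]]:
    """Hostnames whose default port still has to be opened, with that port."""
    return [(host, ENDPOINTS[host][0][0])
            for host, verdict in results.items() if not verdict.startswith("OK")]


if __name__ == "__main__":
    for host, verdict in check_endpoints().items():
        print(f"{verdict:<20} {host}")
```

Run it from the endpoint's own network position; it tests direct TCP reachability and does not go through a configured proxy, so a proxy-only environment must be checked with the proxy's own logs instead.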

Article Information
Creation Date: 09-09-2020