2019-04-03 11:34 AM
We are currently on v10.6.6.0 and in preparation for the v11 upgrade. Our firewall team validated that all FW ports are open from the SA Head to the downstream servers. However, during telnet testing the ports are still failing (one IP allowed port 15671 in the test). An RSA Support engineer said that these ports cannot be validated while on v10.6.6 and we would need to be on v11 in order to validate these specific ports. I just wanted to make sure this statement is true and valid before the upgrade. Thanks.
2019-04-03 11:38 AM
Hi Dwayne,
This link will provide all the ports required for the 11.x system
https://community.rsa.com/docs/DOC-83050
Thank you
David
David C. Poirier
Principal Engineer Technical Support
RSA the Security Division of EMC
(781) 515-7757
Fax: 781-515-7710
David.Poirier@rsa.com
2019-04-03 11:43 AM
Hi David,
I appreciate the response. However, I have this document and I have the list of ports for v11, but my question is: can these ports be validated if we are on v10.6.6? I was told by RSA that there is no way to validate these ports while still on v10.6.6. So I'm basically left to believe the firewall team has implemented the correct rules and policies, but I did not want to be in the middle of an upgrade and then determine the ports are actually not working. Thanks.
2019-04-03 11:50 AM
Dwayne,
I shared with you Webex recordings during our engagement on how to use the listener Python script to listen on those new ports so you can test your FW rules. Let me know if you need some pointers on how to use that script I provided.
2019-04-03 11:51 AM
Hey Dwayne,
This KB article I think has what you are looking for to test if the ports are open and listening
2019-04-03 11:51 AM
I have a suggestion. It's not ideal, but you can at least tell if communication is going there in the first place.
Firewall rules exist on the box that do not allow for all of those ports, simply because most of the services are not there yet or we have conflicting firewall rules presently. So a curl will come back as a fail.
However, if you run a tcpdump at the same time on the device you are trying to connect to, you should still see something hit it, ideally.
Take the below output. The top capture is from the Head. The bottom is from a Concentrator in the same subnet.
[root@S4S-SA ~]# curl -v telnet://X.X.X.X:4505
* About to connect() to X.X.X.X port 4505 (#0)
* Trying X.X.X.X... No route to host
* couldn't connect to host
* Closing connection #0
curl: (7) couldn't connect to host
[root@S4S-CON ~]# tcpdump -i any port 4505
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
15:40:04.157660 IP puppetmaster.local.40158 > S4S-CON.4505: Flags, seq 2013550665, win 14600, options [mss 1460,sackOK,TS val 3016162374 ecr 0,nop,wscale 7], length 0
Regretfully, this will not help you in the circumstance that your firewall is blocking certain types of traffic. For instance, I had someone yesterday that was allowing only certain parts of traffic on the SSL port. They probably had their firewall set to not accept SSL traffic over unusual ports like 56001 or something.
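The two approaches above (a throwaway listener on the downstream host so the new ports answer before the v11 services exist, and probing from the Head while tcpdump watches the target) can be combined in one small tool. The script below is an added example written for this thread; it is not RSA's listener script, not part of NetWitness, and the ports in DEFAULT_PORTS are only sample values taken from the discussion. The file name fwcheck.py and the hostnames in the usage comments are assumptions. Run `listen` on the Concentrator/Decoder and `check` on the Head: `open` means the rule passes end to end, `refused` means the SYN reached the host and was answered with a RST (the same thing the tcpdump capture above shows, with nothing listening or a host-level REJECT), and `filtered` means the SYN was dropped somewhere in the path.

```python
"""Pre-upgrade firewall rule check: open throwaway TCP listeners on the ports a
future service will use, then probe them from the other side of the firewall.

Added example, not RSA's listener script or any part of the product. Ports in
DEFAULT_PORTS are taken from this thread and are only sample values."""
import socket
import sys
import threading

DEFAULT_PORTS = [4505, 15671]  # sample values; replace with the v11 port list


def start_listener(port, host="0.0.0.0"):
    """Bind a bare TCP listener so a SYN to `port` is answered with SYN/ACK
    even though no real service exists yet. Returns the socket; the caller
    closes it. Use port 0 to let the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.5)  # lets accept() notice when the socket is closed

    def accept_loop():
        while True:
            try:
                conn, _peer = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return  # listener was closed
            conn.close()  # we only care that the handshake completed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def check_port(host, port, timeout=2.0):
    """Classify one TCP connect attempt:
    'open'     - handshake completed (rule passes, listener is up)
    'refused'  - RST came back: the packet reached the host but nothing is
                 listening, or a host firewall REJECTs the port
    'filtered' - timeout or 'No route to host': a firewall in the path (or the
                 host's own iptables DROP) is discarding the SYN"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # socket.timeout and EHOSTUNREACH both land here
        return "filtered"
    finally:
        s.close()


def check_ports(host, ports, timeout=2.0):
    """Probe several ports and return {port: result}."""
    return {p: check_port(host, p, timeout) for p in ports}


def main(argv):
    # listener side (downstream host):  python fwcheck.py listen 4505 15671
    # client side (SA Head):            python fwcheck.py check 10.0.0.5 4505 15671
    if len(argv) >= 2 and argv[0] == "listen":
        socks = [start_listener(int(p)) for p in argv[1:]]
        print("listening on", ", ".join(argv[1:]), "- Ctrl-C to stop")
        try:
            threading.Event().wait()
        except KeyboardInterrupt:
            for s in socks:
                s.close()
    elif len(argv) >= 3 and argv[0] == "check":
        results = check_ports(argv[1], [int(p) for p in argv[2:]])
        for port, result in results.items():
            print(f"{argv[1]}:{port}  {result}")
    else:
        print("usage: fwcheck.py listen PORT... | check HOST PORT...")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Two caveats follow from the thread itself. A `filtered` result cannot tell you whether the network firewall or the appliance's own iptables dropped the SYN, which is exactly why running tcpdump on the target at the same time is still worthwhile: a SYN in the capture with no reply points at the host, no SYN at all points at the network. And because the probe only completes the TCP handshake, it says nothing about a firewall that inspects the protocol and blocks SSL on an unusual port like 56001; that kind of rule only shows up when the real service is talking.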