AlienVault® USM Appliance™

Firewall Permissions

Applies to Product: USM Appliance™ AlienVault OSSIM®

USM Appliance components must use particular URLs, protocols, and ports to function correctly.

Note: If you deploy USM Appliance All-in-One, you only need to open the ports associated with the monitored assets, because All-in-One includes both USM Appliance Server and USM Appliance Sensor, so the communication between them is internal.

If your company operates in a highly secure environment, you must change some permissions on your firewall(s) for USM Appliance to gain access.

External URLs and port numbers used by USM Appliance features

| Server URL | Port Number | AlienVault Features in Use | Applicable Release |
|---|---|---|---|
| data.alienvault.com | 80 | AlienVault product and feed update | All |
| maps-api-ssl.google.com, maps.googleapis.com | 443 | Asset Location | All |
| maps.google.com, maps.gstatic.com | 80 | Asset Location | All |
| messages.alienvault.com | 443 | Message Center | All |
| otx.alienvault.com | 443 | Open Threat Exchange | 5.1+ |
| reputation.alienvault.com | 443 | AlienVault IP Reputation | All |
| telemetry.alienvault.com | 443 | Telemetry Data Collection | All |
| tractorbeam.alienvault.com | 22, 443 | Remote Support | All |
| www.google.com (1) | 80 | AlienVault API | All |
| cdn.walkme.com, playerserver.walkme.com, ec.walkme.com, rapi.walkme.com, papi.walkme.com (2) | None | AlienVault Product Management | 5.4.3+ |

(1) The AlienVault API tries to access www.google.com every five minutes to ensure that the system has an Internet connection.

(2) In v5.4.3, AlienVault added a service called WalkMe to USM Appliance to run surveys and gather product feedback from customers. To view the content, you need to whitelist these domains in your firewall rules.

Terms used in the table:

Asset: An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers.

Message Center: Inbox in the USM Appliance web UI that lists messages announcing the availability of AlienVault product updates, plus other messages such as system errors and warnings.

Remote Support: Secure, encrypted connection to the AlienVault Support Server through the USM Appliance web UI or the console, allowing AlienVault Support staff to access, diagnose, and resolve problems occurring in a USM Appliance instance.
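An egress checklist built from the table above, as an added example that is not part of the AlienVault documentation: it filters the table entries by the installed release (the "Applicable Release" column) and can probe each host:port with a plain TCP connect from the appliance. The release string passed in is an assumption, and the WalkMe row is skipped because the page lists no port for it.

```python
"""Egress checklist derived from the firewall-permissions table (added example, not AlienVault code)."""
import socket

# (hosts, port, feature, minimum release or None for "All").
# The WalkMe row has no port in the table, so it is not listed here.
EGRESS = [
    (["data.alienvault.com"], 80, "product and feed update", None),
    (["maps-api-ssl.google.com", "maps.googleapis.com"], 443, "Asset Location", None),
    (["maps.google.com", "maps.gstatic.com"], 80, "Asset Location", None),
    (["messages.alienvault.com"], 443, "Message Center", None),
    (["otx.alienvault.com"], 443, "Open Threat Exchange", (5, 1)),
    (["reputation.alienvault.com"], 443, "IP Reputation", None),
    (["telemetry.alienvault.com"], 443, "Telemetry Data Collection", None),
    (["tractorbeam.alienvault.com"], 22, "Remote Support", None),
    (["tractorbeam.alienvault.com"], 443, "Remote Support", None),
    (["www.google.com"], 80, "API connectivity probe", None),
]


def parse_version(text):
    """'5.4.3' -> (5, 4, 3); a trailing build tag such as '5.4.3-1' is ignored."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def required_endpoints(release):
    """Return (host, port, feature) tuples that the given USM Appliance release must reach."""
    installed = parse_version(release)
    needed = []
    for hosts, port, feature, minimum in EGRESS:
        # Tuple comparison handles "5.1+" against "5.1", "5.1.0" and "5.4.3" alike.
        if minimum is None or installed >= minimum:
            needed.extend((host, port, feature) for host in hosts)
    return needed


def check_egress(release, timeout=3.0):
    """Attempt a TCP connect to every required endpoint; returns {(host, port): reachable}."""
    results = {}
    for host, port, _feature in required_endpoints(release):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[(host, port)] = True
        except OSError:  # covers DNS failure, refusal and timeout
            results[(host, port)] = False
    return results


if __name__ == "__main__":
    # Assumed release string; run this on the appliance to see which rules are still blocked.
    for (host, port), ok in check_egress("5.4.3").items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port}")
```

A FAIL line for tractorbeam.alienvault.com:22 with everything else passing is the typical sign of an egress policy that allows web traffic but not SSH.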

The following diagram shows the port numbers used by the USM Appliance components to communicate with each other and with the monitored assets. The direction of the arrows indicates the direction of the network traffic.

[Diagram: Port numbers used between USM Appliance components]

Important: Ports labeled with * are optional.

  • On the hosts where you plan to deploy AlienVault HIDS agents, you must open TCP port 139 and TCP port 445 (inbound) to allow for initial deployment, and UDP port 1514 (outbound) for ongoing communication between the HIDS agent and the USM Appliance Sensor. For assistance with deployment, see Deploy AlienVault HIDS Agents.
  • To use SNMP in USM Appliance, you need to open UDP port 161 on the SNMP agent and UDP port 162 on the USM Appliance Sensor. For more details, see SNMP Configuration in USM Appliance.

About the Use of VPN

Port 33800 shown in the diagram is the default and is only used when VPN is enabled. You may use a different port for VPN, if desired.

Note: When enabling the VPN, you do not need to open the other ports between the USM Appliance Sensor and the USM Appliance Server, because all communication goes through the VPN tunnel.

If you enable VPN, in addition to having port 33800/TCP open for the VPN tunnel, you also need to allow TLS transport on that port if you use a firewall or security device that performs inspection or interception of TLS traffic.