Depending on your deployment and configuration choices, the Ethernet ports on the NIOS appliance perform different functions. The Ethernet ports that handle traffic on the NIOS appliance are as follows:
...
VLANs and VLAN tagging are supported on both IPv4 and IPv6 transports. This feature is currently supported on the following Infoblox appliances: Trinzic 1410, 1415, 1420, 1425, 2210, 2215, 2220, 2225, Infoblox-4010, Infoblox-4030-Rev1, Infoblox-4030-Rev2, Infoblox-4030-10G, PT-1400, PT-1405, PT-2200, PT-2205, PT-4000, PT-4000-10GE, TE-1410, TE-1420, TE-1415, and TE-1425. VLAN tagging is not supported on TE-100, TE-810, TE-815, TE-820, and TE-825. For more information about VLAN support for an Infoblox-4030 appliance, refer to the DNS Cache Acceleration Application Guide. For information about these appliances, refer to the respective installation guides on the Infoblox Support web site at http://www.infoblox.com/support.
Currently, only the DNS service can listen on specific VLAN interfaces. The DHCP service listens only on the primary VLAN interface (tagged or untagged). You can also specify VLANs as the source port for sending DNS queries and notify messages. For information about how to configure these, see Specifying Port Settings for DNS.
Additional VLAN support is available exclusively for discovery on the following Network Insight appliances: ND-1400, ND-1405, ND-2200, ND-2205, ND-4000, ND-V1400, ND-V1405, ND-V2200, and ND-V2205. Binding other services on the VLAN interfaces of the Network Insight appliances is not supported.
...
- From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box, and then click the Edit icon.
- In the Network tab -> Basic tab of the Grid Member Properties editor, complete the following:
- DSCP Value: Click Override, and then enter a value from 0 to 63. The default is 0 and it represents the lowest priority.
- Save the configuration.
You can override the Grid and member DSCP value at the interface level. For more information, see the following:
...
This section provides tables that detail the port usage and source and destination ports for different services, depending on your Grid configuration.
The table below displays the type of traffic per port for both Grid and independent deployments. For a more detailed list of the different types of traffic, see the Sources and Destinations for Services table.
Table 8.3 Appliance Roles and Configuration, Communication Types, and Port Usage
...
To see the service port numbers and the source and destination locations for traffic that can go to and from a NIOS appliance, see the Sources and Destinations for Services table. This information is particularly useful for firewall administrators so that they can set policies to allow traffic to pass through the firewall as required.
...
Service | SRC IP | DST IP | Protocol | SRC Port | DST Port | Notes |
---|---|---|---|---|---|---|
Key Exchange (Member Connection) | LAN1 or MGMT on all Grid members (including Grid Master and Grid Master Candidate); VIP on HA Grid Master Candidate, or LAN1 on single Grid Master Candidate | VIP on HA Grid Master, or LAN1 on single Grid Master; VIP on HA Grid Master Candidate, or LAN1 on single Grid Master Candidate | 17 UDP | 2114 | 2114 | Initial key exchange for establishing VPN tunnels. Required for Grid. |
Key Exchange (Grid Master Candidate Promotion) | VIP on HA Grid Master, or LAN1 on single Grid Master | LAN1 or MGMT on all Grid members (including Grid Master and Grid Master Candidate) | 17 UDP | 2114 | 2114 | |
Accounting | LAN1 or MGMT on Grid member | VIP on HA Grid Master, or LAN1 on single Grid Master; VIP on HA Grid Master Candidate, or LAN1 on single Grid Master Candidate | 17 UDP | 1194 or 5002, or 1024 → 63999 | 1194 or 5002, or 1024 → 63999 | The default VPN port is 1194 for Grids with new DNSone 3.2 installations and 5002 for Grids upgraded to DNSone 3.2; the port number is configurable. Required for Grid. |
Network Insight VPN | LAN1 or LAN2 on Probes | LAN1 or LAN2 on Consolidator | 17 UDP | 1194 | 1194 | All default VPN tunnels for Network Insight |
Discovery | LAN1 or LAN2 on Probes | | 17 UDP | | 161 | SNMP |
Discovery | LAN1 or LAN2 on Probes | | 17 UDP | | 260 | SNMP; needed for full discovery of some older Check Point models |
Discovery | LAN1 or LAN2 on Probes | | 1 ICMP | n/a | n/a | Ping sweep |
Discovery | LAN1 or LAN2 on Probes | | 17 UDP, 6 TCP | | 53 | DNS |
Discovery | LAN1 or LAN2 on Probes | | 1 ICMP | | | Path collection, for IPv4 addresses |
Discovery | LAN1 or LAN2 on Probes | | 17 UDP | | 33434+1 | Path collection; standard traceroute, for IPv6 addresses |
Discovery | LAN1 or LAN2 | | 1 ICMP, 17 UDP, 6 TCP | | | Port scan; all ports as configured |
Discovery | LAN1 or LAN2 on Probes | | 17 UDP | | 137 | NetBIOS |
Discovery | LAN1 or LAN2 on Probes | | 17 UDP | | 40125 | NMAP, UDP ping, and credential checking |
Discovery | LAN1 or LAN2 | | 6 TCP | | 23 | Telnet can be used, depending on the Network Insight configuration for Network Discovery |
Discovery | LAN1 or LAN2 | | 6 TCP | | 22 | SSH can be used, depending on the Network Insight configuration for Network Discovery |
DHCP | Client | LAN1, LAN2, VIP, or broadcast on NIOS appliance | 17 UDP | 68 | 67 | Required for IPv4 DHCP service |
DHCP | LAN1, LAN2, or VIP on NIOS appliance | Client | 17 UDP | 67 | 68 | Required for IPv4 DHCP service |
DHCP | Client | LAN1, LAN2, VIP, or broadcast on NIOS appliance | 17 UDP | 546 | 547 | Required for IPv6 DHCP service |
DHCP | LAN1, LAN2, or VIP on NIOS appliance | Client | 17 UDP | 547 | 546 | Required for IPv6 DHCP service |
DHCP Failover | LAN1, LAN2, or VIP on Infoblox DHCP failover peer | LAN1, LAN2, or VIP on Infoblox DHCP failover peer | 6 TCP | 1024 → 65535 | 519 or 647 | Required for DHCP failover |
DHCP Failover | VIP on HA Grid Master, or LAN1 or LAN2 on single master | LAN1, LAN2, or VIP on Grid member in a DHCP failover pair | 6 TCP | 1024 → | 7911 | Informs the functioning Grid member in a DHCP failover pair that its partner is down. Required for DHCP failover. |
DDNS Updates | LAN1, LAN2, or VIP | LAN1, LAN2, or VIP | 17 UDP | 1024 → 65535 | 53 | Required for DHCP to send DNS dynamic updates |
DNS Transfers | LAN1, LAN2, VIP, or MGMT, or client | LAN1, LAN2, VIP, or MGMT | 6 TCP | 53, or | 53 | For DNS zone transfers, large client queries, and for Grid members to communicate with external name servers. Required for DNS. |
DNS Queries | Client | LAN1, LAN2, VIP, or broadcast on NIOS appliance | 17 UDP | 53, or 1024 → 65535 | 53 | For DNS queries. Required for DNS. |
DNS Queries | Client | LAN1, LAN2, VIP, or broadcast on NIOS appliance | 6 TCP | 53, or 1024 → 65535 | 53 | For DNS queries. Required for DNS. |
NTP | NTP client | LAN1, LAN2, VIP, or MGMT | 17 UDP | 1024 → | 123 | Required if the NIOS appliance is an NTP server |
NTP | NTP client | LAN1, LAN2, VIP, or MGMT | 17 UDP | 1024 → | 123 | Required if the NIOS appliance is an NTP server. On an HA member, the NTP service runs on the active node. If there is an HA failover, the NTP service is automatically launched after the passive node becomes active, and the NTP traffic uses the LAN2, VIP, or MGMT port on one of the nodes of the HA pair instead of the LAN1 port. During another HA failover, the currently passive node becomes active again, the NTP traffic uses the LAN1 port, and NTP is back in synchronization. |
RADIUS Authentication | NAS (network access server) | LAN1 or VIP | 17 UDP | 1024 → 65535 | 1812 | For proxying RADIUS Authentication-Requests. The default destination port number is 1812 and can be changed to 1024–63997. When configuring an HA pair, ensure that you provision both LAN IP addresses on the RADIUS server. |
RADIUS Accounting | NAS (network access server) | LAN1 or VIP | 17 UDP | 1024 → 65535 | 1813 | For proxying RADIUS Accounting-Requests. The default destination port number is 1813 and can be changed to 1024–63998. |
RADIUS Proxy | LAN1 or VIP | RADIUS home server | 17 UDP | 1814 | 1024 → | Required to proxy requests from RADIUS clients to servers. The default source port number is 1814; it is not configurable and is always two greater than the port number for RADIUS authentication. |
ICMP Dst Port Unreachable | VIP, LAN1, LAN2, or MGMT, | LAN1, LAN2, or | 1 ICMP | – | – | Required to respond to the UNIX-based traceroute tool to determine whether a destination has been reached |
ICMP Echo Reply | VIP, LAN1, LAN2, or MGMT, or client | VIP, LAN1, LAN2, or MGMT, or client | 1 ICMP Type 0 | – | – | Required for the response to an ICMP echo request (ping) |
ICMP Echo Request | VIP, LAN1, LAN2, or MGMT, | VIP, LAN1, LAN2, or | 1 ICMP | – | – | Required to send pings and respond to the Windows- |
ICMP TTL | Gateway device (router or firewall) | Windows client | 1 ICMP | – | – | The gateway sends an ICMP TTL exceeded message to a Windows client, which then records router hops along a data path |
NTP | LAN1 on active node of Grid Master, or LAN1 of independent appliance | NTP server | 17 UDP | 1024 → | 123 | Required to synchronize Grid, TSIG authentication, and DHCP failover. Optional for synchronizing logs among multiple appliances. |
SMTP | LAN1, LAN2, or VIP | Mail server | 6 TCP | 1024 → 65535 | 25 | Required if SMTP alerts are enabled |
SNMP | NMS (network management system) server | VIP, LAN1, LAN2, or MGMT | 17 UDP | 1024 → 65535 | 161 | Required for SNMP management |
SNMP Traps | MGMT or LAN1 on Grid Master or HA pair, or LAN1 on independent appliance | NMS server | 17 UDP | 1024 → 65535 | 162 | Required for SNMP trap management |
SSHv2 | Client | LAN1, LAN2, VIP, or MGMT on NIOS | 6 TCP | 1024 → | 22 | Administrators can make an SSHv2 connection to the LAN1, LAN2, VIP, or MGMT port. Optional for management. |
Syslog | LAN1, LAN2, or MGMT of NIOS appliance | Syslog server | 17 UDP | 1024 → 65535 | 514 | Required for remote syslog logging |
Traceroute | LAN1, LAN2, or UNIX-based appliance | VIP, LAN1, LAN2, or MGMT, or client | 17 UDP | 1024 → 65535 | 33000 → 65535 | The NIOS appliance responds with ICMP type 3 (port unreachable) |
TFTP Data | LAN1 or MGMT | TFTP server | 17 UDP | 1024 → 65535 | 69, then 1024 → 63999 | For contacting a TFTP server during database and configuration backup and restore operations |
VRRP | HA IP on the active node of HA pair | Multicast address 224.0.0.18 | 112 | 802 | – | For periodic announcements of the availability of the HA node that is linked to the VIP. The nodes in the HA pair must be in the same subnet. |
HTTP | Management System | VIP, LAN1, or MGMT | 6 TCP | 1024 → | 80 | Required if the HTTP-redirect option is set on the Grid properties security page |
HTTPS/SSL | Management System | VIP, LAN1, or MGMT | 6 TCP | 1024 → 65535 | 443 | Required for administration through the GUI |
Reporting | Reporting Forwarders | LAN1, LAN2, or MGMT on the indexer | 6 TCP | 1024 → | 9997 | Required for the reporting service. Communication is unidirectional, from forwarders to the indexer: a forwarder detects events and forwards them to the indexer. |
Reporting - Peer Replication | All Reporting Members | LAN1, LAN2, or MGMT on each reporting member | 6 TCP | 1024 → 65535 | 7887 | Splunk cluster peer replication (traffic among reporting members) |
Distributed Search | All Reporting Members | LAN1, LAN2, or MGMT on each reporting member | 6 TCP | 1024 → 65535 | 7089 | Distributed searches from the Search Head to Reporting Members |
Reporting Management | All Reporting Members | LAN1, LAN2, or MGMT on each reporting member | 6 TCP | 1024 → 65535 | 8089 | Grid Master to reporting members |
Reporting Management | All Reporting Members | LAN1, LAN2, or MGMT on each reporting member | 6 TCP (IPv4) | 1024 → 65535 | 8000 | Grid Master to reporting members |
Reporting Management | All Reporting Members | LAN1, LAN2, or MGMT on each reporting member | 6 TCP (IPv6) | 1024 → 65535 | 8000 | Grid Master to reporting members |
Threat Protection | VIP on HA Grid Master, or MGMT on single appliance (with the threat protection service running) | N/A (using FQDN https://ts.infoblox.cocom) | 6 TCP (HTTPS) | N/A | 443 | For threat protection rule updates |
Threat Insight | Client | N/A (using FQDN https://ts.infoblox.cocom) | 6 TCP (HTTPS) | N/A | 443 | For downloading module set and whitelist updates |
Microsoft Management | Managing Member | Microsoft Server | 6 TCP | 1024 → 65535 | 135 and 445, plus the dynamic port range 49152–65535 (Windows Server 2008) | TCP ports 135 and 445 must be open on the Microsoft server in addition to the dynamic port range. Ports 135 and 445 are used by the port mapper interface, a service on the Microsoft server that tells clients which port to use to connect to a specific service, such as the service that allows management of the DNS service. |
DNS Forwarding to BloxOne Threat Defense Cloud: Cloud Services Portal | NIOS Appliance | BloxOne Threat Defense Cloud | 6 TCP | 443 | 443 | |
DNS Forwarding to BloxOne Threat Defense Cloud: Platform Management | NIOS Appliance | BloxOne Threat Defense Cloud | 6 TCP | 443 | 443 | |
DNS Forwarding to BloxOne Threat Defense Cloud: Application Management | NIOS Appliance | BloxOne Threat Defense Cloud | 6 TCP | 443 | 443 | |
DNS Forwarding to BloxOne Threat Defense Cloud: NTP Server (only if time sync with ESXi is disabled) | NIOS Appliance | BloxOne Threat Defense Cloud | 17 UDP | 123 | 123 | |
DNS Forwarding to BloxOne Threat Defense Cloud: BloxOne Threat Defense Cloud DNS server | NIOS Appliance | BloxOne Threat Defense Cloud | 17 UDP | 123 | 123 | 52.119.40.100 |
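The table above is what a firewall administrator works from: only the flows that the enabled features need should be open toward a Grid member, and anything else is a candidate to close. The script below is an added example, not Infoblox code or part of this guide: it transcribes a subset of the inbound rows (destination = the NIOS member), derives the minimal nftables allow-list for a given set of enabled features, and audits an existing allow-list for missing and unjustified ports. The feature labels ("grid", "dns", "dhcp", "dhcp-failover", "mgmt"), the member IP, and the nftables rule rendering are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    service: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    needed_by: str   # assumed feature label whose enablement requires this flow


# Inbound flows toward a NIOS Grid member, transcribed from the table above.
# Only the destination port matters for an inbound allow rule; the table gives
# source ports as ephemeral (1024 and up) or as the peer's fixed port.
TABLE = (
    Flow("Key Exchange (Member Connection)", "udp", 2114, "grid"),
    Flow("Accounting (Grid VPN, default port)", "udp", 1194, "grid"),
    Flow("DNS Queries", "udp", 53, "dns"),
    Flow("DNS Queries / DNS Transfers", "tcp", 53, "dns"),
    Flow("DHCP (IPv4)", "udp", 67, "dhcp"),
    Flow("DHCP (IPv6)", "udp", 547, "dhcp"),
    Flow("DHCP Failover", "tcp", 519, "dhcp-failover"),
    Flow("DHCP Failover", "tcp", 647, "dhcp-failover"),
    Flow("DHCP Failover partner-down notice", "tcp", 7911, "dhcp-failover"),
    Flow("SSHv2", "tcp", 22, "mgmt"),
    Flow("HTTPS/SSL", "tcp", 443, "mgmt"),
)


def required_flows(enabled):
    """Flows the firewall must permit for the given set of enabled features."""
    return [f for f in TABLE if f.needed_by in enabled]


def nft_rules(enabled, member_ip):
    """Render one nftables accept rule per (proto, dst port). The chain is
    assumed to have a drop policy, so every port not listed stays closed."""
    pairs = sorted({(f.proto, f.dst_port) for f in required_flows(enabled)})
    return [f"ip daddr {member_ip} {proto} dport {port} accept" for proto, port in pairs]


def audit_policy(enabled, allowed):
    """Compare an existing allow-list, a set of (proto, port), with the table.
    Returns (missing, excess): ports an enabled feature needs but the policy
    lacks, and allowed ports that no enabled feature justifies (close them)."""
    need = {(f.proto, f.dst_port) for f in required_flows(enabled)}
    allowed = set(allowed)
    return sorted(need - allowed), sorted(allowed - need)


if __name__ == "__main__":
    print("\n".join(nft_rules({"grid", "dns", "mgmt"}, "192.0.2.10")))  # 192.0.2.10 is a constructed address
    print(audit_policy({"grid", "dns"}, {("udp", 2114), ("udp", 1194), ("udp", 53), ("tcp", 7911)}))
```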
...