Firewall Considerations
When setting up your OT Security system, map out the ports that must be open for the Tenable system to operate correctly. The following tables list the ports to reserve for the OT Security ICP and OT Security Sensors, the ports needed to run Active Queries, and the ports used for integration with Tenable Vulnerability Management and Tenable Security Center.
OT Security Core Platform
The following ports should remain open for communication with the OT Security Core Platform.
Flow Direction | Port | Communicates With | Purpose |
---|---|---|---|
Inbound | TCP 443 and TCP 28304 | OT Sensor | Sensor authentication, pairing, and receiving sensor information. |
Inbound | TCP 8000 | Web interface for Tenable Core | Browser access to Tenable Core |
Inbound | TCP 28304 | ICP / OT Security | Sensor communication |
Inbound | TCP 22 | Appliance for SSH Access | Command line access to OS or appliance |
Outbound | TCP 443 | Tenable Security Center | Sends data for integration |
Outbound* | TCP 443 | cloud.tenable.com | Sends data for integration |
Outbound* | Various Industrial protocols | PLCs/controllers | Active query |
Outbound* | TCP 25 or 587 | Email server for alerts | SMTP (alert emails, reports) |
Outbound* | UDP 514 | Syslog server | Sends policy event alerts and syslog messages |
Outbound* | UDP 53 | DNS server | Name Resolution |
Outbound* | UDP 123 | NTP server | Time service |
Outbound* | TCP 389 or 636 | AD server | AD LDAP authentication |
Outbound* | TCP 443 | SAML Provider | Single Sign On |
Outbound* | UDP 161 | SNMP Server | SNMP monitoring to Tenable Core |
Outbound* | TCP 443 | *.tenable.com, *.nessus.org | Automatic plugin, application, and OS updates** |
Outbound | TCP 10146 (secure port) | IoT Connector | Connects ICP to IoT connector agent |
*Optional services
**Offline procedure available
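As an added example (not Tenable's code), the following Python turns the Core Platform rows above into nftables allow rules, keeping the asterisked optional services closed unless explicitly requested; the spec parser also handles forms such as "UDP/TCP 44818" from the Active Query table. The table name `otsec` and the address `ICP_ADDR` are placeholders to replace with your own values.

```python
import re

# Rows from the Core Platform table above: (direction, port spec as printed, optional?)
CORE_PLATFORM_ROWS = [
    ("Inbound", "TCP 443 and TCP 28304", False),  # sensor pairing and data
    ("Inbound", "TCP 8000", False),               # Tenable Core web UI
    ("Inbound", "TCP 22", False),                 # SSH to the appliance
    ("Outbound", "TCP 443", False),               # Tenable Security Center
    ("Outbound", "TCP 25 or 587", True),          # SMTP alerts
    ("Outbound", "UDP 514", True),                # syslog
    ("Outbound", "UDP 53", True),                 # DNS
    ("Outbound", "UDP 123", True),                # NTP
    ("Outbound", "TCP 389 or 636", True),         # AD LDAP / LDAPS
    ("Outbound", "TCP 10146", False),             # IoT connector agent
]

# One or two protocols ("TCP", "UDP/TCP") followed by a port number.
SPEC_RE = re.compile(r"(TCP|UDP)(?:/(TCP|UDP))?\s+(\d+)$", re.I)

def parse_port_spec(spec):
    """Expand 'TCP 25 or 587' or 'UDP/TCP 44818' into (protocol, port) pairs.
    A bare number after 'or'/'and' inherits the preceding protocol; anything
    else (e.g. 'Various Industrial protocols') is rejected, never guessed."""
    pairs, protos = [], ["tcp"]
    for token in re.split(r"\s+(?:and|or)\s+", spec.strip(), flags=re.I):
        m = SPEC_RE.match(token)
        if m:
            protos = [p.lower() for p in m.groups()[:2] if p]
            port = int(m.group(3))
        elif token.isdigit():
            port = int(token)
        else:
            raise ValueError(f"unrecognised port spec: {spec!r}")
        pairs.extend((p, port) for p in protos)
    return pairs

def nft_rules(rows, icp_addr="ICP_ADDR", include_optional=False):
    """Emit one nft 'add rule' command per protocol/port; asterisked (optional)
    rows stay closed unless include_optional is set. 'inet otsec' and ICP_ADDR
    are placeholders for your own table name and ICP address."""
    rules = []
    for direction, spec, optional in rows:
        if optional and not include_optional:
            continue
        chain, field = ("input", "daddr") if direction == "Inbound" else ("output", "saddr")
        for proto, port in parse_port_spec(spec):
            rules.append(f"add rule inet otsec {chain} ip {field} {icp_addr} "
                         f"{proto} dport {port} accept")
    return rules
```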
OT Security Sensors
The following ports should remain open for communication with OT Security Sensors.
Flow Direction | Port | Communicates With | Purpose |
---|---|---|---|
Inbound | TCP 8000 | Web interface | Browser access to user GUI |
Inbound | TCP 22 | Appliance for SSH Access | Command line access to OS or appliance |
Outbound* | TCP 25 | Email server for alerts | SMTP (alert emails, reports) |
Outbound* | UDP 53 | DNS server | Name Resolution |
Outbound* | UDP 123 | NTP server | Time service |
Outbound* | UDP 161 | SNMP Server | SNMP monitoring to Tenable Core |
Outbound | TCP 28303 | ICP / OT Security (sent from sensor, received on ICP / OT Security) | Unauthenticated / passive-only sensor connection |
Outbound | TCP 443 and TCP 28304 | ICP / OT Security (sent from sensor, received on ICP / OT Security) | Authenticated / secure tunnel between sensor and ICP |
*Optional services
Active Query
The following ports should remain open to run Active Queries.
Flow Direction | Port | Communicates With | Purpose |
---|---|---|---|
Outbound | TCP 80 | OT Devices | HTTP fingerprinting |
Outbound | TCP 102 | OT Devices | S7/S7+ protocol |
Outbound | TCP 443 | OT Devices | HTTPS fingerprinting |
Outbound | TCP 445 | OT Devices | WMI queries |
Outbound | TCP 502 | OT Devices | Modbus protocol |
Outbound | TCP 5432 | OT Devices | PostgreSQL queries |
Outbound | UDP/TCP 44818 | OT Devices | CIP protocol |
Outbound | TCP/UDP 53 | OT Devices | DNS |
Outbound | ICMP | OT Devices | Asset Discovery |
Outbound | UDP 161 | OT Devices | SNMP queries |
Outbound | UDP 137 | OT Devices | NBNS queries |
Outbound | UDP 138 | OT Devices | NetBIOS queries |
OT Security Integrations
The following ports should remain open for communication with the Tenable Vulnerability Management and Tenable Security Center Integrations.
Flow Direction | Port | Communicates With | Purpose |
---|---|---|---|
Outbound | TCP 443 | cloud.tenable.com | Tenable Vulnerability Management Integration |
Outbound | TCP 443 | Tenable Security Center | Tenable Security Center Integration |
Identification and Details Query
You can use the following ports for Identification and Details queries:
Port | Port Name |
---|---|
21 | FTP |
80 | HTTP |
102 | Step-7 / S7+ |
111 | Emerson OVATION |
135 | WMI |
161 | SNMP |
443 | HTTPS |
502 | MODBUS / MMS |
1911 | Niagara FOX |
2001 | Profibus |
2222 | PCCC_AB-ETH |
2404 | IEC 60870-5 |
3500 | Bachmann |
4000 | Emerson ROC |
4911 | Niagara FOX TLS |
5002 | Mitsubishi MELSEC |
5007 | Mitsubishi MELSEC |
5432 | PSQL / SEL |
18245 | SRTP |
20000 | DNP3 |
20256 | PCOM |
44818 | EthernetIP / CIP |
47808 | BACNET (udp) |
48898 | ADS |
55553 | Honeywell CEE |
55565 | Honeywell FTE |