Firewall Considerations
In setting up your OT Security system, it is important to map out the ports that must be open for the Tenable system to operate correctly. The following tables list the ports to open for the OT Security ICP and OT Security Sensors, the ports needed for running Active Queries, and the ports needed for integration with Tenable Vulnerability Management and Tenable Security Center. Treat every table as an allowlist: open the listed ports only between the named endpoints, and keep everything else closed.
OT Security Core Platform
The following ports should remain open for communication with the OT Security Core Platform.
Flow Direction | Port | Communicates With | Purpose |
---|---|---|---|
Inbound | TCP 443 | Web interface for OT Security Appliance | Browser access to OT Security |
Inbound | TCP 8000 | Web interface for Tenable Core | Browser access to Tenable Core |
Inbound | TCP 443 and TCP 28304 | OT Sensor | Sensor authentication, pairing, and receiving sensor information. |
Outbound | TCP 443 and TCP 28305 | OT Security EM | ICP and EM pairing |
Inbound | TCP 22 | Appliance for SSH Access | Command line access to OS or appliance |
Outbound | TCP 443 | Tenable Security Center | Sends data for integration |
Outbound* | TCP 443 | cloud.tenable.com | Sends data for integration |
Outbound* | Various Industrial protocols | PLCs/controllers | Active query |
Outbound* | TCP 25 or 587 | Email server for alerts | SMTP (alert emails, reports) |
Outbound* | UDP 514 | Syslog server | Sends policy event alerts and syslog messages |
Outbound* | UDP 53 | DNS server | Name Resolution |
Outbound* | UDP 123 | NTP server | Time service |
Outbound* | TCP 389 or 636 | AD server | AD LDAP authentication |
Outbound* | TCP 443 | SAML Provider | Single Sign On |
Outbound* | UDP 161 | SNMP Server | SNMP monitoring to Tenable Core |
Outbound* | TCP 443 | *.tenable.com, *.nessus.org | Automatic plugin, application, and OS updates** |
Outbound | TCP 10146 (secure port) | IoT Connector | Connects ICP to IoT connector agent |
*Optional services
**Offline procedure available
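The Core Platform table translates directly into a default-deny host or perimeter policy. The following script is an added example (it is not part of OT Security or Tenable Core): it transcribes the rows above into data and renders an nftables ruleset with drop-by-default input and output chains, one accept per row, with optional (*) rows left out unless you ask for them. The peer addresses in PEERS are placeholders you must replace with your own management subnet, sensor subnet, EM, servers and so on; the update hosts are wildcards in the table and cannot be expressed as an nftables address, so that row is a placeholder until you resolve it to addresses, a proxy, or the offline procedure.

```python
"""Render the OT Security Core Platform port table as an nftables ruleset.

Added example, not Tenable tooling. Rows are transcribed from the Core
Platform table; PEERS holds placeholder addresses (assumption) that must be
replaced with real values before the output is loaded with `nft -f`.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    direction: str          # "in" (to the ICP) or "out" (from the ICP)
    proto: str              # "tcp" or "udp"
    ports: tuple            # one or more destination ports
    peer: str               # key into PEERS (who the ICP talks to)
    purpose: str
    optional: bool = False  # rows marked * in the table


# Transcribed from the table above. Industrial protocols for Active Query are
# omitted here: they depend on which controllers you query (see that table).
CORE_PLATFORM = (
    PortRule("in",  "tcp", (443,),       "admins",  "OT Security web UI"),
    PortRule("in",  "tcp", (8000,),      "admins",  "Tenable Core web UI"),
    PortRule("in",  "tcp", (22,),        "admins",  "SSH to appliance"),
    PortRule("in",  "tcp", (443, 28304), "sensors", "sensor pairing and tunnel"),
    PortRule("out", "tcp", (443, 28305), "em",      "ICP to EM pairing"),
    PortRule("out", "tcp", (443,),       "tsc",     "Tenable Security Center"),
    PortRule("out", "tcp", (443,),       "cloud",   "cloud.tenable.com", True),
    PortRule("out", "tcp", (25, 587),    "smtp",    "alert e-mail", True),
    PortRule("out", "udp", (514,),       "syslog",  "syslog", True),
    PortRule("out", "udp", (53,),        "dns",     "DNS", True),
    PortRule("out", "udp", (123,),       "ntp",     "NTP", True),
    PortRule("out", "tcp", (389, 636),   "ad",      "AD LDAP / LDAPS", True),
    PortRule("out", "tcp", (443,),       "saml",    "SAML provider", True),
    PortRule("out", "udp", (161,),       "snmp",    "SNMP server", True),
    PortRule("out", "tcp", (443,),       "updates", "plugin/app/OS updates", True),
    PortRule("out", "tcp", (10146,),     "iot",     "IoT connector agent"),
)

# Placeholder addresses (assumption): replace with your own environment.
PEERS = {
    "admins": "10.10.0.0/24", "sensors": "10.20.0.0/24", "em": "10.30.0.5",
    "tsc": "10.30.0.6", "cloud": "192.0.2.10", "smtp": "10.30.0.25",
    "syslog": "10.30.0.14", "dns": "10.30.0.53", "ntp": "10.30.0.123",
    "ad": "10.30.0.89", "saml": "10.30.0.90", "snmp": "10.30.0.161",
    "updates": "192.0.2.20",  # *.tenable.com / *.nessus.org: resolve or use a proxy
    "iot": "10.40.0.7",
}


def nft_ruleset(rules, peers, include_optional=False):
    """Return nftables text with default-drop input/output chains.

    Raises KeyError when a required row has no peer address configured, so a
    half-filled PEERS map cannot silently produce a ruleset that blocks traffic.
    """
    inbound, outbound = [], []
    for r in rules:
        if r.optional and not include_optional:
            continue
        if r.peer not in peers:
            raise KeyError(f"no address for peer '{r.peer}' ({r.purpose})")
        ports = ", ".join(str(p) for p in r.ports)
        dport = f"{{ {ports} }}" if len(r.ports) > 1 else ports
        if r.direction == "in":
            inbound.append(f"    ip saddr {peers[r.peer]} {r.proto} dport {dport} accept  # {r.purpose}")
        else:
            outbound.append(f"    ip daddr {peers[r.peer]} {r.proto} dport {dport} accept  # {r.purpose}")
    return "\n".join([
        "table inet otsec {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        *inbound,
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    ct state established,related accept",
        "    oif lo accept",
        *outbound,
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(nft_ruleset(CORE_PLATFORM, PEERS, include_optional=True))
```

The inbound rows (TCP 22, 443, 8000) are scoped to a management subnet rather than left open to the plant network; the sensor rule is scoped to the sensor subnet. Run with `include_optional=True` only after every optional service you actually use has a real address.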
OT Security Sensors
The following ports should remain open for communication with OT Security Sensors.
Flow Direction | Port | Communicates With | Purpose |
---|---|---|---|
Inbound | TCP 8000 | Web interface | Browser access to user GUI |
Inbound | TCP 22 | Appliance for SSH Access | Command line access to OS or appliance |
Outbound* | TCP 25 | Email server for alerts | SMTP (alert emails, reports) |
Outbound* | UDP 53 | DNS server | Name Resolution |
Outbound* | UDP 123 | NTP server | Time service |
Outbound* | UDP 161 | SNMP Server | SNMP monitoring to Tenable Core |
Outbound | TCP 28303 | ICP / OT Security | Unauthenticated, passive-only sensor connection (sensor sends, ICP / OT Security receives) |
Outbound | TCP 443 and TCP 28304 | ICP / OT Security | Authenticated, secure tunnel between sensor and ICP (sensor sends, ICP / OT Security receives) |
*Optional services
Active Query
The following ports must remain open to use Active Queries.
Note: OT Security supports queries across these protocols, but not all of them apply to every environment. For optimal results, open as many of the listed ports as possible between OT Security (or the OT Security sensors) and the devices you intend to query; this enables accurate identification and querying. Scope these rules to the ICP and sensor source addresses so that the query ports are not opened to the wider network.
Protocol | Port | Communicates With | Purpose |
---|---|---|---|
ICMP | N/A (no port) | Generic / Various | Network-level asset discovery / ping |
TCP | 21 | Generic / Various | FTP file transfer |
TCP / UDP | 53 | DNS Servers | Domain Name System (DNS) resolution queries |
TCP | 80 | Generic / Various | HTTP fingerprinting and web interface access |
TCP | 102 | Siemens Devices | S7 / S7+ and Manufacturing Message Specification (MMS, overlaps IEC 61850) for automation, substation and SCADA devices |
UDP | 111 | Emerson Ovation Devices | RPC service registration / discovery for Ovation |
TCP | 135 | Windows Devices | WMI queries for system and network management |
UDP | 137 | Generic / Various | NetBIOS Name Service (NBNS) for Windows network discovery |
UDP | 138 | Generic / Various | NetBIOS Datagram Service (NBT) for Windows file / printer sharing |
UDP | 161 | Generic / Various | SNMP polling and trap communication |
TCP | 443 | Generic / Various | HTTPS fingerprinting and secure web services |
TCP | 445 | Windows Devices | WMI / SMB queries for system management (replaces 135 for some cases) |
TCP | 502 | OT Devices | Modbus TCP communication with PLCs and meters |
UDP | 1069 | Cognex Cameras | Cognex Vision system discovery protocol |
TCP | 1911 | BMS Controllers | Niagara FOX unencrypted protocol |
TCP | 1962 | Phoenix Contact Devices | PC Worx engineering and control communication |
TCP / UDP | 2001 | Profinet Devices | Profinet device communication for controllers and I/O modules |
TCP | 2001 | Siemens Devices | SICAM / PROFINET (legacy and substation devices) |
TCP | 2222 | Rockwell Devices | PCCC protocol for ControlLogix/PLC communications |
TCP | 2404 | SCADA Devices | IEC 60870-5-104 for RTU and substation communications |
TCP | 3389 | Windows Devices | RDP (Remote Desktop Protocol) |
TCP | 3500 | Bachmann M1 Devices | Bachmann M1 controller communication |
TCP | 4000 | Emerson Devices | Emerson ROC 4000 controller data/control |
TCP | 4444 | Schneider Electric | SmartX controllers (EcoStruxure Building Operation) |
UDP | 4800 | Moxa Devices | Moxa Device Discovery protocol |
TCP | 4911 | BMS Controllers | Niagara FOX secure (TLS/SSL) protocol |
TCP | 5001 | Bosch Devices | Bosch PSI (Programmable System Interface) |
TCP | 5002 | Mitsubishi Devices | MELSEC PLC MC Protocol over TCP |
TCP | 5007 | Mitsubishi Devices | MELSEC PLC additional communication port |
UDP | 5009 | Mitsubishi Devices | MELSEC Finder broadcast (device discovery) |
TCP | 5033 | Siemens Devices | P2 protocol (used in legacy Siemens automation systems) |
TCP | 5050 | Saia-Burgess Devices | Saia PCD controller communication |
TCP | 5094 | HART-IP | HART-IP over TCP for smart instrumentation |
TCP | 5313 | Yokogawa DCS | CENTUM DCS engineering interface |
TCP | 5432 | SEL (Schweitzer) Devices | PostgreSQL database access for energy devices |
TCP | 6626 | WAGO Devices | WAGO I/O communication and programming |
TCP | 7700 | Schneider Electric | ION power meters and energy management systems |
TCP | 8000, 8008, 8080, 8443, 8800 | Generic / Various | Common HTTP/HTTPS alternative ports |
TCP | 9940 | Yokogawa DCS | CENTUM status and diagnostics |
UDP | 12321 | Honeywell Devices | Honeywell FTE UDP discovery / redundancy |
TCP | 18245 | GE Devices | SRTP (Service Request Transport Protocol) for GE PLCs |
TCP | 18507 | Emerson Devices | Emerson ROC / Flow Computer (FACE protocol) |
TCP | 18508 | Emerson Devices | Emerson firmware upgrade service (UPGD) |
TCP | 20256 | Unitronics Devices | PCOM protocol for Unitronics PLCs |
TCP | 20547 | Procon | PROCON OS remote management interface |
TCP | 24576 | ABB Devices | ABB Network Control (ABB_NC) protocol for substation automation |
TCP | 34964 | Siemens Devices | PROFINET Connection Management (PROFINET CM) |
TCP | 39329 | Emerson Devices | Ovation / VME-based control systems |
TCP / UDP | 44818 | OT Devices | CIP (Common Industrial Protocol) / EtherNet/IP for Rockwell devices |
UDP | 47808 | BMS Controllers | BACnet/IP communication for building automation devices |
TCP / UDP | 48898 | Beckhoff Devices | ADS/TwinCAT protocol for controller and engineering communications |
UDP | 48899 | Beckhoff Devices | ADS/AMS Discovery (TwinCAT/Beckhoff IPCs) |
TCP | 50000 | Siemens Devices | SIPROTEC 4 relay communication |
TCP | 51966 | Honeywell Devices | Honeywell FTE (Fault Tolerant Ethernet) communications |
TCP | 55553 | Honeywell Devices | CEE (Control Execution Environment) communications in Experion PKS |
TCP | 55565 | Honeywell Devices | FTE (Fault Tolerant Ethernet) communications for redundancy in Experion PKS |
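Before enabling Active Queries it is worth confirming, from the ICP or sensor itself, that the firewall path to each target actually passes the relevant ports. The following pre-flight checker is an added example, not part of OT Security: it attempts a TCP handshake to each (protocol, port) pair and distinguishes a port that answers ("open"), one the host actively rejects ("refused", the host is reachable but nothing listens or a REJECT rule fired), and one that never answers ("filtered", the typical signature of a firewall DROP). UDP rows cannot be verified with a connect() and are reported as "unchecked". The port list is trimmed from the table above; the local listener is a constructed stand-in for a real controller so the script runs offline.

```python
"""Pre-flight reachability check for Active Query ports.

Added example, not Tenable tooling. Run on the ICP or sensor host against the
controllers you plan to query. Only TCP rows can be verified here; UDP rows
need a protocol-specific probe and are reported as 'unchecked'.
"""
import socket
import threading
from contextlib import contextmanager

# A subset of (proto, port) pairs from the Active Query table; trim to the
# device families present in your environment.
ACTIVE_QUERY_PORTS = [
    ("tcp", 102), ("tcp", 502), ("tcp", 2222), ("tcp", 44818), ("udp", 44818),
    ("udp", 47808), ("tcp", 135), ("tcp", 445), ("udp", 161), ("tcp", 4911),
]


def tcp_state(host, port, timeout=1.0):
    """'open' on a completed handshake, 'refused' on RST, 'filtered' on silence."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"       # host reachable, nothing listening (or REJECT rule)
    except (socket.timeout, OSError):
        return "filtered"      # no answer: DROP rule, routing gap, or host down


def preflight(host, ports=ACTIVE_QUERY_PORTS, timeout=1.0):
    """Map each (proto, port) for one target to open/refused/filtered/unchecked."""
    results = {}
    for proto, port in ports:
        if proto != "tcp":
            results[(proto, port)] = "unchecked"
        else:
            results[(proto, port)] = tcp_state(host, port, timeout)
    return results


@contextmanager
def local_listener():
    """Constructed stand-in for a controller: a throwaway TCP listener on loopback."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    try:
        yield port
    finally:
        stop.set()
        t.join()
        srv.close()


def closed_port():
    """Reserve and release an ephemeral loopback port so it is (almost surely) closed."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    with local_listener() as p:
        for key, state in sorted(preflight("127.0.0.1", [("tcp", p), ("tcp", closed_port()), ("udp", 161)]).items()):
            print(f"{key[0]}/{key[1]}: {state}")
```

A "filtered" result for a port the controller is known to serve points at the firewall rather than the device; a "refused" result means the path is open and the device simply does not speak that protocol, so the rule can be removed.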
OT Security Integrations
The following ports should remain open for communication with the Tenable Vulnerability Management and Tenable Security Center Integrations.
Flow Direction | Port | Communicates With | Purpose |
---|---|---|---|
Outbound | TCP 443 | cloud.tenable.com | Tenable Vulnerability Management Integration |
Outbound | TCP 443 | Tenable Security Center | Tenable Security Center Integration |