Splunk Phantom required ports and endpoints
These tables list the ports that must be open to inbound traffic on Splunk Phantom nodes and on the services they depend on, together with the outbound endpoints the nodes reach. Use them to design the firewall rules for your installation.
Some Splunk Phantom apps might require additional ports. Consult the individual app descriptions for additional information.
Required endpoints for all Splunk Phantom deployments
This table shows a non-comprehensive list of the internet endpoints that a Splunk Phantom deployment reaches with outbound traffic.
Endpoint | Purpose |
---|---|
*.phantom.us | Required for RPM upgrades and automatic app upgrades. |
Splunk Cloud | |
*.pool.ntp.org | Used for system clock synchronization. |
CentOS and RHEL mirrors | Required to run YUM updates for operating system components and installed software packages. If your organization prefers, you can use a satellite server instead. See the Red Hat Knowledgebase article How can we regularly update a disconnected system (A system without internet connection)? |
github.com | Used to access the community playbook repository. |
Google Maps embed API | Used by the MaxMind app to add visualizations for IP address geolocation results. |
pypi.org | Used by some apps to install or update their pip dependencies. |
App specific endpoints | Some apps need to reach specific endpoints in order to provide their functions. Consult the app's documentation for details. |
Required ports for a standalone Splunk Phantom instance
On a single instance of Splunk Phantom, where all services are contained on the same host, open these ports. Expose TCP 22 only to your administrative networks.
Port | Purpose |
---|---|
TCP 22 | Used for administering the operating system. |
TCP 80 | Port for requests sent over HTTP. Splunk Phantom redirects all HTTP requests to HTTPS. |
TCP 443 | HTTPS port for the web interface and REST API. This port must be exposed to access Splunk Phantom services. |
Required ports for all Splunk Phantom cluster nodes
In a Splunk Phantom cluster, open these ports on each node of the cluster. The RabbitMQ and Consul ports carry cluster-internal traffic only; restrict them to the addresses of the other cluster nodes rather than opening them to clients.
Port | Purpose |
---|---|
TCP 22 | Used for administering the Operating System. |
TCP 80 | Port for requests sent over HTTP. Splunk Phantom redirects all HTTP requests to HTTPS. |
TCP 443 | HTTPS interface for the web interface and REST API. This port must be exposed to access Splunk Phantom services. |
TCP 4369 | RabbitMQ / Erlang port mapper. All cluster nodes must be able to communicate with each other on this port. |
TCP 5671 | RabbitMQ service. All cluster nodes must be able to communicate with each other on this port. |
TCP 8300 | Consul RPC services. All cluster nodes must be able to communicate with each other on this port. |
TCP 8301 | Consul internode communication. All cluster nodes must be able to communicate with each other on this port. |
TCP 8302 | Consul internode communication. All cluster nodes must be able to communicate with each other on this port. |
TCP 8888 | WebSocket server. |
TCP 15672 | RabbitMQ admin UI and HTTP API service. UI is disabled by default. All cluster nodes must be able to communicate with each other on this port. |
TCP 25672 | RabbitMQ internode communications. All cluster nodes must be able to communicate with each other on this port. |
Clustered environments require each of these services.
If you are running Splunk Phantom with external services, such as the PostgreSQL database, file shares, or Splunk Enterprise, open the following ports on both the service's server and the Splunk Phantom nodes.
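One way to turn the cluster node table into firewall rules, added here as an example; it is not part of Splunk's documentation or software. It assumes firewalld on CentOS or RHEL, three cluster peers at 10.0.0.11 through 10.0.0.13 and an administrative subnet 10.1.0.0/24 (all made-up values), and it treats TCP 8888 as a client-facing port, which the table does not spell out. It prints the firewall-cmd commands instead of running them so that you can review them first:

```shell
#!/bin/sh
# Added example, not Splunk's code: generate firewalld commands for one
# Splunk Phantom cluster node from the cluster port table.
# Assumed values (not from the page): peer addresses, admin subnet, zone.

PHANTOM_PEERS="${PHANTOM_PEERS:-10.0.0.11 10.0.0.12 10.0.0.13}"   # assumed peer IPs
ADMIN_NET="${ADMIN_NET:-10.1.0.0/24}"                             # assumed admin network
ZONE="${ZONE:-public}"

# Cluster-internal ports (RabbitMQ, Consul) are limited to the peers with
# rich rules. The web, REST and WebSocket ports are opened to every source.
CLUSTER_PORTS="4369 5671 8300 8301 8302 15672 25672"
CLIENT_PORTS="80 443 8888"   # 8888 treated as client-facing: an assumption

# rich_rule SOURCE PORT: one firewall-cmd line allowing TCP PORT from SOURCE only
rich_rule() {
  printf "firewall-cmd --permanent --zone=%s --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept'\n" "$ZONE" "$1" "$2"
}

# phantom_cluster_rules: print the complete rule set for this node
phantom_cluster_rules() {
  # SSH only from the admin network, never from the whole zone
  rich_rule "$ADMIN_NET" 22
  for p in $CLIENT_PORTS; do
    printf 'firewall-cmd --permanent --zone=%s --add-port=%s/tcp\n' "$ZONE" "$p"
  done
  for peer in $PHANTOM_PEERS; do
    for p in $CLUSTER_PORTS; do
      rich_rule "$peer" "$p"
    done
  done
  printf 'firewall-cmd --reload\n'
}

# count_rules: number of allow rules generated (sanity check before applying)
count_rules() {
  phantom_cluster_rules | grep -c -- '--add-'
}

# Review:   phantom_cluster_rules
# Apply:    phantom_cluster_rules | sh     (as root, on each node)
```

After applying, confirm with firewall-cmd --list-all that TCP 15672 and the other RabbitMQ and Consul ports appear only in rich rules scoped to peer addresses, not in the zone's open ports list.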
Required ports for all Splunk Phantom nodes
Open these ports on each Splunk Phantom node in a cluster using shared services.
Port | Purpose |
---|---|
TCP 22 | Used for administering the operating system. Also used by SSHD for GlusterFS in clustered environments. |
TCP 80 | Port for requests sent over HTTP. Splunk Phantom redirects all HTTP requests to HTTPS. |
TCP 443 | HTTPS and REST port for HAProxy load balancer for Splunk Phantom. This port must be exposed to access Splunk Phantom services. |
TCP 5100 - TCP 5120 | Daemon IPC ports. |
Required ports for internode communications
Open these ports on each Splunk Phantom node in a cluster for internode communication.
Port | Purpose |
---|---|
TCP 4369 | RabbitMQ / Erlang port mapper. All cluster nodes must be able to communicate with each other on this port. |
TCP 5671 | RabbitMQ service. All cluster nodes must be able to communicate with each other on this port. |
TCP 8300 | Consul RPC services. All cluster nodes must be able to communicate with each other on this port. |
TCP 8301 | Consul internode communication. All cluster nodes must be able to communicate with each other on this port. |
TCP 8302 | Consul internode communication. All cluster nodes must be able to communicate with each other on this port. |
TCP 15672 | RabbitMQ admin UI and HTTP API service. UI is disabled by default. All cluster nodes must be able to communicate with each other on this port. |
TCP 25672 | RabbitMQ internode communications. All cluster nodes must be able to communicate with each other on this port. |
Open these ports on each Splunk Phantom node and on each member of the GlusterFS server cluster.
Port | Purpose |
---|---|
TCP 445 | CIFS protocol |
UDP 111 | RPC portmapper service for GlusterFS and NFS |
TCP 111 | RPC portmapper service for GlusterFS and NFS |
TCP 2049 | GlusterFS and NFS for NFS exports. Used by the nfsd process. |
TCP 38465 | NFS mount protocol |
TCP 38466 | NFS mount protocol |
TCP 38468 | NFS Lock Manager, NLM |
TCP 38469 | NFS ACL support |
TCP 24007 | glusterd management port |
TCP 24008 | glusterd management port |
TCP 49152+ | For GlusterFS brick mounts. Each exported brick uses one port starting at 49152, so the number of ports to open depends on the number of bricks exported on the server. In Splunk Phantom 4.2 and later releases, 10 bricks (TCP 49152 through 49161) is sufficient. You might need to open additional ports later if you add bricks. |
Required ports for embedded Splunk Enterprise
Open these ports on each Splunk Phantom node for the embedded Splunk Enterprise cluster configuration.
Port | Purpose |
---|---|
TCP 5121 | Splunk Enterprise server HTTP Event Collector (HEC) service. Can be blocked on the Shared Services server if using an alternate Splunk Enterprise server. |
TCP 5122 | Splunk Enterprise server REST port. Can be blocked on the Shared Services server if using an alternate Splunk Enterprise server. |
Required ports for non-embedded Splunk Enterprise
If you are using the non-embedded version of Splunk Enterprise, open these ports on each Splunk Phantom node.
Port | Purpose |
---|---|
TCP 8088 | HTTP Event Collector (HEC) port, used to send events to Splunk Enterprise. |
TCP 8089 | Splunk Enterprise management (REST) port, used to run searches and send requests to the Splunk instances. |
TCP 9996-9997 | Receiving ports used by the universal forwarder to send data to the indexers. |
Required ports for PostgreSQL services
These ports must be open on each Splunk Phantom node and any hosts running the PostgreSQL service.
Port | Purpose |
---|---|
TCP 5432 | PostgreSQL Service. Can be blocked on the Shared Services server if using an alternate database server. |
TCP 6432 | Used by PgBouncer to interact with PostgreSQL database. |
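The tables for cluster nodes, shared services, GlusterFS/NFS, embedded Splunk Enterprise and PostgreSQL describe what should be listening on a clustered node; the following script, added here as an example and not Splunk's code, compares them with what is actually listening, so that a service bound by accident or a brick beyond the opened range shows up before the firewall rules are written. The ss output embedded in it is constructed for the example; on a real node run ss -Hltn and pipe it into audit_listeners. The brick count of 10 follows the GlusterFS table and can be overridden with BRICK_COUNT:

```shell
#!/bin/sh
# Added example, not Splunk's code: audit listening sockets on a clustered
# Splunk Phantom node with shared services against the port tables.
# Real use:  ss -Hltn | audit_listeners

# Single ports from the cluster, shared-services, GlusterFS/NFS,
# embedded Splunk Enterprise and PostgreSQL tables
EXPECTED_PORTS="22 80 443 4369 5671 8300 8301 8302 8888 15672 25672 111 445 2049 38465 38466 38468 38469 24007 24008 5121 5122 5432 6432"
BRICK_COUNT="${BRICK_COUNT:-10}"   # bricks exported by this server; 10 per the table

# port_expected PORT: succeeds when PORT is accounted for by the tables,
# including the daemon IPC range 5100-5120 and the brick range
# 49152 .. 49152+BRICK_COUNT-1
port_expected() {
  for e in $EXPECTED_PORTS; do
    [ "$1" -eq "$e" ] && return 0
  done
  [ "$1" -ge 5100 ] && [ "$1" -le 5120 ] && return 0
  [ "$1" -ge 49152 ] && [ "$1" -lt $((49152 + BRICK_COUNT)) ] && return 0
  return 1
}

# audit_listeners: reads `ss -Hltn` lines on stdin and prints
# "unexpected ADDR:PORT" for every non-loopback listener no table accounts for
audit_listeners() {
  while read -r state recvq sendq local peer rest; do
    [ "$state" = "LISTEN" ] || continue
    port="${local##*:}"
    addr="${local%:*}"
    case "$addr" in
      127.*|"[::1]") continue ;;   # loopback only: not reachable from the network
    esac
    port_expected "$port" || printf 'unexpected %s:%s\n' "$addr" "$port"
  done
}

# Constructed sample of `ss -Hltn` output (not captured from a real node):
# a loopback-only MySQL port, the 10th brick, an 11th brick beyond the
# opened range, and the same MySQL port bound on all IPv6 interfaces.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5110 0.0.0.0:*
LISTEN 0 128 0.0.0.0:24007 0.0.0.0:*
LISTEN 0 128 0.0.0.0:49161 0.0.0.0:*
LISTEN 0 128 0.0.0.0:49165 0.0.0.0:*
LISTEN 0 128 [::]:3306 [::]:*'

# run_sample: audit the constructed sample
run_sample() {
  printf '%s\n' "$SAMPLE_SS" | audit_listeners
}
```

The loopback filter keeps the report to sockets that a firewall rule could ever expose. A listener reported as unexpected is either a service that should not be running on a Phantom node or a port the tables do not cover, such as an app-specific port; check the app's documentation before opening it.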
Required ports for mobile device registration
These ports must be open on each Splunk Phantom node to enable mobile app registration.
Port | Purpose |
---|---|
TCP 15505 | Outbound. When the Enable Mobile App toggle is in the ON position, ProxyD connects automatically to Spacebridge / Automation Broker at grpc.prod1-cloudgateway.spl.mobi and relays the interprocess communication from Splunk Phantom to the proxy. |
TCP 443 | Outbound from Splunk Phantom to Spacebridge, and inbound from ProxyD to the Splunk Phantom REST endpoints. |
Others | See Prerequisites in the Install and Administer Splunk Cloud Gateway guide. |
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8