Splunk® Phantom

Install and Upgrade Splunk Phantom

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Phantom. Click here for the latest version.
Acrobat logo Download topic as PDF

Splunk Phantom required ports and end points

These tables list the ports which must be open to inbound traffic in order to use Splunk Phantom. Use these tables to design your firewall rules for your installation.

Some Splunk Phantom apps might require additional ports. Consult the individual app descriptions for additional information.

Required end points for all Splunk Phantom deployments

This table shows a non-comprehensive list of the internet end points that a Splunk Phantom deployment uses.

End Point Purpose
*.phantom.us Required for RPM upgrades and automatic app upgrades.
Splunk Cloud
  • Your deployment may use a Splunk Cloud deployment instead of the embedded Splunk Enterprise. If so, Phantom must be able to reach your Splunk Cloud deployment.
  • grpc.prod1-cloudgateway.spl.mobi - Required to use the mobile feature.
  • https://e1345286.api.splkmobile.com/1.0/e1345286 - Destination for Splunk Phantom telemetry.
*.pool.ntp.org Used for system clock synchronization.
CentOS and RHEL mirrors Required to run YUM updates for operating system components and installed software packages. If your organization prefers, you can use a satellite server instead. See the Red Hat Knowledgebase article How can we regularly update a disconnected system (A system without internet connection)?
github.com Used to access the community playbook repository.
Google Maps embed API Used by the MaxMind app to add visualizations for ip address geolocation results.
pypi.org Used by some apps to update or install their PIP dependencies.
App specific endpoints Some apps may need to reach specific end points in order to provide their functions. Consult the app's documentation for details.

Required ports for a standalone Splunk Phantom instance

On a single instance of Splunk Phantom, where all services are contained on the same host, open these ports.

Port Purpose
TCP 22 Used for administering the operating system.
TCP 80 Port for requests sent over HTTP. Splunk Phantom redirects all HTTP requests to HTTPS.
TCP 443 HTTPS port for the web interface and REST API. This port must be exposed to access Splunk Phantom services.

Required ports for all Splunk Phantom cluster nodes

In a Splunk Phantom cluster, open these ports on each node of the cluster.

Port Purpose
TCP 22 Used for administering the Operating System.
TCP 80 Port for requests sent over HTTP. Splunk Phantom redirects all HTTP requests to HTTPS.
TCP 443 HTTPS interface for the web interface and REST API. This port must be exposed to access Splunk Phantom services.
TCP 4369 RabbitMQ / Erlang port mapper. All cluster nodes must be able to communicate with each other on this port.
TCP 5671 RabbitMQ service. All cluster nodes must be able to communicate with each other on this port.
TCP 8300 Consul RPC services. All cluster nodes must be able to communicate with each other on this port.
TCP 8301 Consul internode communication. All cluster nodes must be able to communicate with each other on this port.
TCP 8302 Consul internode communication. All cluster nodes must be able to communicate with each other on this port.
TCP 8888 WebSocket server.
TCP 15672 RabbitMQ admin UI and HTTP API service. UI is disabled by default. All cluster nodes must be able to communicate with each other on this port.
TCP 25672 RabbitMQ internode communications. All cluster nodes must be able to communicate with each other on this port.

Required ports for shared services in a clustered environment

Clustered environments require each of these services.

If you are running Splunk Phantom with external services, such as the PostgreSQL database, file shares, or Splunk Enterprise, you must open the following required ports on both the service's server and Splunk Phantom.

Required ports for all Splunk Phantom nodes

Open these ports on each Splunk Phantom node in a cluster using shared services.

Port Purpose
TCP 22 Used for administering the Operating System. SSHD for GlusterFS in clustered environments.
TCP 80 Port for requests sent over HTTP. Splunk Phantom redirects all HTTP requests to HTTPS.
TCP 443 HTTPS and REST port for HAProxy load balancer for Splunk Phantom. This port must be exposed to access Splunk Phantom services.
TCP 5100 - TCP 5120 Daemon IPC ports.

Required ports for internode communications

Open these ports on each Splunk Phantom node in a cluster for internode communication.

Port Purpose
TCP 4369 RabbitMQ / Erlang port mapper. All cluster nodes must be able to communicate with each other on this port.
TCP 5671 RabbitMQ service. All cluster nodes must be able to communicate with each other on this port.
TCP 8300 Consul RPC services. All cluster nodes must be able to communicate with each other on this port.
TCP 8301 Consul internode communication. All cluster nodes must be able to communicate with each other on this port.
TCP 8302 Consul internode communication. All cluster nodes must be able to communicate with each other on this port.
TCP 15672 RabbitMQ admin UI and HTTP API service. UI is disabled by default. All cluster nodes must be able to communicate with each other on this port.
TCP 25672 RabbitMQ internode communications. All cluster nodes must be able to communicate with each other on this port.

Required ports for file share

Open these ports on each Splunk Phantom node and on each member of the GlusterFS server cluster.

Port Purpose
TCP 445 CIFS protocol
UDP 111 RPC portmapper service for GlusterFS and NFS
TCP 111 RPC portmapper service for GlusterFS and NFS
TCP 2049 GlusterFS and NFS for NFS exports. Used by the nfsd process.
TCP 38465 NFS mount protocol
TCP 38466 NFS mount protocol
TCP 38468 NFS Lock Manager, NLM
TCP 38469 NFS ACL support
TCP 24007 glusterd management port
TCP 24008 glusterd management port
TCP 49152+ For GlusterFS brick mounts. The total number of ports required to be open depends on the total number of bricks exported on the server. In the 4.2 and later releases, 10 bricks is sufficient. You might need to open additional ports later if you add additional bricks.

Required ports for embedded Splunk Enterprise

Open these ports on each Splunk Phantom node for embedded Splunk cluster configuration.

Port Purpose
TCP 5121 Splunk Enterprise server HTTP Event Collector (HEC) service. Can be blocked on the Shared Services server if using an alternate Splunk Enterprise server.
TCP 5122 Splunk Enterprise server REST port. Can be blocked on the Shared Services server if using an alternate Splunk Enterprise server.

Required ports for non-embedded Splunk Enterprise

If you are using the non-embedded version of Splunk Enterprise, open these ports on each Splunk Phantom node.

Port Purpose
TCP 8088 Used as the HTTP Event Collecter (HEC) and provides searching capabilities.
TCP 8089 Used for the REST endpoint to send information to the Splunk instances.
TCP 9996-9997 Used for the universal forwarder to either forward or direct the indexers.

Required ports for PostgreSQL services

These ports must be open on each Splunk Phantom node and any hosts running the PostgreSQL service.

Port Purpose
TCP 5432 PostgreSQL Service. Can be blocked on the Shared Services server if using an alternate database server.
TCP 6432 Used by PgBouncer to interact with PostgreSQL database.

Required ports for mobile device registration

These ports must be open on each Splunk Phantom node to enable mobile app registration.

Port Purpose
TCP 15505 Open for outbound traffic. When the Enable Mobile App toggle is in the ON position, ProxyD connects to the Spacebridge / Automation Broker automatically at grpc.prod1-cloudgateway.spl.mobi to send the interprocess communication from Phantom to the proxy.
TCP 443 The outbound port from Splunk Phantom to Spacebridge. Also the inbound port from ProxyD to Phantom's REST endpoints.
Others See Prerequisites in the Install and Administer Splunk Cloud Gateway guide.
Last modified on 08 January, 2021
PREVIOUS
System requirements for production use
  NEXT
Install Splunk Phantom using the Amazon Marketplace Image

This documentation applies to the following versions of Splunk® Phantom: 4.8


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters