Splunk Phantom ports and endpoints
These tables list the ports which must be open to inbound traffic and internet endpoints which must be accessible to use Splunk Phantom. Use these tables to design the firewall rules for your deployment.
Endpoints for all Splunk Phantom deployments
This table shows a list of the internet endpoints that a Splunk Phantom deployment uses. This list is not exhaustive.
Endpoint | Required? | Description |
---|---|---|
*.phantom.us | Required | Required for RPM upgrades and automatic app upgrades. |
Splunk Cloud | Conditional | If your deployment uses a Splunk Cloud deployment instead of the embedded Splunk Enterprise instance, Splunk Phantom must be able to reach your Splunk Cloud deployment. |
grpc.prod1-cloudgateway.spl.mobi | Conditional | If you use Splunk Mobile to access Splunk Phantom on mobile devices, your Splunk Phantom deployment must be able to reach grpc.prod1-cloudgateway.spl.mobi. |
https://e1345286.api.splkmobile.com/1.0/e1345286 | Required | Splunk Phantom telemetry |
*.pool.ntp.org | Required | Used for system clock synchronization. |
CentOS and RHEL mirrors | Required | Required to run YUM updates for operating system components and installed software packages. If your organization prefers, you can use a satellite server instead. See the Red Hat Knowledgebase article https://access.redhat.com/solutions/29269. |
github.com | Required | Used to access the community playbook repository. |
Other source control system | Conditional | Access is required if your deployment uses an alternative repository for playbooks. |
Google Maps embed API | Required | Used by the MaxMind app to add visualizations for IP address geolocation results. |
pypi.org | Required | Used by some apps to update or install their PIP dependencies. |
App specific endpoints | Conditional | Apps might need to reach specific endpoints in order to provide their functions. Consult the app's documentation for details. |
Ports for a standalone Splunk Phantom deployment
On a single-instance, on-premises deployment of Splunk Phantom, where all services run on the same host, open these ports in addition to allowing the endpoints listed under Endpoints for all Splunk Phantom deployments.
Port | Required? | Description |
---|---|---|
TCP 22 | Required | SSH port. Used for administering the operating system. |
TCP 80 | Required | Port for requests sent over HTTP. Splunk Phantom redirects all HTTP requests to HTTPS. |
TCP 443 | Required | HTTPS port for the web interface and REST API. This port must be exposed to access Splunk Phantom services. In an unprivileged Splunk Phantom deployment the HTTPS port is specified when you install Splunk Phantom and is a port greater than 1023. In an unprivileged virtual machine image or AMI-based deployment, the HTTPS port is set to 9999. |
Ports for externalized services
If you opt to deploy services such as Splunk Enterprise or Splunk Cloud, PostgreSQL, or a file share separately from your Splunk Phantom deployment, you need to make sure that Splunk Phantom can reach those services on your network.
In a clustered deployment, all of these services are external to Splunk Phantom, and a load balancer is added. See Example: Splunk Phantom cluster for a diagram of a Splunk Phantom cluster.
Required ports for embedded Splunk Enterprise
Open these ports on each Splunk Phantom node for embedded Splunk cluster configuration.
Port | Purpose |
---|---|
TCP 5121 | Splunk Enterprise server HTTP Event Collector (HEC) service. Can be blocked on the Shared Services server if using an alternate Splunk Enterprise server. |
TCP 5122 | Splunk Enterprise server REST port. Can be blocked on the Shared Services server if using an alternate Splunk Enterprise server. |
Required ports for non-embedded Splunk Enterprise
If you are using the non-embedded version of Splunk Enterprise, open these ports on each Splunk Phantom node.
Port | Purpose |
---|---|
TCP 8088 | Used as the HTTP Event Collector (HEC) and provides searching capabilities. |
TCP 8089 | Used for the REST endpoint to send information to the Splunk instances. |
TCP 9996-9997 | Used by the universal forwarder to forward data to the indexers. |
PostgreSQL database
A single instance, on-premises deployment of Splunk Phantom uses a local instance of a PostgreSQL database. If you choose to use an external PostgreSQL database instead, you must make sure that Splunk Phantom can reach the database on your network.
In a clustered Splunk Phantom deployment, each Splunk Phantom node must be able to reach the PostgreSQL database. See About Splunk Phantom clusters in Install and Upgrade Splunk Phantom.
Port | Description |
---|---|
TCP 5432 | PostgreSQL service. This port is also used by warm standby configurations for PostgreSQL streaming replication. |
TCP 6432 | Used by PgBouncer to interact with the PostgreSQL database. |
File shares
A single-instance, on-premises deployment of Splunk Phantom uses the local file system to store files for the vault. You can choose to expand storage capacity by using an external file share.
You can use any file system that meets your organization's security and performance requirements for your external file shares. You need to configure any required mounts and permissions. See Supported file systems and required directories.
The following table uses NFS and GlusterFS as examples of file shares. In a clustered Splunk Phantom deployment, these ports must be opened on each Splunk Phantom node and, in the case of GlusterFS, on each member of the GlusterFS server cluster.
Port | Description |
---|---|
TCP 445 | CIFS protocol. |
UDP 111 | RPC portmapper service for GlusterFS and NFS. |
TCP 111 | RPC portmapper service for GlusterFS and NFS. |
TCP 2049 | GlusterFS and NFS for NFS exports. Used by the nfsd process. |
TCP 38465 | NFS mount protocol. |
TCP 38466 | NFS mount protocol. |
TCP 38468 | NFS Lock Manager, NLM. |
TCP 38469 | NFS ACL support. |
TCP 24007 | glusterd management port. |
TCP 24008 | glusterd management port. |
TCP 49152+ | For GlusterFS brick mounts. The total number of ports required to be open depends on the total number of bricks exported on the server. In most cases, 10 bricks is sufficient. You might need to open additional ports later if you add additional bricks. |
Ports for connecting mobile devices to Splunk Phantom using Splunk Connected Experience apps
Open these ports to enable registration of mobile apps, such as Splunk Mobile for iOS or Splunk Mobile for Android. In a clustered deployment, these ports must be opened on each Splunk Phantom node.
When the Enable Mobile App toggle is in the ON position, Splunk Phantom launches a new daemon, ProxyD. ProxyD connects to the Splunk Cloud Gateway automatically at grpc.prod1-cloudgateway.spl.mobi, on port 443 using the gRPC protocol.
Splunk Phantom uses the gRPC protocol to communicate to mobile apps through the Splunk Cloud Gateway.
For more information on Splunk Cloud Gateway, its encryption, and the data that is sent and received, see About the Splunk Cloud Gateway security process in Install and Administer Splunk Cloud Gateway.
Port | Description |
---|---|
TCP 15505 | Port 15505 is used by ProxyD to listen for inter-process communication from other Splunk Phantom daemons on the same instance. |
TCP 443 | Port 443 is the inbound port to Splunk Phantom's REST endpoints from ProxyD. REST requests from connected mobile devices received from Splunk Cloud Gateway are sent to and received from other Splunk Phantom daemons by ProxyD on port 443. |
For other ports you might need to open, see Prerequisites and Requirements in the Install and Administer Splunk Cloud Gateway manual.
Ports for clustered deployments of Splunk Phantom
Splunk Phantom can be deployed as a cluster of nodes connected to a server or set of servers providing a PostgreSQL database, file shares, a Splunk platform deployment, and a load balancer. A cluster can be deployed on-premises or in Amazon Web Services. See About Splunk Phantom clusters in Install and Upgrade Splunk Phantom.
This table lists the ports required by Splunk Phantom nodes for inter-node communication and access to Splunk Phantom services on the cluster.
Port | Description |
---|---|
TCP 22 | SSH port. Used for administering the operating system of the cluster node. Also used by SSHD for GlusterFS. |
TCP 80 | Port for requests sent over HTTP. Splunk Phantom redirects all HTTP requests to HTTPS. |
TCP 443 | HTTPS interface for the web interface, load balancer, and the REST API. This port must be exposed to access Splunk Phantom services. In an unprivileged Splunk Phantom deployment, the HTTPS port is specified when you install Splunk Phantom and is a port greater than 1023. In an unprivileged virtual machine image or AMI-based deployment, the HTTPS port is set to 9999. |
TCP 4369 | RabbitMQ port mapper. All cluster nodes must be able to communicate with each other on this port. |
TCP 5100 - TCP 5120 | Daemon inter-process communication ports. |
TCP 5671 | RabbitMQ service. All cluster nodes must be able to communicate with each other on this port. |
TCP 8300 | Consul RPC services. All cluster nodes must be able to communicate with each other on this port. |
TCP 8301 | Consul internode communication. All cluster nodes must be able to communicate with each other on this port. |
TCP 8302 | Consul internode communication. All cluster nodes must be able to communicate with each other on this port. |
TCP 8888 | WebSocket server. |
TCP 15672 | RabbitMQ admin UI and HTTP API service. The RabbitMQ admin UI is disabled by default. Unless you want to use the admin UI, you can block this port. If you choose to activate the RabbitMQ HTTP API and web UI, all cluster nodes must be able to communicate with each other on this port. |
TCP 25672 | RabbitMQ internode communications. All cluster nodes must be able to communicate with each other on this port. |
For information on RabbitMQ ports, see "Networking" on the RabbitMQ documentation. For more information on Consul's required ports, see "Ports" in the Consul documentation on the HashiCorp website.
Example: Default firewalld settings for an unprivileged cluster
Here is an example of the default firewalld settings when Splunk Phantom is deployed as an unprivileged cluster. Splunk Connected Experiences app access is not enabled in this example.
```
[phantom@phantom ~]$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: dhcpv6-client http https ssh
  ports: 9999/tcp 27100-27200/tcp 5121/tcp 5122/tcp 8300/tcp 8301/tcp 8302/tcp 4369/tcp 5671/tcp 25672/tcp 15672/tcp 443/tcp
  protocols:
  masquerade: no
  forward-ports: port=443:proto=tcp:toport=9999:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
```
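As an added audit check (not Splunk's code), this script parses a `firewall-cmd --list-all` listing such as the one above and compares the opened TCP ports with the cluster and embedded Splunk Enterprise port tables on this page. The mapping of firewalld service names to ports is the standard firewalld definition, and the sample text is the relevant lines of the example listing.

```python
import re
# TCP ports documented on this page, grouped the way its tables group them.
CLUSTER_TCP = {22, 80, 443, 4369, 5671, 8300, 8301, 8302, 8888, 25672} | set(range(5100, 5121))
EMBEDDED_SPLUNK_TCP = {5121, 5122}
OPTIONAL_TCP = {15672}  # RabbitMQ admin UI/API: the page says block it unless you use it
SERVICE_PORTS = {"ssh": {(22, "tcp")}, "http": {(80, "tcp")}, "https": {(443, "tcp")}, "dhcpv6-client": {(546, "udp")}}

def parse_list_all(text):
    """Return (opened {(port, proto)}, forwards [(port, proto, toport)]) from --list-all output."""
    opened, forwards = set(), []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "services":
            for svc in value.split():
                opened |= SERVICE_PORTS.get(svc, set())
        elif key == "ports":
            for item in value.split():
                spec, proto = item.split("/")
                lo, _, hi = spec.partition("-")
                opened |= {(p, proto) for p in range(int(lo), int(hi or lo) + 1)}
        elif key == "forward-ports":
            for m in re.finditer(r"port=(\d+):proto=(\w+):toport=(\d+)", value):
                forwards.append((int(m[1]), m[2], int(m[3])))
    return opened, forwards

def ranges(ports):
    """Collapse a set of ints into sorted 'lo-hi' strings for a readable report."""
    out, todo = [], sorted(ports)
    while todo:
        lo = hi = todo.pop(0)
        while todo and todo[0] == hi + 1:
            hi = todo.pop(0)
        out.append(str(lo) if lo == hi else f"{lo}-{hi}")
    return out

def audit(text):
    opened, forwards = parse_list_all(text)
    tcp = {p for p, proto in opened if proto == "tcp"}
    expected = CLUSTER_TCP | EMBEDDED_SPLUNK_TCP
    expected |= {to for port, proto, to in forwards if (port, proto) == (443, "tcp")}  # unprivileged node: 443 forwarded to a port above 1023
    return {"missing": ranges(expected - tcp),
            "undocumented": ranges(tcp - expected - OPTIONAL_TCP),
            "optional_open": ranges(tcp & OPTIONAL_TCP)}

SAMPLE = """  services: dhcpv6-client http https ssh
  ports: 9999/tcp 27100-27200/tcp 5121/tcp 5122/tcp 8300/tcp 8301/tcp 8302/tcp 4369/tcp 5671/tcp 25672/tcp 15672/tcp 443/tcp
  forward-ports: port=443:proto=tcp:toport=9999:toaddr=
"""  # lines taken from the firewalld listing shown above
```

Treat each reported difference as a prompt to check the relevant table rather than as an error: a port reported missing may be loopback-only or unused in your deployment, and the 27100-27200 range in the sample is not covered by the tables on this page.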
Example: Splunk Phantom cluster
A Splunk Phantom cluster consists of a load balancer, three or more Splunk Phantom nodes, a PostgreSQL database, file shares, and either a Splunk Enterprise or Splunk Cloud deployment.
This diagram shows an example of a Splunk Phantom cluster, with the connections marked.
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7