Secure Splunk Enterprise on your network

Under certain conditions, Splunk Enterprise network ports, services, and APIs can become susceptible to attacks over the network. You can prevent those potential attacks by shielding your Splunk Enterprise configuration from the Internet.

Make the following considerations to reduce the network attack surface of your Splunk Enterprise deployment:

• Where possible, use a firewall to restrict access to Splunk Web, management, and data ingestion ports. Keep Splunk Enterprise components inside that network firewall.
• Where possible, have any remote Splunk Enterprise users access the deployment through a virtual private network.

You also can protect Splunk Enterprise from physical and network attacks in the following ways:

• Restrict CLI security by restricting this port to local calls only, from behind a host firewall.
• Unless necessary, do not allow access to forwarders on any network port. Additionally, you can enable enhanced forwarder management network port protection. See Configure universal forwarder management security.
• Where applicable, enable TLS certificate host name validation between individual machines in a Splunk Enterprise deployment. See Configure TLS certificate host name validation for secured connections between Splunk software components.
• Install Splunk Enterprise on an isolated network segment that only trustworthy machines can access.
• Limit network port accessibility to only necessary connections. See the following table for the list:

  Client instance	Server instance	Default ports
  Your browser	Splunk Web	TCP 8000
  Search heads	Search peers (indexers)	TCP 8089
  Forwarders	Receivers (indexers)	TCP 8089
  The Splunk CLI	Any Splunk platform instance	TCP 8089
  Search head cluster members	The App Key Value Store service on other SHC members	TCP 8191
  Search heads that run Splunk Assist from the Monitoring Console	*.scs.splunk.com	TCP 443