
Firewall Rules

Proper firewall configuration is essential for UTMStack v11 security and functionality. This guide details all required ports and provides security recommendations for different deployment scenarios.
Security First: Always follow the principle of least privilege. Only open ports that are necessary and restrict access to trusted networks or IP addresses.

Core System Ports

These ports are required for basic UTMStack operation:

Administrative Access

Port 22/TCP (SSH)

Purpose: Remote server administration and management
Required for:
  • System administration
  • Installation and updates
  • Troubleshooting
Security Recommendations:
# Restrict to admin IPs only
sudo ufw allow from ADMIN_IP to any port 22 proto tcp
Never expose SSH to the public internet. Use VPN or IP whitelisting.

Port 80/TCP (HTTP)

Purpose: Redirects HTTP traffic to HTTPS
Required for:
  • Automatic HTTPS redirect
  • Let’s Encrypt certificate validation (temporarily)
Security Recommendations:
# Allow from analyst networks
sudo ufw allow from ANALYST_NETWORK to any port 80 proto tcp
This port can be blocked after SSL certificate setup if not using auto-renewal.

Port 443/TCP (HTTPS)

Purpose: UTMStack web-based graphical user interface (primary access)
Required for:
  • Web interface access
  • API connections
  • User authentication
Security Recommendations:
# Restrict to security team networks
sudo ufw allow from SOC_NETWORK to any port 443 proto tcp
This is the primary access point. Always use HTTPS, never HTTP.

Port 9090/TCP (Cockpit)

Purpose: Web-based server management interface
Required for:
  • System monitoring
  • Container management
  • Resource utilization viewing
Security Recommendations:
# Restrict to system administrators only
sudo ufw allow from ADMIN_IP to any port 9090 proto tcp
Highly sensitive. Restrict to administrators’ IPs only.

Agent Communication Ports

These ports are required for communication between UTMStack agents and the server:

Port 9000/TCP

Agent-to-Manager Communication
Required for UTMStack agents to communicate with the manager server. This port handles agent registration and heartbeat traffic.
# Allow from agent networks
sudo ufw allow from AGENT_NETWORK to any port 9000 proto tcp

Port 9001/TCP

Agent Data Transfer
Used for transferring log data and telemetry from agents to the manager server.
# Allow from agent networks
sudo ufw allow from AGENT_NETWORK to any port 9001 proto tcp

Port 50051/TCP

gRPC Agent Communication
High-performance gRPC protocol for agent communication, including file transfers and advanced features.
# Allow from agent networks
sudo ufw allow from AGENT_NETWORK to any port 50051 proto tcp
New in v11: Agent communication has been optimized for better performance and security with enhanced TLS encryption.

Integration and Data Collection Ports

Additional ports are required based on your configured integrations:

Syslog Receivers

Port 514/UDP: Standard Syslog
sudo ufw allow from SOURCE_NETWORK to any port 514 proto udp
Port 514/TCP: Syslog over TCP
sudo ufw allow from SOURCE_NETWORK to any port 514 proto tcp
Port 6514/TCP: Syslog over TLS (Recommended)
sudo ufw allow from SOURCE_NETWORK to any port 6514 proto tcp

NetFlow/IPFIX

Port 2055/UDP: NetFlow v5/v9
sudo ufw allow from NETWORK_DEVICES to any port 2055 proto udp
Port 4739/UDP: IPFIX
sudo ufw allow from NETWORK_DEVICES to any port 4739 proto udp

Cloud Integrations

Cloud integrations (AWS, Azure, GCP, Office 365) typically use outbound HTTPS (443) connections only. No inbound ports required.

Multi-Node Deployment Ports

For deployments with multiple nodes (manager + workers):

Manager-to-Worker Communication

Port 2377/TCP: Cluster management
Port 7946/TCP+UDP: Container network discovery
Port 4789/UDP: Overlay network traffic
# On all nodes, allow from other cluster nodes
sudo ufw allow from CLUSTER_NODE_IP to any port 2377 proto tcp
sudo ufw allow from CLUSTER_NODE_IP to any port 7946
sudo ufw allow from CLUSTER_NODE_IP to any port 4789 proto udp

Elasticsearch Cluster (if distributed)

Port 9200/TCP: Elasticsearch HTTP API
Port 9300/TCP: Elasticsearch transport
# Between cluster nodes only
sudo ufw allow from CLUSTER_NODE_IP to any port 9200 proto tcp
sudo ufw allow from CLUSTER_NODE_IP to any port 9300 proto tcp

Federated Deployment Ports

For MSP deployments with a central federation server:
Port 443/TCP: API communication with central server
Port 50052/TCP: Federation gRPC communication
# Allow to central server
sudo ufw allow out to CENTRAL_SERVER_IP port 443 proto tcp
sudo ufw allow out to CENTRAL_SERVER_IP port 50052 proto tcp

UFW Configuration Examples

Basic Single-Node Deployment

#!/bin/bash
# Basic UTMStack v11 firewall configuration

# Reset UFW
sudo ufw --force reset

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# SSH (from admin IP only)
sudo ufw allow from 192.168.1.100 to any port 22 proto tcp

# Web interface (from SOC network)
sudo ufw allow from 192.168.1.0/24 to any port 443 proto tcp
sudo ufw allow from 192.168.1.0/24 to any port 80 proto tcp

# Cockpit (admin only)
sudo ufw allow from 192.168.1.100 to any port 9090 proto tcp

# Agent communication (from agent network)
sudo ufw allow from 10.0.0.0/8 to any port 9000 proto tcp
sudo ufw allow from 10.0.0.0/8 to any port 9001 proto tcp
sudo ufw allow from 10.0.0.0/8 to any port 50051 proto tcp

# Syslog (from network devices)
sudo ufw allow from 10.0.0.0/8 to any port 514 proto udp
sudo ufw allow from 10.0.0.0/8 to any port 6514 proto tcp

# Enable firewall
sudo ufw enable
sudo ufw status verbose

Multi-Node Deployment

#!/bin/bash
# Multi-node UTMStack v11 firewall configuration

# Include basic rules above, then add:

# Cluster communication (between all nodes)
CLUSTER_NODES=("10.10.10.11" "10.10.10.12" "10.10.10.13")

for NODE in "${CLUSTER_NODES[@]}"; do
  sudo ufw allow from "$NODE" to any port 2377 proto tcp
  sudo ufw allow from "$NODE" to any port 7946
  sudo ufw allow from "$NODE" to any port 4789 proto udp
  sudo ufw allow from "$NODE" to any port 9200 proto tcp
  sudo ufw allow from "$NODE" to any port 9300 proto tcp
done

sudo ufw enable
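The scripts above only produce a least-privilege ruleset if nobody later adds a broader rule. The following audit script is an added example (not part of the UTMStack documentation or project) that reads `sudo ufw status` output and flags any admin-only or cluster-only port from this guide that is allowed from Anywhere; the ADMIN_ONLY_PORTS list and the sample status output are assumptions constructed for the example.

```shell
#!/bin/sh
# audit_ufw_status: read the output of `sudo ufw status` (plain, verbose or
# numbered) on stdin and print one line per admin-only port allowed from
# Anywhere. Returns 1 if anything was flagged, 0 if the ruleset is clean.
# Port list assumed from this guide: SSH, Cockpit, cluster and Elasticsearch
# ports must only be reachable from named admin or cluster-node sources.
ADMIN_ONLY_PORTS="22 9090 2377 7946 4789 9200 9300"

audit_ufw_status() {
    awk -v ports="$ADMIN_ONLY_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) bad[p[i]] = 1 }
        {
            sub(/^\[ *[0-9]+\] */, "")              # drop "[ 3]" prefix of numbered output
            act = 0
            for (i = 2; i <= NF; i++) if ($i == "ALLOW" || $i == "LIMIT") { act = i; break }
            if (!act) next                          # header, blank, DENY/REJECT lines
            f = act + 1
            if ($f == "OUT") next                   # outbound rules are not exposure
            if ($f == "IN") f++                     # verbose output prints "ALLOW IN"
            from = $f
            if ($(f + 1) == "(v6)") from = from " (v6)"
            split($1, t, "/")                       # "9000:9001/tcp" -> "9000:9001"
            m = split(t[1], r, ":")
            lo = r[1] + 0; hi = (m > 1) ? r[2] + 0 : lo
            if (lo == 0) next                       # "Anywhere" in the To column
            hit = 0
            for (q in bad) if (q + 0 >= lo && q + 0 <= hi) hit = 1
            if (hit && (from ~ /^Anywhere/ || from == "0.0.0.0/0" || from == "::/0")) {
                print "EXPOSED: " $1 " allowed from " from
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: what `ufw status` might print on a misconfigured manager.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.168.1.100
443/tcp                    ALLOW       192.168.1.0/24
9090/tcp                   ALLOW       Anywhere
9000:9001/tcp              ALLOW       10.0.0.0/8
9200/tcp (v6)              ALLOW       Anywhere (v6)'

printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_status \
    || echo "Tighten the rules above before exposing this host"
```

On a live manager run `sudo ufw status | audit_ufw_status` after every rule change; a non-zero exit is a good candidate for a pre-deployment check.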

Cloud Provider Specific Configurations

AWS Security Groups

{
  "SecurityGroupIngress": [
    {
      "IpProtocol": "tcp",
      "FromPort": 443,
      "ToPort": 443,
      "CidrIp": "0.0.0.0/0",
      "Description": "HTTPS access"
    },
    {
      "IpProtocol": "tcp",
      "FromPort": 22,
      "ToPort": 22,
      "CidrIp": "ADMIN_IP/32",
      "Description": "SSH admin access"
    },
    {
      "IpProtocol": "tcp",
      "FromPort": 9000,
      "ToPort": 9001,
      "CidrIp": "10.0.0.0/8",
      "Description": "Agent communication"
    }
  ]
}

Azure Network Security Groups

# Create NSG rule for HTTPS
az network nsg rule create \
  --resource-group UTMStack-RG \
  --nsg-name UTMStack-NSG \
  --name Allow-HTTPS \
  --priority 100 \
  --source-address-prefixes "ANALYST_IP" \
  --destination-port-ranges 443 \
  --protocol Tcp \
  --access Allow

Security Best Practices

Principle of Least Privilege

  • Only open required ports
  • Restrict source IPs when possible
  • Use network segmentation
  • Regular security audits

Network Segmentation

  • Separate management network
  • Isolated agent network
  • DMZ for log collectors
  • Internal-only cluster communication

Monitor Access

  • Log all connection attempts
  • Alert on unauthorized access
  • Regular review of firewall logs
  • Use intrusion detection

Keep Updated

  • Apply security patches
  • Update firewall rules
  • Review access requirements
  • Document changes

Testing Connectivity

Test Open Ports

# From remote machine
nmap -p 22,80,443,9000,9001,50051 UTMSTACK_IP

# Test specific port
telnet UTMSTACK_IP 443
nc -zv UTMSTACK_IP 443

# Check listening ports on server
sudo netstat -tlnp | grep LISTEN
sudo ss -tlnp

Verify Agent Connectivity

# Test from agent machine
curl -k https://UTMSTACK_IP:9000
telnet UTMSTACK_IP 9000

Troubleshooting

If the web interface is not reachable, check:
# Verify port 443 is listening
sudo netstat -tlnp | grep 443

# Check firewall rules
sudo ufw status numbered

# Test from server
curl -k https://localhost

If agents cannot connect to the manager, check:
# Verify agent ports are open
sudo netstat -tlnp | grep -E '9000|9001|50051'

# Check firewall allows agent network
sudo ufw status | grep -E '9000|9001|50051'

# Test connectivity from agent
telnet MANAGER_IP 9000

If syslog messages are not being received, check:
# Verify syslog port is listening
sudo netstat -ulnp | grep 514

# Test syslog reception
logger -n UTMSTACK_IP -P 514 "Test message"

# Check firewall rules
sudo ufw status | grep 514
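The three checks above each grep for one port. As an added example (not from the UTMStack documentation), the script below reads `sudo ss -lntu` output and reports every port from this guide that the manager is expected to expose but is not listening on, which separates a service that never started from a firewall that is blocking it; the REQUIRED_PORTS list and the sample ss output are assumptions constructed for the example.

```shell
#!/bin/sh
# check_listeners: read `sudo ss -lntu` output on stdin and print one line per
# expected port with no listening socket. Returns 1 if anything is missing.
# Port list assumed from this guide: web UI, agent ports and syslog receivers.
REQUIRED_PORTS="tcp/443 tcp/9000 tcp/9001 tcp/50051 udp/514 tcp/514 tcp/6514"

check_listeners() {
    awk -v req="$REQUIRED_PORTS" '
        BEGIN { n = split(req, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        # ss columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
        ($1 == "tcp" && $2 == "LISTEN") || ($1 == "udp" && $2 == "UNCONN") {
            port = $5; sub(/.*:/, "", port)      # "0.0.0.0:514" or "[::]:514" -> "514"
            seen[$1 "/" port] = 1
        }
        END {
            for (k in want) if (!(k in seen)) { print "NOT LISTENING: " k; missing = 1 }
            exit (missing ? 1 : 0)
        }
    '
}

# Constructed sample: a manager whose TCP syslog receivers were never started.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:514       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:9000      0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:9001      0.0.0.0:*
tcp   LISTEN 0      4096            [::]:50051        [::]:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | check_listeners \
    || echo "Start or reconfigure the services above, then re-check the firewall"
```

Run `sudo ss -lntu | check_listeners` on the manager; only ports that are listening here are worth debugging at the firewall layer.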

Integration-Specific Port Requirements

Additional ports may be required for specific integrations. Refer to each integration’s documentation for detailed port requirements and security recommendations.
Common integration ports:
  • Windows agents: 9000-9001/TCP, 50051/TCP
  • Linux agents: 9000-9001/TCP, 50051/TCP
  • Network devices: 514/UDP (Syslog), 2055/UDP (NetFlow)
  • Firewalls: 514/TCP (Syslog-TLS recommended)
  • Custom collectors: Varies by integration

Next Steps