HOW TO: Understand UTM Port Usage

Every time a UTM feature is enabled, a port is opened on one or more addresses or interfaces. Sometimes the port may be opened on more interfaces than the system administrator would wish. Unfortunately, UTM does not provide a simple way to understand which ports are open on which addresses or interfaces. This document is a compilation of how I believe UTM behaves. I am hoping that Sophos partners or other knowledgeable people will confirm or correct the information presented here, so that a complete and correct master list can be available to everyone.

General

Some UTM services listen on one or more IP addresses; examples are User Portal and Webserver Protection/WAF. Other UTM services act on traffic as it arrives at one or more interfaces, intercepting packets for certain destination ports; Transparent Web is an example. If a particular service has no address or interface option in WebAdmin, the administrator should assume that the service is active everywhere: on all UTM addresses for an address-dependent service, or on all interfaces for an interface-dependent service.

Many services also have an Allowed Networks list, which filters incoming traffic by source IP. A packet whose source address is outside the Allowed Networks list is ignored by that service; traffic that no service claims is then handled by the Firewall Rules. In the absence of source address spoofing, an Allowed Networks list therefore has the effect of limiting the traffic a service accepts to specific interfaces. The filter sees only the source address, not the arrival interface, so it is not a substitute for binding the service to the right address. Firewall Rules have a spoof protection option for packets that reach that layer.

The recommended way to globally block unwanted traffic to a UTM port is a DNAT rule that redirects it to a dead-end destination. This KB article explains how to ensure that port 3400 (RED) is only reachable from known RED device IP addresses.

https://community.sophos.com/kb/en-us/126989

Rule #2 in this how-to document is also helpful for configuring DNAT rules.

https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz
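To make the dispatch order in the General section concrete, here is a small model of it in Python: DNAT is applied first, then address-dependent services (bound address, port, Allowed Networks), then interface-dependent services (arrival interface, port, skip list), and whatever is left falls through to the Firewall Rules with spoof protection. This is an added illustration for this how-to, not Sophos code. The interface table, the service bindings, the NAT rules, the dead-end address and the sample packets are all constructed; the model also assumes that NAT rules match first-match-wins before local delivery and that spoof protection drops a packet whose source belongs to a network attached to a different interface than the one it arrived on.

```python
"""Toy model of the UTM dispatch order described above. Added example, not
Sophos code; interfaces, services, rules and packets are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    iface: str   # interface the packet arrived on


@dataclass(frozen=True)
class AddressService:
    """Listens on specific UTM addresses (User Portal, WebAdmin, RED, ...)."""
    name: str
    proto: str
    port: int
    listen_addrs: frozenset   # UTM addresses the service is bound to
    allowed_networks: tuple   # source filter; () means any source


@dataclass(frozen=True)
class InterfaceService:
    """Intercepts traffic arriving on interfaces (Transparent Web, ...)."""
    name: str
    proto: str
    ports: frozenset
    interfaces: frozenset
    allowed_networks: tuple
    skip_sources: tuple = ()  # transparent-mode skip list


# Constructed interface table: interface name -> network attached to it.
INTERFACES = {"eth0": "10.0.0.0/24", "eth1": "203.0.113.0/24"}
DEAD_END = "192.0.2.254"      # assumed unused address used as the DNAT sink


def in_any(ip, nets):
    return any(ip_address(ip) in ip_network(n) for n in nets)


def looks_spoofed(pkt):
    # Assumption: drop if the source belongs to another interface's network.
    return any(ip_address(pkt.src) in ip_network(net)
               for name, net in INTERFACES.items() if name != pkt.iface)


def dispatch(pkt, dnat_rules, addr_services, iface_services, fw_rules):
    trace = []
    # 0. DNAT runs before any service sees the packet (first match wins), which
    #    is why a DNAT to a dead end works as a global block for a UTM port.
    for src_net, dst, proto, port, new_dst in dnat_rules:
        if in_any(pkt.src, [src_net]) and (pkt.dst, pkt.proto, pkt.dport) == (dst, proto, port):
            if new_dst != pkt.dst:
                trace.append(f"dnat:{pkt.dst}->{new_dst}")
                pkt = replace(pkt, dst=new_dst)
            break
    # 1. Address-dependent services: bound address + port + Allowed Networks.
    for s in addr_services:
        if ((pkt.proto, pkt.dport) == (s.proto, s.port) and pkt.dst in s.listen_addrs
                and (not s.allowed_networks or in_any(pkt.src, s.allowed_networks))):
            return trace + [f"service:{s.name}"]
    # 2. Interface-dependent services: arrival interface + port, minus skip list.
    for s in iface_services:
        if (pkt.proto == s.proto and pkt.dport in s.ports and pkt.iface in s.interfaces
                and not in_any(pkt.src, s.skip_sources)
                and (not s.allowed_networks or in_any(pkt.src, s.allowed_networks))):
            return trace + [f"service:{s.name}"]
    # 3. Firewall Rules: spoof check, then first matching rule, else drop.
    if looks_spoofed(pkt):
        return trace + ["firewall:drop(spoofed)"]
    for src_net, dst_net, proto, port, action in fw_rules:
        if (in_any(pkt.src, [src_net]) and in_any(pkt.dst, [dst_net])
                and proto in ("any", pkt.proto) and port in ("any", pkt.dport)):
            return trace + [f"firewall:{action}"]
    return trace + ["firewall:drop(default)"]


# Constructed policy: RED on the WAN address, reachable only from one known RED
# device (a no-op DNAT for it, then a DNAT to the dead end for everyone else);
# User Portal on the LAN address only; Transparent Web on the LAN interface.
DNAT = [("198.51.100.9/32", "203.0.113.1", "tcp", 3400, "203.0.113.1"),
        ("0.0.0.0/0", "203.0.113.1", "tcp", 3400, DEAD_END)]
ADDR_SERVICES = [AddressService("RED", "tcp", 3400, frozenset({"203.0.113.1"}), ()),
                 AddressService("User Portal", "tcp", 443, frozenset({"10.0.0.1"}), ("10.0.0.0/24",))]
IFACE_SERVICES = [InterfaceService("Transparent Web", "tcp", frozenset({80, 443}),
                                   frozenset({"eth0"}), ("10.0.0.0/24",), ("10.0.0.7/32",))]
FIREWALL = [("10.0.0.0/24", "0.0.0.0/0", "tcp", 80, "allow")]


def route(src, dst, proto, dport, iface):
    return dispatch(Packet(src, dst, proto, dport, iface), DNAT, ADDR_SERVICES, IFACE_SERVICES, FIREWALL)


if __name__ == "__main__":
    for args in [("198.51.100.9", "203.0.113.1", "tcp", 3400, "eth1"),
                 ("198.51.100.77", "203.0.113.1", "tcp", 3400, "eth1"),
                 ("10.0.0.5", "93.184.216.34", "tcp", 80, "eth0"),
                 ("203.0.113.5", "93.184.216.34", "tcp", 80, "eth0"),
                 ("10.0.0.5", "10.0.0.1", "tcp", 443, "eth1")]:
        print(args, "->", route(*args))
```

The last sample packet is the caveat from the paragraph above: a packet with a LAN source address arriving on the WAN interface still passes the User Portal's Allowed Networks filter, because the filter looks only at the source address and the service claims the packet before the firewall layer's spoof check runs. The RED example shows why the KB's DNAT approach works: the rewrite happens before any service sees the packet, so the RED listener never receives the connection from an unknown source.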

The Port Usage Matrices

This is my compendium of UTM services and the ports that they use. Please reply with your feedback. Some of the information comes from the WebAdmin interface, some from the WebAdmin help, some from web searches to identify the industry-standard behavior that UTM implements, and some from conversations with Sophos Support. Perhaps someday Sophos will provide a GUI tool to display and manipulate which ports are enabled on which entry points, so that the system administrator will not need to guess from a user-developed document like this one. I hope other users find this helpful.

An Interface Group object can be used to group multiple Interface Addresses into one object, and can probably be used anywhere that an Interface Address is requested. An Interface Group, or a Network Group of Interface and Additional Addresses, may be usable wherever a Target Address is requested. Consequently, in the tables below I use the term "One Interface Object" for an Interface Address or Interface Group, and "One Address Object" for an Additional Address, Interface Address, Interface Group, or Network Group.

User Portal and SSL VPN documentation indicates that the default is "Any". I have not used this setting, so I am unclear whether it is configured by leaving the address blank or by selecting the "Any" object in the GUI; most likely, either will work. I expect that "Any" will include both Additional Addresses and Interface Addresses. The documentation notes that using Any may create port conflicts with WAF. To avoid ambiguity, I suggest using an Interface Group or Network Group, instead of blank or Any, to choose the list of interfaces for those services.

Address-dependent services and Standard Mode proxies

| Function                         | Target Port                | Target Address(es)          | Allowed Networks Filter |
|----------------------------------|----------------------------|-----------------------------|-------------------------|
| Cisco VPN Client                 | UDP 500 (IKE)**            | All Interface Addresses     | Use DNAT |
| DNS                              | UDP 53                     | All Interface Addresses     | Yes |
| NTP                              | UDP 123                    | All Interface Addresses     | Yes |
| Remote Access L2TP over IPsec    | UDP 500 (IKE)**            | All Interface Addresses     | Use Firewall Rules or DNAT |
| Remote Access PPTP               | TCP 1723                   | All Interface Addresses     | Use Firewall Rules or DNAT |
| Remote Access SSL                | TCP/UDP 443*               | One Interface Object        | Use Firewall Rules or DNAT |
| Site-to-Site Amazon VPC          | Amazon controlled          | All Interface Addresses     | Specified Peer |
| Site-to-Site IPsec               | UDP 500 (IKE)**            | One Interface Object (each) | Specified Peer |
| Site-to-Site SSL                 | TCP/UDP 443*               | One Interface Object        | Specified Peer |
| SMTP (Authenticated Outbound)    | TCP 465, 587               | All Interface Addresses     | Use DNAT to prevent specific source addresses from connecting to UTM on these ports. Recommend disabling authenticated relay completely: your mail server, not UTM, should serve this purpose. |
| SMTP (Outbound Relay)            | TCP 25                     | All Interface Addresses     | Use the Trusted Relay list to limit which internal hosts can send through UTM. Use Firewall Rules to control whether internal hosts can bypass UTM to send mail. |
| SMTP (Inbound Relay)             | TCP 25                     | All Interface Addresses     | Use DNAT to block non-MX addresses from receiving traffic |
| Standard FTP                     | TCP 2121                   | All Interface Addresses     | Yes |
| Standard Web                     | TCP 8080*                  | All Interface Addresses     | Yes |
| WebAdmin                         | TCP 4444*                  | All Interface Addresses     | Yes |
| User Portal                      | TCP 443*                   | One Address Object          | Yes |
| WAF Virtual Server               | One TCP port, or 80+443    | One Address Object (each)   | Configured on the Site Path Routing object, with the Access Control checkbox enabled |
| Client Authentication            | <TBD>                      | Fake address 1.2.3.4        | No |
| Wireless Access Point Management | <TBD>                      | Fake address 1.2.3.4        | No |
| Reserved for SUM                 | TCP 4433 (UTM-to-SUM communication; TCP 4422 is the Gateway Manager web interface on the SUM itself, see Bob's reply below) | All Addresses | No |
| Reserved Other                   | UDP 10443                  | All Addresses               | No |

* Default port. It can be changed in WebAdmin, so check the configured value rather than assuming the default.
** IKE. Where NAT traversal is in play the peer also uses UDP 4500, and when no NAT is in the path the tunnel payload is ESP (IP protocol 50); any Firewall Rule or DNAT that blocks UDP 500 should cover those as well.
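A matrix like the one above is only useful if it can be checked against the box. The following script is an added example for this how-to, not Sophos code: it parses the output of `netstat -tulpn` (or `ss -tulpn`) as run on the UTM shell, compares it with a table of expected listeners, and reports ports that should not be open at all, services bound to every address where the matrix expects one address, and expected listeners that are missing. The netstat output, the process names and the EXPECTED table are constructed for the example, and the check assumes a per-address restriction shows up as the socket's bind address, which will not hold for a service that filters in the packet filter instead.

```python
"""Audit a listener table against expected UTM ports. Added example, not
Sophos code; netstat output, program names and expectations are constructed."""
import re
from typing import NamedTuple


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    program: str


class Finding(NamedTuple):
    kind: str      # "unexpected", "over-exposed" or "missing"
    service: str
    proto: str
    port: int
    addr: str


# netstat -tulpn socket line: proto recv-q send-q local foreign [state] pid/program
LINE_RE = re.compile(
    r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S+)\s*$")

WILDCARDS = {"0.0.0.0", "::", "*"}   # bind addresses that mean "every address"


def parse_netstat(text):
    """Return one Listener per socket line; header and noise lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, addr, port, program = m.groups()
            listeners.append(Listener(proto, addr, int(port), program))
    return listeners


def audit(listeners, expected):
    """expected maps (proto, port) -> (service name, "all" or set of addresses)."""
    findings, seen = [], set()
    for l in listeners:
        key = (l.proto, l.port)
        seen.add(key)
        if key not in expected:
            findings.append(Finding("unexpected", l.program, l.proto, l.port, l.addr))
            continue
        name, bind = expected[key]
        # A service that should sit on one address but is bound to a wildcard
        # (or to some other address) is listening more widely than intended.
        if bind != "all" and (l.addr in WILDCARDS or l.addr not in bind):
            findings.append(Finding("over-exposed", name, l.proto, l.port, l.addr))
    for key, (name, bind) in expected.items():
        if key not in seen:
            findings.append(Finding("missing", name, key[0], key[1], "-"))
    return findings


# Constructed expectations: WebAdmin, Standard Web, DNS and NTP on all
# addresses, User Portal pinned to the LAN address 10.0.0.1.
EXPECTED = {
    ("tcp", 4444): ("WebAdmin", "all"),
    ("tcp", 8080): ("Standard Web", "all"),
    ("tcp", 443): ("User Portal", {"10.0.0.1"}),
    ("udp", 53): ("DNS", "all"),
    ("udp", 123): ("NTP", "all"),
}

# Constructed netstat -tulpn output (PIDs and program names are made up).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      1201/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1201/httpd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1344/httpproxy
tcp        0      0 0.0.0.0:1080            0.0.0.0:*               LISTEN      1402/socksd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1150/named
"""


def audit_sample():
    return audit(parse_netstat(SAMPLE_NETSTAT), EXPECTED)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.kind:13} {f.proto}/{f.port:<5} {f.addr:15} {f.service}")
```

On the constructed sample the script flags the User Portal as over-exposed (bound to 0.0.0.0 instead of 10.0.0.1), a SOCKS listener on 1080 that the expectations do not account for, and a missing NTP listener. Replace EXPECTED with the rows from the matrix that apply to your configuration and rerun it after each change to a service's address setting.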

 

Interface Groups are a way of representing multiple interfaces with one object. In the list below, most services are not configurable to an interface. For the ones that are configurable, I don't think an Interface Group would make sense, but their use may be possible.

Interface-dependent services and Transparent Mode proxies

| Function                            | Target Port                  | Target Interface(s)                                    | Allowed Networks Filter |
|-------------------------------------|------------------------------|--------------------------------------------------------|-------------------------|
| Advanced Threat Protection          | All ports                    | All Interfaces                                         | Source IP skip list |
| Country Blocking                    | All ports                    | All Interfaces                                         | Public IP destinations only |
| DHCP                                | <not applicable>             | One Interface (each)                                   | N/A |
| DNAT                                | All ports                    | All Interfaces                                         | No |
| Firewall                            | All ports                    | All Interfaces                                         | No |
| Generic Proxy                       | TCP/UDP configured port      | One Interface (each)                                   | No |
| IDENT Reverse Proxy                 | TCP 113                      | All Interfaces                                         | No |
| Intrusion Prevention System         | All ports                    | All Interfaces                                         | Local Networks, less exceptions |
| SMTP (Authenticated Outbound)       | TCP 465, 587                 | All Interface Addresses                                | I don't think this applies in Transparent Mode. If you enable authenticated relay, it probably behaves like the Standard Mode proxy if you use a UTM destination address, and uses Firewall Rules if you use any other address. Not tested. |
| SMTP (Outbound Relay)               | TCP 25                       | All Interfaces                                         | Use the Transparent Mode skip list to exclude hosts from using the SMTP proxy to send mail, then use Firewall Rules to block them from using port 25 at all. I do not think the Trusted Relay list applies in Transparent Mode, but this needs to be tested. |
| SMTP (Inbound Relay)                | TCP 25                       | All Interface Addresses                                | Use DNAT to block non-MX addresses from receiving traffic |
| NAT Masquerading                    | All ports                    | One Interface, an Interface Group, or Uplink Interfaces (primary addresses) | No |
| SNAT                                | All ports                    | All Interfaces                                         | No |
| SOCKS4 Proxy                        | TCP 1080                     | All Interfaces                                         | Yes |
| SOCKS5 Proxy                        | TCP 1080                     | All Interfaces                                         | Yes |
| Transparent FTP                     | TCP 21                       | All Interfaces                                         | Yes, less exclude list |
| Transparent SSO/NTLM Authentication | TCP 80, 443                  | Configured Interfaces                                  | No |
| Transparent Web                     | TCP 80, 443                  | All Interfaces                                         | Yes, less exclude list |
| VoIP H.323                          | TCP 1720 + secondary channel | All Interfaces                                         | Client & Gatekeeper networks |
| VoIP SIP                            | TCP/UDP 5060                 | All Interfaces                                         | Client & Server networks |


 

FQDN-dependent service

| Function                    | Target FQDN               | Target Interface(s) | Allowed Networks Filter |
|-----------------------------|---------------------------|---------------------|-------------------------|
| Web Filter Block/Warn Pages | passthrough.fw-notify.net | All Interfaces      | No |


Sophos Cloud-dependent services

| Function            | Incoming Port | Target Address(es)                 | Allowed Networks Filter |
|---------------------|---------------|------------------------------------|-------------------------|
| RED                 | TCP 3400      | All public IP interface addresses  | Use DNAT (see the KB article linked above) |
| Endpoint Protection | <TBD>         | All public IP interface addresses  | No |


  • Correction #1: Edited the original post to indicate that the Allowed Networks filter for WAF is implemented using the Site Path Routing object.

  • Thanks for this, Doug!

    The SSL VPN (S2S & RA share the same settings) can function either on one interface address or it can function on "Any" of them.

    The S2S IPsec Connection can also be defined with an Interface Group, but only the active interface should have open ports (my guess).

    Like the SSL VPN, the User Portal can be a single address or "Any" interface address.

    The SUM GUI can indeed be reached on 4422, but SUM and UTM communicate on 4433.

    Masquerading can be one interface address, the primary addresses of an Interface Group or the primary addresses of "Uplink Interfaces."

    Intrusion Prevention protects all networks in 'Local Networks'.

    Cheers - Bob

  • In reply to BAlfson:

    I mentioned port 4422 only because of a help page that says it is reserved for something related to UTM.   Do we need to add an entry that 4433 is reserved as well?   I don't have SUM so I have not read that documentation.

    I have revised the original to integrate your helpful comments. Perhaps when this is stable it could be moved to the Wiki.

  • In reply to DouglasFoster:

    Yes, from the Help in 'UTM Manager' in WebAdmin: "Note – The communication between the gateway and SUM takes place on port 4433, whereas the Sophos UTM Manager can be accessed through a browser via the HTTPS protocol on port 4444 for the WebAdmin and on port 4422 for the Gateway Manager interface."

    Cheers - Bob

  • 7/1/2018 - Edited the original draft to add detail about the SMTP proxy, both Standard and Transparent.