Every time a UTM feature is enabled, a port is opened on one or more addresses or interfaces. Sometimes, the port may be opened for more interfaces than the system administrator would wish. Unfortunately, UTM does not provide a simple way to understand which ports are open on which addresses or interfaces. This document is a compilation of how I believe UTM behaves. I am hoping that Sophos partners or other knowledgeable people will confirm or correct the information presented here, so that a complete and correct master list can be available to everyone.
General
Some UTM services listen on one or more IP Addresses. Examples are User Portal and Webserver Protection/WAF. Some UTM services listen to traffic as it arrives at one or more interfaces, intercepting traffic for certain destination ports, such as Transparent Web. If a particular service does not have a configuration option in WebAdmin, the administrator should assume that the service will be active everywhere – either all UTM Addresses for an address-dependent service, or all Interfaces for an interface-dependent service.
Many services also have an Allowed Networks list which filters incoming traffic based on source IP. Any packet with a source address outside the Allowed Networks list will be ignored by that service, and traffic which is not processed by other services will be processed by the Firewall Rules. In the absence of source address spoofing, an Allowed Networks list can have the effect of limiting incoming traffic to specific interfaces for purposes of that service. Firewall Rules have an option for spoof protection for packets that hit that layer.
The recommended way to globally block unwanted traffic is to use a DNAT rule to direct traffic to a dead-end destination. This KB article explains how to ensure that port 3400 is only available to known RED device IP Addresses.
https://community.sophos.com/kb/en-us/126989
Rule #2 in this how-to document is also helpful for configuring DNAT rules.
https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz
The Port Usage Matrices
This is my compendium of UTM services and the ports that they use. Please reply with your feedback. Some of the information comes from the WebAdmin interface, some from the WebAdmin help, some from web searches to identify the industry-standard behavior that UTM implements, and some from conversations with Sophos Support. Perhaps someday, Sophos will provide a GUI tool to display and manipulate which ports are enabled on which entry points, so that the system administrator will not need to guess from a user-developed document like this one. I hope other users find this helpful.
An Interface Group object can be used to group multiple Interface Addresses into one object, and can probably be used anywhere that an Interface Address is requested. An Interface Group, or a Network Group of Interface and Additional Addresses, may be usable wherever a Target Address is requested. Consequently, in the table below I use the term "One Interface Object" to represent an Interface Address or Interface Group. Similarly, I use the term "One Address Object" to represent an Additional Address, Interface Address, Interface Group, or Network Group.
User Portal and SSL VPN documentation indicate that the default is "Any". I have not used this setting, so I am unclear whether this should be configured by leaving the address blank or by configuring the "Any" object into the GUI; most likely, either will work. I expect that "Any" will include both Additional Addresses and Interface Addresses. The documentation notes that using Any may create port conflicts with WAF. To avoid ambiguity, I suggest using an Interface Group or Network Group, instead of blank or Any, to choose a list of interfaces for those services.
Address-dependent services and Standard Mode proxies

| Function | Target Port | Target Address(es) | Allowed Networks Filter |
|---|---|---|---|
| Cisco VPN Client | UDP 500 | All Interface Addresses | Use DNAT |
| DNS | UDP 53 | All Interface Addresses | Yes |
| NTP | UDP 123 | All Interface Addresses | Yes |
| Remote Access L2TP over IPSEC | UDP 500 | All Interface Addresses | Use Firewall Rules or DNAT |
| Remote Access PPTP | TCP 1723 | All Interface Addresses | Use Firewall Rules or DNAT |
| Remote Access SSL | TCP/UDP 443* | One Interface Object | Use Firewall Rules or DNAT |
| Site-To-Site Amazon VPC | Amazon controlled | All Interface Addresses | Specified Peer |
| Site-To-Site IPSEC | UDP 500 | One Interface Object (each) | Specified Peer |
| Site-To-Site SSL | TCP/UDP 443* | One Interface Object | Specified Peer |
| SMTP (Authenticated Outbound) | TCP 465,587 | All Interface Addresses | Use DNAT to prevent specific source addresses from connecting to UTM on this port. Recommend disabling authenticated relay completely, as your mail server should be used for this purpose instead of UTM. |
| SMTP (Outbound Relay) | TCP 25 | All Interface Addresses | Use Trusted Relay list to limit which internal hosts can send through UTM. Use Firewall Rules to control whether internal hosts can bypass UTM to send mail. |
| SMTP (Inbound Relay) | TCP 25 | All Interface Addresses | Use DNAT to block non-MX addresses from receiving traffic |
| Standard FTP | TCP 2121 | All Interface Addresses | Yes |
| Standard Web | TCP 8080* | All Interface Addresses | Yes |
| Web Admin | TCP 4444* | All Interface Addresses | Yes |
| User Portal | TCP 443* | One Address Object | Yes |
| WAF Virtual Server | One TCP port or 80+443 | One Address Object (each) | Configured on Site Path Routing object, with Access Control checkbox enabled. |
| Client Authentication | <TBD> | Fake address 1.2.3.4 | No |
| Wireless Access Point Management | <TBD> | Fake address 1.2.3.4 | No |
| Reserved to SUM | TCP 4422 | All Addresses | No |
| Reserved Other | UDP 10443 | All Addresses | No |
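The matrix above lists what should be listening and where; since UTM offers no view of what actually is, a quick way to check is to run `ss -lntu` on the appliance shell and compare the result with the matrix. The script below is an added example, not part of the original post or of UTM itself; the EXPECTED table is a subset of the matrix chosen for illustration, and the `ss` output is a constructed sample rather than a capture from a real appliance.

```python
from typing import Dict, List, Tuple

# (proto, port) -> (service from the matrix, can it be bound to one address object?)
# Subset of the matrix, constructed for this example.
EXPECTED: Dict[Tuple[str, int], Tuple[str, bool]] = {
    ("tcp", 4444): ("WebAdmin", False),
    ("tcp", 443): ("User Portal / SSL VPN / WAF", True),
    ("tcp", 8080): ("Standard Web proxy", False),
    ("tcp", 2121): ("Standard FTP proxy", False),
    ("tcp", 25): ("SMTP relay", False),
    ("tcp", 4422): ("Reserved to SUM", False),
    ("udp", 500): ("IPsec / Cisco VPN client", False),
    ("udp", 53): ("DNS", False),
}
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}  # bound to every address

# Constructed sample of `ss -lntu` output (not from a real appliance).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:4444      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:9999      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:500       0.0.0.0:*
"""

def parse_ss(output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local_addr, port) per socket line; the header is skipped."""
    rows = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, port = fields[4].rsplit(":", 1)  # also handles [::]:443 and *:443
        rows.append((fields[0], addr, int(port)))
    return rows

def audit(output: str, expected=EXPECTED) -> List[str]:
    """Flag listeners missing from the matrix, and services the matrix lets you
    bind to one address object that are instead listening on every address."""
    findings = []
    for proto, addr, port in parse_ss(output):
        entry = expected.get((proto, port))
        if entry is None:
            findings.append(f"UNEXPECTED {proto}/{port} on {addr}")
        elif entry[1] and addr in WILDCARD:
            findings.append(f"WIDE {proto}/{port} ({entry[0]}) on all addresses")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print(finding)
```

Feed it the live output with `ss -lntu > listeners.txt` on the UTM and `audit(open("listeners.txt").read())`; a WIDE finding on 443 means the User Portal or SSL VPN is exposed on all addresses rather than the address object you meant to choose.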
Interface Groups are a way of representing multiple interfaces with one object. In the list below, most services are not configurable to an interface. For the ones that are configurable, I don't think an Interface Group would make sense, but their use may be possible.
Interface-dependent services and Transparent Mode Proxies

| Function | Target Port | Target Interface(s) | Allowed Networks Filter |
|---|---|---|---|
| Advanced Threat Protection | All ports | All Interfaces | Source IP skip list |
| Country Blocking | All ports | All Interfaces | Public IP Destinations only |
| DHCP | <not applicable> | One Interface (each) | N/A |
| DNAT | All ports | All Interfaces | No |
| Firewall | All ports | All Interfaces | No |
| Generic Proxy | TCP/UDP Configured Port | One Interface (each) | No |
| IDENT Reverse Proxy | TCP 113 | All Interfaces | No |
| Intrusion Protection System | All ports | All Interfaces | Internal network, less exceptions |
| SMTP (Authenticated Outbound) | TCP 465,587 | All Interface Addresses | I don't think this applies in Transparent Mode. If you enable authenticated relay, it probably behaves like the Standard Mode Proxy if you use a UTM destination address, and uses Firewall Rules if you use any other address. Not tested. |
| SMTP (Outbound Relay) | TCP 25 | All Interfaces | Use the Transparent Mode Skiplist to exclude hosts from using the SMTP Proxy to send mail, then use Firewall Rules to block them from using port 25 at all. I do not think the Trusted Relay List applies in Transparent Mode, but this needs to be tested. |
| SMTP (Inbound Relay) | TCP 25 | All Interface Addresses | Use DNAT to block non-MX addresses from receiving traffic |
| NAT Masquerading | All ports | One Interface | No |
| SNAT | All ports | All Interfaces | No |
| SOCKS4 Proxy | TCP 1080 | All Interfaces | Yes |
| SOCKS5 Proxy | TCP 1080 | All Interfaces | Yes |
| Transparent FTP | TCP 21 | All Interfaces | Yes, less exclude list |
| Transparent SSO/NTLM Authentication | TCP 80, 443 | Configured Interfaces | No |
| Transparent Web | TCP 80, 443 | All Interfaces | Yes, less exclude list |
| VOIP H.323 | TCP 1720 + secondary channel | All Interfaces | Client & Server networks |
| VOIP SIP | TCP/UDP 5060 | All Interfaces | Client & Gatekeeper networks |
FQDN-dependent service

| Function | Target FQDN | Target Interface(s) | Allowed Networks Filter |
|---|---|---|---|
| Web Filter Block/Warn Pages | DNS fw.passthru-notify.net or fw.passthrough-notify.net | All Interfaces | No |
Sophos Cloud-Dependent Services

| Function | Incoming Port | Target Address(es) | Allowed Networks Filter |
|---|---|---|---|
| RED | TCP 3040 | All Public IP interface addresses | Use DNAT |
| Endpoint Protection | <TBD> | All Public IP interface addresses | No |