Depending on your network layout, you may need to open some ports on your firewall and edit your firewall rules. These changes let you access the important web addresses that are essential for Symantec Endpoint Detection and Response operations.

Table: Symantec EDR web and IP addresses lists the web and IP addresses to which Symantec EDR requires access.

Table: Symantec EDR web and IP addresses

Web addresses/IP Address

Protocol

Port

Description

https://api-gateway.symantec.com

TCP

443

Accesses Symantec's Targeted Attack Analytics service

licensing.dmas.symantec.com

TCP

443

Used to get the Cynic license

api.us.dmas.symantec.com

api.eu.dmas.symantec.com

TCP

443

Used to perform queries to the Cynic US and UK servers (required)

liveupdate.symantec.com

TCP

80

Used to check for and download definitions for Symantec's detection technologies

ratings-wrs.symantec.com

TCP

443

Used to query Norton Safe Web server to identify malicious websites

stnd-avpg.crsi.symantec.com

stnd-ipsg.crsi.symantec.com

TCP

443

Used to send detection telemetry to Symantec

register.brightmail.com

TCP

443

Used to register the Symantec EDR appliance

swupdate.brightmail.com

TCP

443

Used to check for and download new releases of Symantec EDR

shasta-rrs.symantec.com

shasta-mrs.symantec.com

TCP

443

Used to perform reputation lookups for Windows executable and APK installable files

datafeedapi.symanteccloud.com

TCP

443

Used to download EDR: Roaming and Email Security.cloud events

stats.norton.com

TCP

443

When telemetry is configured, used to send statistics telemetry to Symantec

telemetry.symantec.com

TCP

443

When telemetry is configured, used to send file telemetry and to upload diagnostic packages to Symantec

EDR appliance console

TCP

443 (inbound)

Access to Symantec EDR public API

: https://edrc.symantec.com

TCP

443

Used to register and connect your Symantec EDR appliances with the Symantec EDR Cloud.

Also used to allow the Dissolvable Agents (that run on your clients) and the Dissolvable Agent Servers to access the Symantec EDR Cloud.

Table: Symantec EDR ports and settings describes the ports that Symantec EDR uses for communications, content updates, and interactions with Symantec.cloud detection services.

Table: Symantec EDR ports and settings

Service

Protocol

Port

From

To

Description

Back up

FTP; SSH

20 TCP, UDP

21 TCP

22 TCP, UDP

Management platform or all-in-one appliances

Configured backup storage server

(Internal traffic)

FTP server: FTP ports 20, 21.

SSH server: SSH port 22.

Email notifications

SMTP

25 TCP

587 TCP

Management platform or all-in-one appliance

SMTP server

(Internal traffic)

Communication with the SMTP server.

Content updates

HTTP

80 TCP

All appliances

Symantec

(External traffic)

Virus and Vantage definitions, and other content that LiveUpdate delivers. This port is required for proper functioning of the product.

Statistics delivery

HTTP

80 TCP

All appliances

Symantec

(External traffic)

Sends the data to Symantec for statistical and diagnostic purposes. Private data is not sent over this port.

Endpoint Communications Channel (ECC) 2.0

HTTPS

HTTP

443

80

Symantec EDR

Managed SEP endpoints

Communicates commands to the endpoints.

ECC 1.0

HTTPS

8446

Symantec EDR

SEPM

Commands to SEPM.

RRS/endpoint submissions

ECC 2.0

HTTPS

HTTP

443

8080

SEP

Symantec EDR

The SEPM private cloud that lets endpoints communicate with Symantec EDR.

RRS/endpoint submissions

ECC 1.0

HTTPS

HTTP

HTTP

443

80

8443

Note:

Port 8443 is only available if you were using this port on previous versions of Symantec EDR and have since updated. If you are installing Symantec EDR for the first time, this port is not available.

SEP

Symantec EDR

The SEPM private cloud that lets endpoints communicate with Symantec EDR.

Symantec cloud detection, analysis, and correlation services and telemetry services

If endpoint activity recorder enabled

If endpoint activity recorder disabled

443 TCP

All Symantec EDR appliances

Symantec

(External traffic)

Cloud service queries and telemetry data exchanges.

If the endpoint activity recorder is enabled SEP sends conviction events directly to Symantec EDR.

Antivirus and intrusion prevention conviction information

HTTPS

HTTP 8080 TCP or HTTPS 443 TCP

HTTP 80 TCP or HTTPS 8443 TCP

SEP clients

Symantec EDR management platform

Information about the files and the network traffic that SEP detects.

Antivirus and intrusion prevention conviction information

HTTPS

HTTP

443 TCP

80

Symantec EDR management platform

Symantec (External traffic)

Information about files and the network traffic that SEP detects.

Product updates

HTTPS

443 TCP

All appliances

Symantec

(External traffic)

Finds and delivers new versions of Symantec EDR.

EDR appliance console

HTTPS

443 TCP

Client connecting to manage an appliance

Management platform or all-in-one appliance

(Internal traffic)

EDR appliance console access for an all-in-one appliance or management platform.

EDR appliance console, network scanners, and all-in-one

SSH

22

Client connecting to manage an appliance

Management platform, scanner, or all-in-one appliance

(Internal traffic)

Command-line access for an all-in-one appliance or management platform.

Synapse SEPM connection with Microsoft SQL Server (optional)

JDBC

1433 TCP (default)

Management platform or all-in-one appliance

SEPM Microsoft SQL Server

(Internal traffic)

Required if using the Microsoft SQL Server for SEPM and Synapse. SEPM administrators can configure a different port for this communication.

Communication channel (management platform and network scanner installations only)

AMQP

5671 TCP

5672 TCP

Network scanner appliance

Management platform

(Internal traffic)

Communications between the management platform and network scanners. Not required for an all-in-one installation. After the initial exchange on this port, the communication is secured.

Blocking page (Inline Block mode only)

HTTP

8080 TCP

Network scanner

Protected endpoints

(Internal traffic)

Sends the blocking page when content is blocked at an endpoint. Not required for Inline Monitor or Tap/Span modes.

Synapse SEPM connection with Embedded DB (optional)

HTTPS

8081 TCP (default)

Management platform or all-in-one appliance

SEPM server

(Internal traffic)

Required if using the embedded database for Synapse connection to SEPM.

Synapse SEPM connection with the SEPM web services Remote Management and Monitoring (RMM) service (optional)

HTTPS

8446 TCP (default)

Management platform or all-in-one appliance

SEPM Server

Required if connecting to the SEPM server for executing management operations. For example, adding or removing items from the blacklist or placing an endpoint under quarantine.

Syslog

Syslog

TCP (preferred) or UDP port should be the same as configured in the EDR appliance console for syslog

All appliances

Configured Syslog server

(Internal or external traffic based on your environment)

If syslog is configured, this connection delivers log messages to remote syslog.

EDR: Roaming

EDR: Email

HTTPS

443 TCP

Management platform or all-in-one appliance

Symantec

This connection allows Symantec EDR to collect conviction events from EDR: Roaming and EDR: Email when Synapse Correlation is enabled for either one of these services.

Active Directory

LDAPS

636

Management platform or all-in-one appliance

Active Directory server

This connection allows Symantec EDR to integrate with Active Directory for user authentication.
Legacy ID: v97213154_v128921691

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.