Depending on your network layout, you may need to open some ports on your firewall and edit your firewall rules. These changes let you access the important web addresses that are essential for Symantec Advanced Threat Protection (ATP) operations.

Table: ATP web and IP addresses lists the web and IP addresses to which ATP requires access.

Table: ATP web and IP addresses

Web addresses/IP Address

Protocol

Port

Description

https://api-gateway.symantec.com

TCP

443

Accesses Symantec's Targeted Attack Analytics service

licensing.dmas.symantec.com

TCP

443

Used to get the Cynic license

api.us.dmas.symantec.com

api.eu.dmas.symantec.com

TCP

443

Used to perform queries to the Cynic US and UK servers (required)

liveupdate.symantec.com

TCP

80

Used to check for and download definitions for Symantec's detection technologies

ratings-wrs.symantec.com

TCP

443

Used to query Norton Safe Web server to identify malicious websites

stnd-avpg.crsi.symantec.com

stnd-ipsg.crsi.symantec.com

TCP

443

Used to send detection telemetry to Symantec

register.brightmail.com

TCP

443

Used to register the ATP appliance

swupdate.brightmail.com

TCP

443

Used to check for and download new releases of ATP

shasta-rrs.symantec.com

shasta-mrs.symantec.com

TCP

443

Used to perform reputation lookups for Windows executable and APK installable files

datafeedapi.symanteccloud.com

TCP

443

Used to download ATP: Roaming and Email Security.cloud events

stats.norton.com

TCP

443

When telemetry is configured, used to send statistics telemetry to Symantec

telemetry.symantec.com

TCP

443

When telemetry is configured, used to send file telemetry and to upload diagnostic packages to Symantec

synapse.symantec.com

TCP

443

When telemetry is configured, used to send Synapse telemetry

ATP Manager

TCP

443 (inbound)

Access to ATP public API

198.6.48.16

TCP

443

When Synapse telemetry is configured, used to send Synapse telemetry. (The server is accessed through an IP address and not a domain.)

Table: ATP ports and settings describes the ports that ATP uses for communications, content updates, and interactions with Symantec.cloud detection services.

Table: ATP ports and settings

Service

Protocol

Port

From

To

Description

Back up

FTP; SSH

20 TCP, UDP

21 TCP

22 TCP, UDP

Management platform or all-in-one appliances

Configured backup storage server

(Internal traffic)

FTP server: FTP ports 20, 21.

SSH server: SSH port 22.

Email notifications

SMTP

25 TCP

587 TCP

Management platform or all-in-one appliance

SMTP server

(Internal traffic)

Communication with the SMTP server.

Content updates

HTTP

80 TCP

All appliances

Symantec

(External traffic)

Virus and Vantage definitions, and other content that LiveUpdate delivers. This port is required for proper functioning of the product.

Statistics delivery

HTTP

80 TCP

All appliances

Symantec

(External traffic)

Sends the data to Symantec for statistical and diagnostic purposes. Private data is not sent over this port.

Endpoint detection and response (EDR) 2.0

HTTPS

HTTP

443

80

ATP

Managed Symantec Endpoint Protection endpoints

Communicates commands to the endpoints.

EDR 1.0

HTTPS

8446

ATP

Symantec Endpoint Protection Manager

Commands to Symantec Endpoint Protection Manager.

RRS/endpoint submissions

EDR 2.0

HTTPS

HTTP

443

8080

Symantec Endpoint Protection Manager

ATP

The Symantec Endpoint Protection Manager private cloud that lets endpoints communicate with ATP.

RRS/endpoint submissions

EDR 1.0

HTTPS

HTTP

HTTP

443

80

8443

Note:

Port 8443 is only available if you were using this port on previous versions of ATP and have since updated. If you are installing ATP for the first time, this port is not available.

Symantec Endpoint Protection Manager

ATP

The Symantec Endpoint Protection Manager private cloud that lets endpoints communicate with ATP.

Symantec cloud detection, analysis, and correlation services and telemetry services

If endpoint data recorder enabled

If endpoint data recorder disabled

443 TCP

All ATP appliances

Symantec

(External traffic)

Cloud service queries and telemetry data exchanges.

If the endpoint data recorder is enabled Symantec Endpoint Protection sends conviction events directly to ATP.

Antivirus and intrusion prevention conviction information

HTTPS

HTTP 8080 TCP or HTTPS 443 TCP

HTTP 80 TCP or HTTPS 8443 TCP

Symantec Endpoint Protection clients

ATP management platform

Information about the files and the network traffic that Symantec Endpoint Protection detects.

Antivirus and intrusion prevention conviction information

HTTPS

HTTP

443 TCP

80

ATP management platform

Symantec (External traffic)

Information about files and the network traffic that Symantec Endpoint Protection detects.

Product updates

HTTPS

443 TCP

All appliances

Symantec

(External traffic)

Finds and delivers new versions of ATP.

ATP Manager

HTTPS

443 TCP

Client connecting to manage an appliance

Management platform or all-in-one appliance

(Internal traffic)

ATP Manager access for an all-in-one appliance or management platform.

ATP Manager, network scanners, and all-in-one

SSH

22

Client connecting to manage an appliance

Management platform, scanner, or all-in-one appliance

(Internal traffic)

Command-line access for an all-in-one appliance or management platform.

Synapse Symantec Endpoint Protection Manager connection with Microsoft SQL Server (optional)

JDBC

1433 TCP (default)

Management platform or all-in-one appliance

Symantec Endpoint Protection Manager Microsoft SQL Server

(Internal traffic)

Required if using the Microsoft SQL Server for Symantec Endpoint Protection Manager and Synapse. Symantec Endpoint Protection Manager administrators can configure a different port for this communication.

Communication channel (management platform and network scanner installations only)

AMQP

5671 TCP

5672 TCP

Network scanner appliance

Management platform

(Internal traffic)

Communications between the management platform and network scanners. Not required for an all-in-one installation. After the initial exchange on this port, the communication is secured.

Blocking page (Inline Block mode only)

HTTP

8080 TCP

Network scanner

Protected endpoints

(Internal traffic)

Sends the blocking page when content is blocked at an endpoint. Not required for Inline Monitor or Tap/Span modes.

Synapse Symantec Endpoint Protection Manager connection with Embedded DB (optional)

HTTPS

8081 TCP (default)

Management platform or all-in-one appliance

Symantec Endpoint Protection Manager server

(Internal traffic)

Required if using the embedded database for Synapse connection to Symantec Endpoint Protection Manager.

Synapse Symantec Endpoint Protection Manager connection with the Symantec Endpoint Protection Manager web services Remote Management and Monitoring (RMM) service (optional)

HTTPS

8446 TCP (default)

Management platform or all-in-one appliance

Symantec Endpoint Protection Manager Server

Required if connecting to the Symantec Endpoint Protection Manager server for executing management operations. For example, adding or removing items from the blacklist or placing an endpoint under quarantine.

Syslog

Syslog

TCP (preferred) or UDP port should be the same as configured in ATP Manager for syslog

All appliances

Configured Syslog server

(Internal or external traffic based on your environment)

If syslog is configured, this connection delivers log messages to remote syslog.

ATP: Roaming

ATP: Email

HTTPS

443 TCP

Management platform or all-in-one appliance

Symantec

This connection allows ATP to collect conviction events from ATP: Roaming and ATP: Email when Synapse Correlation is enabled for either one of these services.

Active Directory

LDAPS

636

Management platform or all-in-one appliance

Active Directory server

This connection allows ATP to integrate with Active Directory for user authentication.
Legacy ID: v97213154_v127312507

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Symantec Corporation