SonicWall firewall appliances initiate and accept a range of network connections to deliver security services, licensing, management, and telemetry. Administrators deploying SonicWall devices behind an upstream firewall or in a restricted network segment must allow the relevant ports and FQDNs listed in this article to ensure correct operation.
All FQDNs resolve to SonicWall-operated infrastructure unless otherwise noted. IP address ranges for these endpoints are not published as static values and may change without notice. Create upstream firewall rules based on FQDN wherever possible rather than on a static IP address.
This information can also be found in the Tech Support Report (TSR). More information about the TSR can be found in the following article: How to Download Tech Support Files (TSR, EXP, Logs) From SonicWall UTM Firewalls
The table below covers all active services for SonicWall Gen7 and Gen8 appliances. Deprecated or discontinued services are listed in the Legacy and Deprecated Services section.

| Service / Feature | Direction | Protocol | Port | FQDNs | Notes |
| --- | --- | --- | --- | --- | --- |
| CASS (Anti-Spam) | Outgoing | TCP | 25 | | |
| CASS (Anti-Spam) | Outgoing | TCP | 10025 | | |
| Capture Threat Assessment v2 | Outgoing | TCP | 443 | ctav2.global.sonicwall.com | |
| Content Filter (CFS) | Outgoing | UDP | 2257 | webcfs00.global.sonicwall.com, webcfs01.global.sonicwall.com, webcfs02 through webcfs11.global.sonicwall.com | If blocked, disable CFS on the firewall. Blocking causes severe performance impact. Upstream IDS/IPS must not rate-limit these flows. |
| Content Filter (CFS) | Outgoing | UDP | 53 | webcfs00.global.sonicwall.com, webcfs01.global.sonicwall.com, webcfs02 through webcfs11.global.sonicwall.com | DNS lookup for CFS servers. Same performance impact as port 2257 if blocked. |
| Dashboard (Global Threat Data) | Outgoing | TCP | 443 | lmdashboard.global.sonicwall.com | Pulls global threat data into the management UI. |
| DHCP Server | Incoming | UDP | 67 / 68 | | Required only when the firewall is configured as a DHCP server. |
| DPI Signature Updates (IPS/GAV/ASW) | Outgoing | TCP | 443 | sig2.sonicwall.com, sig3.sonicwall.com | |
| DPI SSL Exclusion Download | Outgoing | TCP | 443 | data.global.sonicwall.com | Built-in DPI-SSL exclusion list maintained by SonicWall. |
| Firewall Statistics | Outgoing | TCP | 59160 | lmstat.sonicwall.com | Active only when "Send Diagnostic Info to Support" is enabled. |
| Flow Reporting | Outgoing | UDP | 2055 | | |
| Gateway Anti-Virus (CloudAV) | Outgoing | UDP | 2259 | gcsd.global.sonicwall.com | If blocked, disable CloudAV. High packet rate expected. Port 2259 is also used by Sandbox Upload and TSA. |
| GeoIP and Botnet Download | Outgoing | TCP | 443 | gbdata.global.sonicwall.com, utmgbdata.global.sonicwall.com | Downloads the local GeoIP and Botnet IP database. |
| HTTP Management | Incoming | TCP | 80 | | Cleartext. Recommended to disable and use HTTPS only. |
| HTTPS Management | Incoming | TCP | 443 | | Default management port. Customizable. |
| LDAP | Outgoing | TCP | 389 (LDAP), 3268 (Global Catalog) | As configured | Cleartext. Use LDAPS where possible. |
| LDAPS | Outgoing | TCP | 636 (LDAPS), 3269 (GC over SSL) | As configured | |
| License Synchronization | Outgoing | TCP | 443 | licensemanager.sonicwall.com, lm2.sonicwall.com, lm3.sonicwall.com | Required for firewall registration, license renewal, and NSM onboarding. |
| Log Name Resolution (DNS) | Outgoing | UDP | 53 | System DNS server | Reverse lookups on log entries. Can be disabled or set to None. |
| Log Name Resolution (NetBIOS) | Outgoing | UDP / TCP | UDP 137, UDP 138, TCP 139 | System DNS server | Can be disabled or set to None to eliminate performance impact. |
| MAC Address Vendor Lookup | Outgoing | TCP | 443 | oui.global.sonicwall.com | Resolves MAC addresses to vendor names in the management UI. |
| NSM Reporting | Outgoing | UDP | 16001 (Reports), 16002 (Alerts) | *.elb.eu-central-1.amazonaws.com | Exact hostname assigned during NSM acquisition and cannot be restricted by IP. Must allow wildcard AWS eu-central-1. |
| NSM System Status | Outgoing / Incoming | UDP | 514 | nsm-eucentral-syslog.sonicwall.com | Syslogs carry system status messages in ZT mode. In manual mode, firewall up/down status is determined via syslog receipt. |
| NSM Zero-Touch | Outgoing | TCP | 443 | nsm-eucentral-iczt.sonicwall.com | Frankfurt region endpoint for Zero-Touch provisioning. |
| NTP | Outgoing | UDP | 123 | pool.ntp.org (default) | Customer-configured NTP FQDN may be used. Incoming NTP supported from SonicOS 7.1.1. |
| RADIUS | Outgoing | UDP | 1812 (Authentication), 1813 (Accounting) | As configured | |
| SAML | Incoming | TCP | 443 | As configured | Port and interface are customizable. |
| Sandbox Status (FRA / AMS) | Outgoing | TCP | 443 | sonicsandboxfra.global.sonicwall.com, sonicsandboxams.global.sonicwall.com | Retrieves and displays Capture ATP results in the management UI. |
| Sandbox Upload (FRA / AMS) | Outgoing | UDP | 2259 | sonicsandboxfra.global.sonicwall.com, sonicsandboxams.global.sonicwall.com | Packet clone upload to sandbox. CloudAV must be enabled. Shares port 2259 with CloudAV and TSA. |
| Signature Descriptions | Outgoing | TCP | 443 | idpapi.global.sonicwall.com | Retrieves signature detail text for display in the IPS/GAV UI. |
| Single Sign-On | Incoming | UDP | 2258 | | |
| SMTP (Log Automation / Alerts) | Outgoing | TCP | 25 | As configured | Used for log automation rules and event alert emails. |
| SNMP | Incoming | UDP | 161 / 162 | | For SNMP queries directed at the firewall. |
| Software Updates | Outgoing | TCP | 443 | software.sonicwall.com | Firmware updates for SonicWall firewalls and SonicWave APs. NetExtender download. |
| SSH Management | Incoming | TCP | 22 | | Port can be changed. |
| SSL VPN / Virtual Assist | Incoming | TCP | 4433 | | Port can be customized. |
| Terminal Server Agent (TSA) | Incoming | UDP | 2259 | | Receives authentication info from TSA. Shares port 2259 with CloudAV and Sandbox Upload. |
| URL Category Check | Outgoing | TCP | 80 / 443 | capturelabs.sonicwall.com | Used to query URL categories interactively in the management UI. |
| VPN (IPsec ESP) | Outgoing + Incoming | ESP | Protocol 50 | | |
| VPN (IKE) | Outgoing + Incoming | UDP | 500 | | |
| VPN (NAT Traversal) | Outgoing + Incoming | UDP | 4500 | | |
| WAN Failover and Load Balancing | Outgoing | TCP | 50000 | responder.global.sonicwall.com | TCP probing mode when WAN Load Balancing is configured. |
| WAN Failover and Load Balancing | Outgoing | ICMP | Type 8 | | ICMP ping probing. Alternative to TCP 50000 per WLB configuration. |

The services below are discontinued or no longer actively used in current SonicWall releases. Review any existing upstream firewall rules that permit this traffic and consider removing them after confirming no devices in your deployment still rely on these services.

| Service / Feature | Protocol | Port | Status and Notes |
| --- | --- | --- | --- |
| Secure Backup | TCP | 59160 | Discontinued. NSM is the recommended tool for backup and configuration management. |
| Setup Tool | UDP | 26214 | Verify whether this port is in active use before creating or removing firewall rules. |
| Viewpoint | UDP | 514 | No longer actively used. Existing rules permitting this traffic can be reviewed for removal. |
| WXA | TCP | 135/137/139/445 | WXA is no longer supported. Existing WXA-related firewall rules should be removed after confirming no WXA devices remain. |

CFS and CloudAV Performance Impact
If UDP 2257 and UDP 53 to webcfs00-11.global.sonicwall.com are blocked by an upstream device, every HTTP/HTTPS request processed by the SonicWall firewall times out waiting for a CFS response, causing severe throughput degradation. If these ports cannot be opened, disable the Content Filter Service feature on the firewall. Similarly, if UDP 2259 to gcsd.global.sonicwall.com is blocked, disable Gateway Anti-Virus to prevent throughput degradation. Upstream IDS/IPS systems must not block or rate-limit the high connection rates generated by CFS and CloudAV queries.
NSM Reporting
NSM Reporting uses UDP ports 16001 and 16002 to *.elb.eu-central-1.amazonaws.com. The exact hostname is dynamically assigned during the firewall acquisition process in NSM and cannot be determined in advance. Upstream rules must permit the wildcard domain or the full AWS eu-central-1 region IP range.
UDP 2259 Shared Port
UDP port 2259 is used by three services: Gateway Anti-Virus (CloudAV) outgoing to gcsd.global.sonicwall.com, Sandbox Upload (Capture ATP) outgoing to sonicsandboxfra/ams.global.sonicwall.com, and Terminal Server Agent (TSA) incoming from agents on the local network. CloudAV must be enabled for Sandbox Upload to function. When creating upstream rules, a single rule for UDP 2259 must accommodate all three services or be scoped by destination FQDN.
Customizable Management Ports
The following ports can be changed in the SonicWall management interface: HTTPS Management (default 443), SSH Management (default 22), SSL VPN and Virtual Assist (default 4433), and SAML (default 443). If custom ports are configured, ensure that upstream firewall rules are updated to reflect the new port numbers.
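
An added example, not SonicWall code: a Python check of an upstream allow-list against the outgoing flows the notes above single out (CFS on UDP 2257/53, the shared UDP 2259 port, and NSM Reporting on UDP 16001/16002). The rule tuple format, the function names, and the sample rules are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Outgoing flows copied from this page: (service, protocol, port, destination).
CFS = [f"webcfs{i:02d}.global.sonicwall.com" for i in range(12)]  # webcfs00-11
SANDBOX = ["sonicsandboxfra.global.sonicwall.com",
           "sonicsandboxams.global.sonicwall.com"]
NSM_ELB = "*.elb.eu-central-1.amazonaws.com"  # exact host is not known in advance
REQUIRED = (
    [("CFS", "udp", port, h) for port in (2257, 53) for h in CFS]
    + [("CloudAV", "udp", 2259, "gcsd.global.sonicwall.com")]
    + [("Sandbox Upload", "udp", 2259, h) for h in SANDBOX]
    + [("NSM Reporting", "udp", port, NSM_ELB) for port in (16001, 16002)]
)
# What the page says to do when a flow cannot be opened upstream.
FALLBACK = {"CFS": "disable Content Filter Service",
            "CloudAV": "disable Gateway Anti-Virus"}

def covered(flow, rules):
    """True if any (protocol, port, fqdn_glob) allow rule permits the flow.
    The destination is matched as a literal string, so the NSM wildcard is
    covered only by the same wildcard or a broader one, never by one host."""
    _, proto, port, dest = flow
    return any(proto == r_proto and port == r_port
               and fnmatchcase(dest, r_glob.lower())
               for r_proto, r_port, r_glob in rules)

def audit(rules):
    """Map each service with blocked flows to its missing (port, fqdn) pairs."""
    report = {}
    for flow in REQUIRED:
        if not covered(flow, rules):
            entry = report.setdefault(
                flow[0], {"missing": [], "fallback": FALLBACK.get(flow[0])})
            entry["missing"].append((flow[2], flow[3]))
    return report

# Constructed allow-list in a hypothetical tuple format (not a vendor syntax).
SAMPLE_RULES = [
    ("udp", 2257, "webcfs0?.global.sonicwall.com"),  # misses webcfs10 and 11
    ("udp", 53, "*.global.sonicwall.com"),
    ("udp", 2259, "gcsd.global.sonicwall.com"),      # scoped to CloudAV only
    ("udp", 16001, NSM_ELB),                         # 16002 (Alerts) forgotten
]

if __name__ == "__main__":
    for service, info in audit(SAMPLE_RULES).items():
        print(service, info["missing"], "fallback:", info["fallback"])
```

On the sample rules the audit reports the two CFS hosts the single-character glob skips, both Sandbox Upload destinations left out by the CloudAV-only UDP 2259 rule, and the NSM Alerts port.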