GravityZone (cloud) communication ports
Note
The article provides information on the ports used by the Bitdefender GravityZone cloud platform. For the ports used by the GravityZone on-premises platform, refer to this article.
GravityZone is a distributed solution, meaning that its components communicate with each other through the use of the local network or the internet. Each component uses a series of ports to communicate with the others.
You need to have these ports open and exclude all addresses mentioned in this table from any gateway security solution or network packet inspection so that GravityZone functions flawlessly.
Note
It is recommended that you do not use solutions for inspecting or scanning the traffic between endpoints, relays, and Bitdefender servers, because they may change the checksum and therefore damage the downloads.
Web Console
Inbound
Port | Source / Destination | Purpose |
80 (HTTP) | Any | Access to the Control Center web console; it redirects to 443. |
443 (HTTPS) | Any | Access to the Control Center web console. |
Security Agent (BEST, BEST Legacy, Endpoint Security)
Inbound
Port | Source / Destination | Purpose |
135 (RPC) | Any | Deployment through Relay. |
137, 138, 139 (NetBIOS) | Any | Deployment through Relay. |
Outbound
Port | Source / Destination | Purpose |
80 | lv2.bitdefender.com | License validation. |
cloud-lcs.gravityzone.bitdefender.com cloudgz-lcs.gravityzone.bitdefender.com cloudap-lcs.gravityzone.bitdefender.com | Used for auditing license seat usage in GravityZone Cloud Security for MSP. | |
389 (LDAP) | Active Directory Domain Controller | Integration with Active Directory (only for the endpoint with the role of Active Directory Integrator). |
636 (LDAPS) | ||
3268 | Domain Controller Global Catalog | |
3269 | ||
7074 | Relay agent (if available) | Required for downloading installation packages from the Relay agent, in the deployment phase. Communication messages received from endpoints linked to the Relay agent. |
7076 | Bitdefender Global Protective Network | Encrypted communication messages (when the Relay agent is used as a proxy). |
443 | cloud.gravityzone.bitdefender.com cloudgz.gravityzone.bitdefender.com cloudap.gravityzone.bitdefender.com | Downloading installation packages during deployment (Setup Downloader). |
cloud-ecs.gravityzone.bitdefender.com cloudgz-ecs.gravityzone.bitdefender.com cloudap-ecs.gravityzone.bitdefender.com | The link between the security agents and Communication Server. | |
eu-lurker-input.gravityzone.bitdefender.com/ us-lurker-input.gravityzone.bitdefender.com/ ap-lurker-input.gravityzone.bitdefender.com/ | The EDR traffic sent by security agent. | |
upgrade.bitdefender.com | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel. | |
*.nimbus.bitdefender.net Or you can exclude all the addresses below instead:
| Antimalware, antiphishing and content control scanning with Bitdefender Global Protective Network. | |
update-cloud.2d585.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel. | |
cloud-lcs.gravityzone.bitdefender.com cloudgz-lcs.gravityzone.bitdefender.com cloudap-lcs.gravityzone.bitdefender.com | Used for auditing license seat usage in GravityZone Cloud Security for MSP. | |
ingestors-eu.bmdr.bitdefender.com ingestors-us.bmdr.bitdefender.com ingestors-ap.bmdr.bitdefender.com | Traffic between the Relay agent and the Bitdefender MDR communication server. | |
22, 445 (SSH & SMB) | Any | Detects endpoints in the local network. |
53 (DNS) | DNS Server | Internal use for DNS queries. |
88 (Kerberos) | Active Directory Domain Controller | Active Directory integration for Linux endpoints. |
389, 636 (LDAP & LDAPS) | Active Directory Domain Controller | Active Directory integration. |
Relay Agent
Inbound
Port | Source / Destination | Purpose |
7074 | Security agent | Communication messages (such as settings and events) received from endpoints linked to the Relay agent. |
7076 | Bitdefender Global Protective Network | Encrypted communication messages proxied from connected endpoints to Bitdefender Global Protective Network. |
Outbound
Port | Source / Destination | Purpose |
80 | lv2.bitdefender.com | License validation. |
cloud-lcs.gravityzone.bitdefender.com cloudgz-lcs.gravityzone.bitdefender.com cloudap-lcs.gravityzone.bitdefender.com | Used for auditing license seat usage in GravityZone Cloud Security for MSP. | |
389 | Active Directory Domain Controller | Integration with Active Directory (only for the endpoint which has the role of Active Directory Integrator). |
7074 | Relay agent(*) (if available) | Downloading installation packages from another Relay agent, in the deployment phase. Communication messages received from endpoints linked to the Relay agent |
7076 | Bitdefender Global Protective Network | Encrypted communication messages received from endpoints linked to the Relay agent. |
443 | cloud.gravityzone.bitdefender.com cloudgz.gravityzone.bitdefender.com cloudap.gravityzone.bitdefender.com | Downloading installation packages during deployment (Setup Downloader) |
cloud-ecs.gravityzone.bitdefender.com cloudgz-ecs.gravityzone.bitdefender.com cloudap-ecs.gravityzone.bitdefender.com | Link between the Relay agent and Communication Server. | |
upgrade.bitdefender.com | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel | |
*.nimbus.bitdefender.net Or you can exclude instead all the addresses below:
| Antimalware, antiphishing, and content control scanning with Bitdefender Global Protective Network. | |
download.bitdefender.com | Downloading installation packages before deployment from the GravityZone Control Center. | |
update-cloud.2d585.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel | |
ingestors-eu.bmdr.bitdefender.com ingestors-us.bmdr.bitdefender.com ingestors-ap.bmdr.bitdefender.com | Traffic between the Relay agent and the Bitdefender MDR communication server. | |
cloud-lcs.gravityzone.bitdefender.com cloudgz-lcs.gravityzone.bitdefender.com cloudap-lcs.gravityzone.bitdefender.com | Used for auditing license seat usage in GravityZone Cloud Security for MSP. |
Security Server (Multi-Platform)
Inbound
Port | Source / Destination | Purpose |
1344 | Any | Used by the Security for Storage protection layer to communication between NAS devices compliant with ICAP and the Security Server. |
6379 | Security Server | Allows traffic between Security Servers. |
7081 | Any | Antimalware traffic scanning sent by the Security Agent. |
7083 | Any | Antimalware traffic scanning sent by the Security Agent over SSL. |
Outbound
Port | Source / Destination | Purpose |
443 | *.nimbus.bitdefender.net Or you can exclude all the addresses below instead:
| Periodical verification of antimalware detections with Bitdefender Global Protective Network. |
upgrade.bitdefender.com | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel. | |
*.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel. | |
cloud-ecs.gravityzone.bitdefender.com cloudgz-ecs.gravityzone.bitdefender.com cloudap-ecs.gravityzone.bitdefender.com | The link between the Security Server and the Communication Server. | |
download.bitdefender.com | Downloading updates. |
Sandbox Analyzer
Inbound and outbound
Port | Source / Destination | Purpose |
443 | Sandbox Analyzer | Allows communication between the endpoint and the Sandbox Analyzer Portal. Handles file submissions to: sandbox-portal.gravityzone.bitdefender.com |
Network Attack Defense
Inbound and outbound
Port | Source / Destination | Purpose |
8887 (TCP) | Any | Opened with BEST for Linux to enable Network Attack Defense. If port 8887 is used by another application or blocked by a firewall, Network Attack Defense will not receive traffic. |
(*) Since the relay is an update server that needs to listen on a port at all times, Bitdefender provides a mechanism able to automatically open a random port on localhost (127.0.0.1), so that the update server can receive proper configuration details. The update server tries to open the 7075 port to listen on localhost. If 7075 port is unavailable, the update server will search for another port that is free (in the range of 1025 to 65535) and successfully bind to listen on localhost.
Port 7074 must be open for deployment through Bitdefender Endpoint Security Tools Relay to work.
Note
To ensure secure communication between the GravityZoneControl Center and endpoints in network-restricted environments, create a firewall rule that whitelists the web addresses required to verify the server certificate revocation. The rule should whitelist all the web addresses that contain "digicert.com".
Example of web addresses the rule should match:
http://crl3.digicert.com
http://crl4.digicert.com
http://ocsp.digicert.com