Skip to main content

GravityZone (cloud) communication ports

Note

The article provides information on the ports used by the Bitdefender GravityZone cloud platform. For the ports used by the GravityZone on-premises platform, refer to this article.

GravityZone is a distributed solution, meaning that its components communicate with each other through the use of the local network or the internet. Each component uses a series of ports to communicate with the others.

You need to have these ports open and exclude all addresses mentioned in this table from any gateway security solution or network packet inspection so that GravityZone functions flawlessly.

Note

It is recommended that you do not use solutions for inspecting or scanning the traffic between endpoints, relays, and Bitdefender servers, because they may change the checksum and therefore damage the downloads.

Web Console

Inbound

Port

Source / Destination

Purpose

80 (HTTP)

Any

Access to the Control Center web console; it redirects to 443.

443 (HTTPS)

Any

Access to the Control Center web console.

Security Agent (BEST, BEST Legacy, Endpoint Security)

Inbound

Port

Source / Destination

Purpose

135 (RPC)

Any

Deployment through Relay.

137, 138, 139 (NetBIOS)

Any

Deployment through Relay.

Outbound

Port

Source / Destination

Purpose

80

lv2.bitdefender.com

License validation.

cloud-lcs.gravityzone.bitdefender.com
cloudgz-lcs.gravityzone.bitdefender.com
cloudap-lcs.gravityzone.bitdefender.com

Used for auditing license seat usage in GravityZone Cloud Security for MSP.

389 (LDAP)

Active Directory Domain Controller

Integration with Active Directory (only for the endpoint with the role of Active Directory Integrator).

636 (LDAPS)

3268

Domain Controller Global Catalog

3269

7074

Relay agent (if available)

Required for downloading installation packages from the Relay agent, in the deployment phase.

Used for product and security content updates.

Communication messages received from endpoints linked to the Relay agent.

7076

Bitdefender Global Protective Network

Encrypted communication messages (when the Relay agent is used as a proxy).

7079

Relay agent (if available)

Required for downloading installation packages from the Relay agent, in the deployment phase.

Used for product and security content updates.

Used for update staging.

443

cloud.gravityzone.bitdefender.com
cloudgz.gravityzone.bitdefender.com
cloudap.gravityzone.bitdefender.com

Downloading installation packages during deployment  (Setup Downloader).

cloud-ecs.gravityzone.bitdefender.com
cloudgz-ecs.gravityzone.bitdefender.com
cloudap-ecs.gravityzone.bitdefender.com

The link between the security agents and Communication Server.

eu-lurker-input.gravityzone.bitdefender.com/
us-lurker-input.gravityzone.bitdefender.com/
ap-lurker-input.gravityzone.bitdefender.com/

The EDR traffic sent by security agent.

upgrade.bitdefender.com

Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel.

*.nimbus.bitdefender.net

Or you can exclude all the addresses below instead:

nimbus.bitdefender.net
mclb-gcp.nimbus.bitdefender.net
eu.nimbus.bitdefender.net
us.nimbus.bitdefender.net
elb-fra-gcp.nimbus.bitdefender.net
elb-lon-gcp.nimbus.bitdefender.net
elb-nvi-gcp.nimbus.bitdefender.net
elb-ore-gcp.nimbus.bitdefender.net
elb-iow-gcp.nimbus.bitdefender.net
elb-tky-gcp.nimbus.bitdefender.net

Antimalware, antiphishing and content control scanning with Bitdefender Global Protective Network.

update-cloud.2d585.cdn.bitdefender.net

Downloading signature and product updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel.

download.bitdefender.com

(Linux only)

Downloading product updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel.

cloud-lcs.gravityzone.bitdefender.com
cloudgz-lcs.gravityzone.bitdefender.com
cloudap-lcs.gravityzone.bitdefender.com

Used for auditing license seat usage in GravityZone Cloud Security for MSP.

ingestors-eu.bmdr.bitdefender.com
ingestors-us.bmdr.bitdefender.com
ingestors-ap.bmdr.bitdefender.com

Traffic between the Relay agent and the Bitdefender MDR communication server.

22, 445 (SSH & SMB)

Any

Detects endpoints in the local network.

53 (DNS)

DNS Server

Internal use for DNS queries.

88 (Kerberos)

Active Directory Domain Controller

Active Directory integration for Linux endpoints.

389, 636 (LDAP & LDAPS)

Active Directory Domain Controller

Active Directory integration.

Relay Agent

Inbound

Port

Source / Destination

Purpose

7074

Security agent

Communication messages (such as settings and events) received from endpoints linked to the Relay agent.

Used for product and security content updates.

7076

Bitdefender Global Protective Network

Encrypted communication messages proxied from connected endpoints to Bitdefender Global Protective Network.

7079

Security agent

Used for product and security content updates.

Used for update staging.

Outbound

Port

Source / Destination

Purpose

80

lv2.bitdefender.com

License validation.

cloud-lcs.gravityzone.bitdefender.com
cloudgz-lcs.gravityzone.bitdefender.com
cloudap-lcs.gravityzone.bitdefender.com

Used for auditing license seat usage in GravityZone Cloud Security for MSP.

389

Active Directory Domain Controller

Integration with Active Directory (only for the endpoint which has the role of Active Directory Integrator).

7074

Relay agent(*) (if available)

Downloading installation packages from another Relay agent, in the deployment phase.

Communication messages received from endpoints linked to the Relay agent

7076

Bitdefender Global Protective Network

Encrypted communication messages received from endpoints linked to the Relay agent.

eu-lurker-input.gravityzone.bitdefender.com/
us-lurker-input.gravityzone.bitdefender.com/
ap-lurker-input.gravityzone.bitdefender.com/

Encrypted communication messages proxied from connected endpoints to Bitdefender MDR communication server.

443

cloud.gravityzone.bitdefender.com
cloudgz.gravityzone.bitdefender.com
cloudap.gravityzone.bitdefender.com

Downloading installation packages during deployment  (Setup Downloader)

cloud-ecs.gravityzone.bitdefender.com
cloudgz-ecs.gravityzone.bitdefender.com
cloudap-ecs.gravityzone.bitdefender.com

Link between the Relay agent and Communication Server.

upgrade.bitdefender.com

Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel

*.nimbus.bitdefender.net

Or you can exclude instead all the addresses below:

nimbus.bitdefender.net
mclb-gcp.nimbus.bitdefender.net
eu.nimbus.bitdefender.net
us.nimbus.bitdefender.net
elb-fra-gcp.nimbus.bitdefender.net
elb-lon-gcp.nimbus.bitdefender.net
elb-nvi-gcp.nimbus.bitdefender.net
elb-ore-gcp.nimbus.bitdefender.net
elb-iow-gcp.nimbus.bitdefender.net
elb-tky-gcp.nimbus.bitdefender.net

Antimalware, antiphishing, and content control scanning with Bitdefender Global Protective Network.

download.bitdefender.com

Downloading installation packages before deployment from the GravityZone Control Center.

update-cloud.2d585.cdn.bitdefender.net

Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel

ingestors-eu.bmdr.bitdefender.com
ingestors-us.bmdr.bitdefender.com
ingestors-ap.bmdr.bitdefender.com

Traffic between the Relay agent and the Bitdefender MDR communication server.

cloud-lcs.gravityzone.bitdefender.com
cloudgz-lcs.gravityzone.bitdefender.com
cloudap-lcs.gravityzone.bitdefender.com

Used for auditing license seat usage in GravityZone Cloud Security for MSP.

Security Server (Multi-Platform)

Inbound

Port

Source / Destination

Purpose

1344

Any

Used by the Security for Storage protection layer to communication between NAS devices compliant with ICAP and the Security Server.

6379

Security Server

Allows traffic between Security Servers.

7081

Any

Antimalware traffic scanning sent by the Security Agent.

7083

Any

Antimalware traffic scanning sent by the Security Agent over SSL.

Outbound

Port

Source / Destination

Purpose

443

*.nimbus.bitdefender.net

Or you can exclude all the addresses below instead:

nimbus.bitdefender.net
mclb-gcp.nimbus.bitdefender.net
eu.nimbus.bitdefender.net
us.nimbus.bitdefender.net
elb-fra-gcp.nimbus.bitdefender.net
elb-lon-gcp.nimbus.bitdefender.net
elb-nvi-gcp.nimbus.bitdefender.net
elb-ore-gcp.nimbus.bitdefender.net
elb-iow-gcp.nimbus.bitdefender.net
elb-tky-gcp.nimbus.bitdefender.net

Periodical verification of antimalware detections with Bitdefender Global Protective Network.

upgrade.bitdefender.com

Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel.

*.cdn.bitdefender.net

Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel.

cloud-ecs.gravityzone.bitdefender.com
cloudgz-ecs.gravityzone.bitdefender.com
cloudap-ecs.gravityzone.bitdefender.com

The link between the Security Server and the Communication Server.

download.bitdefender.com

Downloading updates.

Sandbox Analyzer

Inbound and outbound

Port

Source / Destination

Purpose

443

Sandbox Analyzer

Allows communication between the endpoint and the Sandbox Analyzer Portal. Handles file submissions to:

sandbox-portal.gravityzone.bitdefender.com

Network Attack Defense

Inbound and outbound

Port

Source / Destination

Purpose

8887 (TCP)

Any

Opened with BEST for Linux to enable Network Attack Defense.

If port 8887 is used by another application or blocked by a firewall, Network Attack Defense will not receive traffic.

(*) Since the relay is an update server that needs to listen on a port at all times, Bitdefender provides a mechanism able to automatically open a random port on localhost (127.0.0.1), so that the update server can receive proper configuration details. The update server tries to open the 7075 port to listen on localhost. If 7075 port is unavailable, the update server will search for another port that is free (in the range of 1025 to 65535) and successfully bind to listen on localhost.

Port 7074 must be open for deployment through Bitdefender Endpoint Security Tools Relay to work.

Note

To ensure secure communication between the GravityZoneControl Center and endpoints in network-restricted environments, create a firewall rule that whitelists the web addresses required to verify the server certificate revocation. The rule should whitelist all the web addresses that contain digicert.com.

Example of web addresses the rule should match:

  • http://crl3.digicert.com

  • http://crl4.digicert.com

  • http://ocsp.digicert.com