
GravityZone (cloud) communication ports

GravityZone is a distributed solution, meaning that its components communicate with each other through the use of the local network or the Internet. Each component uses a series of ports to communicate with the others.

Note

For the GravityZone (on-premises) communication ports, refer to this section.

The following table provides information on the ports used by Bitdefender GravityZone (cloud console) components.

You need to have these ports open and exclude all addresses mentioned in this table from any gateway security solution or network packet inspection so that GravityZone functions flawlessly.

Note

It is recommended that you do not use solutions for inspecting or scanning the traffic between endpoints, relays, and Bitdefender servers, because they may change the checksum and therefore damage the downloads.

| Component | Direction | Port | Source / Destination | Description |
|---|---|---|---|---|
| Web Console (Control Center) | Inbound | 80 (HTTP) | Any | Access to the Control Center web console, redirect to 443 |
| | Inbound | 443 (HTTPS) | Any | Access to the Control Center web console |
| Security Agent (BEST, BEST Legacy, Endpoint Security, Bitdefender Endpoint Security Tools) | Outbound | 80 | upgrade.bitdefender.com, *.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository) |
| | Outbound | 80 | lv2.bitdefender.com | License validation |
| | Outbound | 389 (LDAP) | Active Directory Domain Controller | Integration with Active Directory (only for the endpoint which has the role of Active Directory Integrator) |
| | Outbound | 636 (LDAPS) | Active Directory Domain Controller | Integration with Active Directory (only for the endpoint which has the role of Active Directory Integrator) |
| | Outbound | 3268 | Domain Controller Global Catalog | Integration with Active Directory (only for the endpoint which has the role of Active Directory Integrator) |
| | Outbound | 3269 | Domain Controller Global Catalog | Integration with Active Directory (only for the endpoint which has the role of Active Directory Integrator) |
| | Outbound | 7074 | Relay agent (if available) | Downloading installation packages in the deployment phase from the Relay agent. Communication messages received from endpoints linked to the Relay agent |
| | Outbound | 7076 | Bitdefender Global Protective Network: nimbus.bitdefender.net/elam/blob | Encrypted communication messages (when the Relay agent is used as a proxy) |
| | Outbound | 443 | cloud.gravityzone.bitdefender.com, cloudgz.gravityzone.bitdefender.com | Downloading installation packages during deployment (Setup Downloader) |
| | Outbound | 443 | cloud-ecs.gravityzone.bitdefender.com, cloudgz-ecs.gravityzone.bitdefender.com | Link between the security agents and Communication Server |
| | Outbound | 443 | https://eu-lurker-input.gravityzone.bitdefender.com/, https://us-lurker-input.gravityzone.bitdefender.com/ | EDR traffic sent by Security Agent |
| | Outbound | 443 | nimbus.bitdefender.net/elam/blob | Early Launch Anti-Malware (ELAM) cloud server |
| | Outbound | 443 | upgrade.bitdefender.com | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel |
| | Outbound | 443 | *.nimbus.bitdefender.net (or you can instead exclude all of these addresses: nimbus.bitdefender.net, elb-fra-gcp.nimbus.bitdefender.net, elb-lon-gcp.nimbus.bitdefender.net, elb-nvi-gcp.nimbus.bitdefender.net, elb-ore-gcp.nimbus.bitdefender.net, elb-iow-gcp.nimbus.bitdefender.net, elb-tky-gcp.nimbus.bitdefender.net) | Antimalware, antiphishing and content control scanning with Bitdefender Global Protective Network |
| | Outbound | 443 | https://update-cloud.2d585.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel |
| | Outbound | 22, 445 (SSH & SMB) | Any | Detects computers in the local network |
| | Outbound | 53 (DNS) | DNS Server | Internal use for DNS queries |
| | Outbound | 88 (Kerberos) | Active Directory Domain Controller | Active Directory integration for Linux computers |
| | Outbound | 389, 636 (LDAP & LDAPS) | Active Directory Domain Controller | Active Directory integration |
| | Inbound | 135 (RPC) | Any | Deployment through Relay |
| | Inbound | 137, 138, 139 (NetBIOS) | Any | Deployment through Relay |
| Relay agent | Inbound | 7074 | Security agent | Communication messages (such as settings and events) received from endpoints linked to the Relay agent |
| | Inbound | 7076 | Bitdefender Global Protective Network: nimbus.bitdefender.net/elam/blob | Encrypted communication messages proxied from connected endpoints to Bitdefender Global Protective Network |
| | Outbound | 80 | upgrade.bitdefender.com, *.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository) |
| | Outbound | 80 | lv2.bitdefender.com | License validation |
| | Outbound | 389 | Active Directory Domain Controller | Integration with Active Directory (only for the endpoint which has the role of Active Directory Integrator) |
| | Outbound | 7074 | Relay agent(*) (if available) | Downloading installation packages in the deployment phase from another Relay Agent. Communication messages received from endpoints linked to the Relay agent |
| | Outbound | 7076 | Bitdefender Global Protective Network: nimbus.bitdefender.net/elam/blob | Encrypted communication messages received from endpoints linked to the Relay agent |
| | Outbound | 443 | cloud.gravityzone.bitdefender.com, cloudgz.gravityzone.bitdefender.com | Downloading installation packages during deployment (Setup Downloader) |
| | Outbound | 443 | cloud-ecs.gravityzone.bitdefender.com, cloudgz-ecs.gravityzone.bitdefender.com | Link between the Relay agent and Communication Server |
| | Outbound | 443 | nimbus.bitdefender.net/elam/blob | Early Launch Anti-Malware (ELAM) cloud server, a component of Bitdefender Global Protective Network |
| | Outbound | 443 | upgrade.bitdefender.com | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel |
| | Outbound | 443 | *.nimbus.bitdefender.net (or you can instead exclude all of these addresses: nimbus.bitdefender.net, elb-fra-gcp.nimbus.bitdefender.net, elb-lon-gcp.nimbus.bitdefender.net, elb-nvi-gcp.nimbus.bitdefender.net, elb-ore-gcp.nimbus.bitdefender.net, elb-iow-gcp.nimbus.bitdefender.net, elb-tky-gcp.nimbus.bitdefender.net) | Antimalware, antiphishing, and content control scanning with Bitdefender Global Protective Network |
| | Outbound | 443 | download.bitdefender.com | Downloading installation packages before deployment from the GravityZone Cloud Control Center |
| | Outbound | 443 | https://update-cloud.2d585.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel |
| | Outbound | 443 | ingestors-eu.bmdr.bitdefender.com, ingestors-us.bmdr.bitdefender.com | Traffic between the Relay agent and the managed EDR communication server |
| Security Server (Multi-Platform) | Inbound | 1344 | Any | Used by Security for Storage protection layer for communication between NAS devices compliant with ICAP and Security Server |
| | Inbound | 6379 | Security Server | Allows traffic between Security Servers |
| | Inbound | 7081 | Any | Antimalware traffic scanning sent by the Security Agent |
| | Inbound | 7083 | Any | Antimalware traffic scanning sent by the Security Agent over SSL |
| | Outbound | 443 | *.nimbus.bitdefender.net (or you can instead exclude all of these addresses: nimbus.bitdefender.net, elb-fra-gcp.nimbus.bitdefender.net, elb-lon-gcp.nimbus.bitdefender.net, elb-nvi-gcp.nimbus.bitdefender.net, elb-ore-gcp.nimbus.bitdefender.net, elb-iow-gcp.nimbus.bitdefender.net, elb-tky-gcp.nimbus.bitdefender.net) | Periodical verification of antimalware detections with Bitdefender Global Protective Network |
| | Outbound | 443 | upgrade.bitdefender.com | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel |
| | Outbound | 443 | *.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel |
| | Outbound | 443 | cloud-ecs.gravityzone.bitdefender.com, cloudgz-ecs.gravityzone.bitdefender.com | Link between Security Server and Communication Server |
| | Outbound | 443 | download.bitdefender.com | Downloading updates |
| | Outbound | 80 | upgrade.bitdefender.com | Fallback for downloading updates from the Bitdefender Update Servers (the official repository) |
| | Outbound | 80 | download.bitdefender.com | Downloading installation kits |
| | Outbound | 80 | *.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository) |
| Sandbox Analyzer | Both | 443 | Sandbox Analyzer Portal | Allows communication between the endpoint and the Sandbox Analyzer Portal. Handles file submission to sandbox-portal.gravityzone.bitdefender.com. |

(*) Since the relay is an update server that needs to listen on a port at all times, Bitdefender provides a mechanism that automatically opens a random port on localhost (127.0.0.1), so that the update server can receive proper configuration details. The update server first tries to listen on port 7075 on localhost. If port 7075 is unavailable, the update server searches for another free port (in the range of 1025 to 65535) and binds to it to listen on localhost.

Port 7074 must be open for deployment through Bitdefender Endpoint Security Tools Relay to work.

Note

To ensure secure communication between the GravityZone console and endpoints in network-restricted environments, create a firewall rule that whitelists the web addresses required to verify the server certificate revocation. The rule should whitelist all the web addresses that contain digicert.com.

Example of web addresses the rule should match:

  • http://crl3.digicert.com

  • http://crl4.digicert.com

  • http://ocsp.digicert.com
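The exclusion requirement above and the DigiCert note can be checked against gateway logs. The following is an added example, not Bitdefender code: it flags log entries where a destination from this page was inspected or blocked instead of bypassed. The log layout and the action names are constructed assumptions, and "contain digicert.com" is read here as digicert.com and its subdomains, matched on DNS label boundaries.

```python
# Added example: audit gateway log lines against destinations from the table.
# Log layout and action names (bypass/inspect/block) are constructed assumptions.

# (host pattern, port) pairs copied from this page: Security Agent outbound
# rows plus the DigiCert revocation hosts (http:// URLs, so port 80).
REQUIRED = [
    ("upgrade.bitdefender.com", 80), ("*.cdn.bitdefender.net", 80),
    ("lv2.bitdefender.com", 80), ("upgrade.bitdefender.com", 443),
    ("cloud.gravityzone.bitdefender.com", 443),
    ("cloudgz.gravityzone.bitdefender.com", 443),
    ("cloud-ecs.gravityzone.bitdefender.com", 443),
    ("cloudgz-ecs.gravityzone.bitdefender.com", 443),
    ("*.nimbus.bitdefender.net", 443), ("*.digicert.com", 80),
]

def host_matches(host, pattern):
    """Match on DNS label boundaries, never on substrings."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        # Assumption: the wildcard also covers the bare domain, because the
        # page lists nimbus.bitdefender.net under *.nimbus.bitdefender.net.
        return host == base or host.endswith("." + base)
    return host == pattern

def is_required(host, port):
    return any(p == port and host_matches(host, pat) for pat, p in REQUIRED)

def audit(log_lines):
    """Return (host, port, action) for required destinations not bypassed."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, _src, dest, action = fields
        host, _, port = dest.rpartition(":")
        if port.isdigit() and is_required(host, int(port)) and action != "bypass":
            findings.append((host, int(port), action))
    return findings

# Constructed sample lines: <timestamp> <client> <host:port> <action>
SAMPLE = [
    "2024-05-01T10:00:01Z 10.0.0.5 elb-fra-gcp.nimbus.bitdefender.net:443 bypass",
    "2024-05-01T10:00:02Z 10.0.0.5 update-cloud.2d585.cdn.bitdefender.net:80 inspect",
    "2024-05-01T10:00:03Z 10.0.0.7 ocsp.digicert.com:80 block",
    "2024-05-01T10:00:04Z 10.0.0.7 digicert.com.cdn.example:80 inspect",
    "2024-05-01T10:00:05Z 10.0.0.9 nimbus.bitdefender.net:443 inspect",
]
```

Calling `audit(SAMPLE)` reports the inspected CDN update host, the blocked OCSP host and the inspected nimbus.bitdefender.net connection; the constructed host digicert.com.cdn.example is not treated as a DigiCert address because it only contains the name as a substring.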