GravityZone (cloud) communication ports
GravityZone is a distributed solution, meaning that its components communicate with each other through the use of the local network or the Internet. Each component uses a series of ports to communicate with the others.
Note
For the GravityZone (on-premises) communication ports, refer to this section.
The following table provides information on the ports used by Bitdefender GravityZone (cloud console) components.
You need to have these ports open and exclude all addresses mentioned in this table from any gateway security solution or network packet inspection so that GravityZone functions flawlessly.
Note
It is recommended that you do not use solutions for inspecting or scanning the traffic between endpoints, relays, and Bitdefender servers, because they may change the checksum and therefore damage the downloads.
Component | Direction | Port | Source / Destination | Description |
|---|---|---|---|---|
Web Console (Control Center) | Inbound | 80 (HTTP) | Any | Access to the Control Center web console, redirect to 443 |
443 (HTTPS) | Any | Access to the Control Center web console | ||
Security Agent (BEST, BEST Legacy, Endpoint Security, Bitdefender Endpoint Security Tools) | Outbound | 80 | ||
upgrade.bitdefender.com *.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository) | |||
lv2.bitdefender.com | License validation | |||
389 (LDAP) | Active Directory Domain Controller | Integration with Active Directory (only for the endpoint which has the role of Active Directory Integrator) | ||
636 (LDAPS) | ||||
3268 | Domain Controller Global Catalog | |||
3269 | ||||
7074 | ||||
Relay agent (if available) | Downloading installation packages in the deployment phase from the Relay agent Communication messages received from endpoints linked to the Relay agent | |||
7076 | Bitdefender Global Protective Network: nimbus.bitdefender.net/elam/blob | Encrypted communication messages (when the Relay agent is used as a proxy) | ||
443 | cloud.gravityzone.bitdefender.com cloudgz.gravityzone.bitdefender.com | Downloading installation packages during deployment (Setup Downloader) | ||
cloud-ecs.gravityzone.bitdefender.com cloudgz-ecs.gravityzone.bitdefender.com | Link between the security agents and Communication Server | |||
https://eu-lurker-input.gravityzone.bitdefender.com/ https://us-lurker-input.gravityzone.bitdefender.com/ | EDR traffic sent by Security Agent | |||
nimbus.bitdefender.net/elam/blob | Early Launch Anti-Malware (ELAM) cloud server | |||
upgrade.bitdefender.com | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel | |||
*.nimbus.bitdefender.net Or you can exclude instead all the addresses below: nimbus.bitdefender.net elb-fra-gcp.nimbus.bitdefender.net elb-lon-gcp.nimbus.bitdefender.net elb-nvi-gcp.nimbus.bitdefender.net elb-ore-gcp.nimbus.bitdefender.net elb-iow-gcp.nimbus.bitdefender.net elb-tky-gcp.nimbus.bitdefender.net | Antimalware, antiphishing and content control scanning with Bitdefender Global Protective Network | |||
https://update-cloud.2d585.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel | |||
22, 445 (SSH & SMB) | Any | Detects computers in the local network | ||
53 (DNS) | DNS Server | Internal use for DNS queries | ||
88 (Kerberos) | Active Directory Domain Controller | Active Directory integration for Linux computers | ||
389, 636 (LDAP & LDAPS) | Active Directory Domain Controller | Active Directory integration | ||
Inbound | 135 (RPC) | Any | Deployment through Relay | |
137, 138, 139 (NetBIOS) | Any | Deployment through Relay | ||
Relay agent | Inbound | 7074 | Security agent | Communication messages (such as settings and events) received from endpoints linked to the Relay agent |
7076 | Bitdefender Global Protective Network: nimbus.bitdefender.net/elam/blob | Encrypted communication messages proxied from connected endpoints to Bitdefender Global Protective Network: | ||
Outbound | 80 | |||
upgrade.bitdefender.com *.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository) | |||
lv2.bitdefender.com | License validation | |||
389 | Active Directory Domain Controller | Integration with Active Directory (only for the endpoint which has the role of Active Directory Integrator) | ||
7074 | Relay agent(*) (if available) | |||
Downloading installation packages in the deployment phase from another Relay Agent Communication messages received from endpoints linked to the Relay agent | ||||
7076 | Bitdefender Global Protective Network nimbus.bitdefender.net/elam/blob | Encrypted communication messages received from endpoints linked to the Relay agent | ||
443 | cloud.gravityzone.bitdefender.com cloudgz.gravityzone.bitdefender.com | Downloading installation packages during deployment (Setup Downloader) | ||
cloud-ecs.gravityzone.bitdefender.com cloudgz-ecs.gravityzone.bitdefender.com | Link between the Relay agent and Communication Server | |||
nimbus.bitdefender.net/elam/blob | Early Launch Anti-Malware (ELAM) cloud server, a component of Bitdefender Global Protective Network | |||
upgrade.bitdefender.com | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel | |||
*.nimbus.bitdefender.net Or you can exclude instead all the addresses below: nimbus.bitdefender.net elb-fra-gcp.nimbus.bitdefender.net elb-lon-gcp.nimbus.bitdefender.net elb-nvi-gcp.nimbus.bitdefender.net elb-ore-gcp.nimbus.bitdefender.net elb-iow-gcp.nimbus.bitdefender.net elb-tky-gcp.nimbus.bitdefender.net | Antimalware, antiphishing, and content control scanning with Bitdefender Global Protective Network | |||
download.bitdefender.com | Downloading installation packages before deployment from the GravityZone Cloud Control Center | |||
https://update-cloud.2d585.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel | |||
ingestors-eu.bmdr.bitdefender.com ingestors-us.bmdr.bitdefender.com | Traffic between the Relay agent and the managed EDR communication server. | |||
Security Server (Multi-Platform) | Inbound | 1344 | Any | Used by Security for Storage protection layer for communication between NAS devices compliant with ICAP and Security Server |
6379 | Security Server | Allows traffic between Security Servers | ||
7081 | Any | Antimalware traffic scanning sent by the Security Agent | ||
7083 | Any | Antimalware traffic scanning sent by the Security Agent over SSL | ||
Outbound | 443 | *.nimbus.bitdefender.net Or you can exclude instead all the addresses below: nimbus.bitdefender.net elb-fra-gcp.nimbus.bitdefender.net elb-lon-gcp.nimbus.bitdefender.net elb-nvi-gcp.nimbus.bitdefender.net elb-ore-gcp.nimbus.bitdefender.net elb-iow-gcp.nimbus.bitdefender.net elb-tky-gcp.nimbus.bitdefender.net | Periodical verification of antimalware detections with Bitdefender Global Protective Network | |
upgrade.bitdefender.com | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel | |||
*.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel | |||
cloud-ecs.gravityzone.bitdefender.com cloudgz-ecs.gravityzone.bitdefender.com | Link between Security Server and Communication Server | |||
download.bitdefender.com | Downloading updates | |||
80 | upgrade.bitdefender.com | Fallback for downloading updates from the Bitdefender Update Servers (the official repository) | ||
download.bitdefender.com | Downloading installation kits | |||
*.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository) | |||
443 | Sandbox Analyzer Portal | |||
Sandbox Analyzer | Both | Allows communication between the endpoint and the Sandbox Analyzer Portal. Handles file submission to sandbox-portal.gravityzone.bitdefender.com. |
(*) Since the relay is an update server that needs to listen all the time on a port, Bitdefender provides a mechanism able to automatically open a random port on localhost (127.0.0.1), so that the update server can receive proper configuration details. The update server tries to open the 7075 port to listen on localhost. If 7075 port is unavailable, the update server will search for another port that is free (in the range of 1025 to 65535) and successfully bind to listen on localhost.
Port 7074 must be open for deployment through Bitdefender Endpoint Security Tools Relay to work.
Note
To ensure secure communication between the GravityZone console and endpoints in network-restricted environments, create a firewall rule that whitelists the web addresses required to verify the server certificate revocation. The rule should whitelist all the web addresses that contain digicert.com.
Example of web addresses the rule should match:
http://crl3.digicert.com
http://crl4.digicert.com
http://ocsp.digicert.com