When Deep Security Agent 10.1 or earlier was installed on Linux, it disabled the iptables
service to avoid firewall conflicts unless you added a configuration file that prevented
that change. However, the iptables service is used for more than just the host firewall (for
example, Docker manages iptables rules as part of its normal operation), so disabling
it sometimes had negative consequences.
With Deep Security 10.2 and higher (including Deep Security 11), the functionality
around iptables has changed. Deep Security Agent no longer disables iptables. (If
iptables is enabled, it stays enabled after the agent installation. If iptables is
disabled, it stays disabled.) However, if the iptables service is running, Deep Security
Agent and Deep Security Manager require certain iptables rules, as described below.
Rules required by Deep Security Manager
If iptables is enabled on the computer where Deep Security Manager is being installed,
there are two required iptables rules. By default, these rules are added when Deep
Security Manager starts up and removed when the manager is stopped or uninstalled.
Alternatively, you can Prevent Deep Security from automatically adding iptables rules and add them manually instead:
- Allow incoming traffic on port 4119. This is required for access to the Deep Security Manager web UI and API.
- Allow incoming traffic on port 4120. This is required to listen for agent heartbeats. (For more information, see Agent-manager communication.)
Note: These are the default port numbers - yours may be different. For a complete list of
ports used in Deep Security, see Port numbers.
Rules required by Deep Security Agent
If iptables is enabled on the computer where Deep Security Agent is being installed,
iptables may require additional rules. By default, these rules are added when Deep
Security Agent starts up and removed when the agent is stopped or uninstalled. Alternatively,
you can Prevent Deep Security from automatically adding iptables rules and add them manually instead:
- Allow incoming traffic on port 4118. This is required when the agent uses manager-initiated or bidirectional communication. (For more information, see Agent-manager communication.)
- Allow incoming traffic on port 4122. This is required when the agent is acting as a relay, so that the relay can distribute software updates. (For more information, see Distribute security and software updates with relays.)
Note: These are the default port numbers - yours may be different. For a complete list of
ports used in Deep Security, see Port numbers.
Prevent Deep Security from automatically adding iptables rules
You can prevent Deep Security Manager and Deep Security Agent from modifying iptables
if you would rather add the required rules manually. To prevent the automatic modification
of iptables, create the following file on the computers where you plan to install
Deep Security Manager and Deep Security Agent:
/etc/do_not_open_ports_on_iptables
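The following script is an added example for the manual procedure described on this page (the manager and agent rule lists above, plus the marker file); it is not Trend Micro's code. It prints the iptables INPUT rules for the default ports so they can be reviewed before being applied, and it creates and checks the /etc/do_not_open_ports_on_iptables marker. The ds_* function names, the DS_MANAGER_PORTS and DS_AGENT_PORTS variables, the optional source CIDR argument (so agent ports can be limited to the manager's address rather than opened to every source) and the ROOT prefix used for testing are all assumptions of this example, not part of the product.

```shell
#!/bin/sh
# Example helper for managing the Deep Security iptables rules by hand.
# Not part of Deep Security; written for this page as an illustration.

# Default ports from the page. Override via the environment if your deployment differs.
DS_MANAGER_PORTS="${DS_MANAGER_PORTS:-4119 4120}"   # 4119: web UI/API, 4120: agent heartbeats
DS_AGENT_PORTS="${DS_AGENT_PORTS:-4118 4122}"       # 4118: manager-initiated comms, 4122: relay updates

# ds_rules ROLE [SOURCE_CIDR]
# Emits one iptables INPUT rule per required TCP port for ROLE (manager|agent).
# SOURCE_CIDR is an assumed extension: restrict the rule to a trusted network
# (for an agent, typically the manager's address) instead of accepting from anywhere.
ds_rules() {
    role=$1
    src=${2:-0.0.0.0/0}
    case $role in
        manager) ports=$DS_MANAGER_PORTS ;;
        agent)   ports=$DS_AGENT_PORTS ;;
        *) echo "usage: ds_rules manager|agent [source-cidr]" >&2; return 1 ;;
    esac
    for p in $ports; do
        echo "iptables -I INPUT -p tcp -s $src --dport $p -j ACCEPT"
    done
}

# ds_manual_mode_enabled [ROOT]
# Succeeds when the marker file that stops Deep Security from modifying iptables exists.
# ROOT (assumed, for testing against a scratch directory) prefixes the path; defaults to /.
ds_manual_mode_enabled() {
    root=${1:-}
    [ -f "$root/etc/do_not_open_ports_on_iptables" ]
}

# ds_enable_manual_mode [ROOT]
# Creates the marker file. Run this before installing the manager or agent,
# then apply the output of ds_rules yourself.
ds_enable_manual_mode() {
    root=${1:-}
    mkdir -p "$root/etc" && : > "$root/etc/do_not_open_ports_on_iptables"
}

# Usage, as root on the target host:
#   ds_enable_manual_mode                    # create /etc/do_not_open_ports_on_iptables
#   ds_rules agent 192.0.2.10/32 | sh        # open agent ports only to the manager (constructed address)
#   ds_rules manager | sh                    # open manager ports
```

Review the printed rules before piping them to sh: because the marker file stops Deep Security from adding and removing the rules, they will not be cleaned up when the agent or manager is uninstalled, so they belong in whatever mechanism persists your host's iptables configuration across reboots.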