Clarification on Ports Used for HA and Related Functions
Hello WatchGuard Community,
I am currently investigating some network behavior related to my WatchGuard Firebox devices configured in a FireCluster (High Availability). The SOC team informed me that this behavior is benign, and they shared the following table with common ports used for different cluster functions:

I have reviewed the official documentation on FireCluster and failover, but I could not find any explicit reference to these ports. Could you please confirm:
- Are these port ranges officially documented by WatchGuard?
- If so, where can I find the official source?
- Is there any best practice or KB article that explains why these ports are used and how to secure them?
Any guidance or official references would be greatly appreciated.
Thank you in advance!
Comments
Hi @Cris
The screenshot seems to be multiple things mashed together, and only a bit of it applies to the firebox.
- HA Discovery happens over port 3456 via multicast traffic (224.0.0.2)
- VRRP is utilized for cluster management.
- Heartbeat is via ping and TCP connections in the range of 4110-4119.
Much of the traffic happens over the cluster interface (the cable that goes directly between the cluster members.) Some traffic does go across the interface specified as the management interface. Securing this will come down to choosing a network where the cluster members can communicate with each other, and generally, this should be a dedicated management network for this purpose.
-James Carson
WatchGuard Customer Support
Hi @james.carson
Thank you very much for the explanation.
I'll tell you about the behavior we've been detecting coming from one of our fireboxes to the other with source port 51874 and destination port 22.
In other cases, we've seen communication from the firebox to a device on the network with source port 51873 to destination port 5811.
From what you've explained to me, would this be expected behavior?
TCP port 22 = Peer Health Check
TCP port 5811 could be device discovery
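An added example, not part of any post in this thread and not WatchGuard code: a small triage script that compares flows sourced from cluster members against the ports listed in the support reply above. The flow field names, member addresses and sample flows are constructed assumptions; "unlisted" only means the flow is not covered by that list, as with the port 22 and port 5811 flows from the follow-up.

```python
# Added example: field names, addresses and flows below are constructed.
MEMBERS = {"10.0.50.1", "10.0.50.2"}   # hypothetical cluster member IPs
DISCOVERY_GROUP = "224.0.0.2"          # multicast group named in the reply

def cluster_function(flow):
    """Map a flow to a function from the support reply, or None if unlisted."""
    proto, dst, dport = flow["proto"], flow["dst"], flow.get("dport")
    if dport == 3456 and dst == DISCOVERY_GROUP:
        return "ha-discovery"
    if proto == "vrrp":                       # VRRP is IP protocol 112
        return "cluster-management"
    if dst in MEMBERS:                        # heartbeat is member-to-member
        if proto == "icmp":
            return "heartbeat-ping"
        if proto == "tcp" and dport is not None and 4110 <= dport <= 4119:
            return "heartbeat-tcp"
    return None

def triage(flows):
    """Return (flow, verdict) pairs for flows sourced from a cluster member."""
    results = []
    for flow in flows:
        if flow["src"] not in MEMBERS:
            continue                          # not cluster-originated traffic
        results.append((flow, cluster_function(flow) or "unlisted"))
    return results

# Constructed flows. The transport for port 3456 is not stated in the reply;
# UDP is assumed here. The 22 and 5811 flows mirror the ports in the follow-up.
SAMPLE_FLOWS = [
    {"src": "10.0.50.1", "dst": "224.0.0.2", "proto": "udp", "sport": 3456, "dport": 3456},
    {"src": "10.0.50.1", "dst": "224.0.0.18", "proto": "vrrp"},
    {"src": "10.0.50.2", "dst": "10.0.50.1", "proto": "icmp"},
    {"src": "10.0.50.1", "dst": "10.0.50.2", "proto": "tcp", "sport": 40112, "dport": 4113},
    {"src": "10.0.50.1", "dst": "10.0.50.2", "proto": "tcp", "sport": 51874, "dport": 22},
    {"src": "10.0.50.1", "dst": "10.0.20.15", "proto": "tcp", "sport": 51873, "dport": 5811},
    {"src": "10.0.20.15", "dst": "10.0.50.1", "proto": "tcp", "sport": 50000, "dport": 4112},
]

if __name__ == "__main__":
    for flow, verdict in triage(SAMPLE_FLOWS):
        print(f'{flow["src"]} -> {flow["dst"]} '
              f'{flow["proto"]}/{flow.get("dport", "-")}: {verdict}')
```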