Firewall Open Required Ports for ISE 3.2

CCC3
Level 1

We are investigating the ports that need to be opened by the firewall when deploying ISE.

It's in a Cisco document, but there seems to be no mention of source and destination.
And the same seems to be true about whether two-way is needed.

Do you have any documents or materials that are organized?

Accepted Solution

I have marked some of the official documents; please check the attached information.

In general, which ports need to be opened depends on which services ISE provides and how it is deployed.

For example, a single-node ISE deployment provides RADIUS and TACACS+ services, with LDAP added as an external identity source. In that case, the ports the firewall needs to allow can be divided into the following parts:

1. Management: tcp/22, tcp/443

2. Service ports: udp/1812, udp/1813, udp/1645, udp/1646, tcp/49

3. Ports used by external identity sources: tcp/389, tcp/3268, udp/389 (ports ISE uses to reach the outside world)

4. Ports needed by built-in system functions: nmap/DHCP/DNS/OCSP/SCEP, etc.

If an ISE cluster is deployed across firewalls, then in addition to the above, internal cluster communication must also be considered: all ports marked "Replication and Synchronization" need to be allowed, outbound syslog needs to be allowed, as well as tcp/9443, tcp/1521, etc.

In general, once the basic service ports are allowed, add the service-related ports to the firewall's allow list based on the functions or service roles enabled on ISE.


5 Replies

That's the document I saw.

However, I can't see what I was curious about in that document.

Is it something I can't find?


Thank you for your answer.

You can get information about the ports, but does it not say which source and destination a port should be set to?

The management port and the communication between ISE nodes use the IP address of the G0 interface, so you can directly use the IP of the ISE node as the source or destination.

The service ports, such as RADIUS and TACACS+, depend on the routing settings of ISE. If there are multiple interfaces, you need to determine which ISE IP to use as the destination address based on the routing. Access to external identity sources is also based on routing.
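The two answers above give the port list by category and the rule for which ISE address appears in each rule (G0 for management and replication, routing for everything else) but leave the reader to assemble the actual source/destination pairs. The script below does that assembly for a small constructed deployment and prints one ASA-style ACE per flow. It is an added example, not code from this thread or from Cisco: the node names and 10.x addresses are made up, the routing lookup is reduced to "connected subnet, else G0", syslog udp/514 and DNS udp/53 are the protocol defaults rather than values from the answers, and since the answer does not say which node initiates each replication port, both directions are emitted between node pairs.

```python
"""Source/destination rule list for a Cisco ISE deployment.

Added example, not code from this thread or from Cisco. Port numbers are the
ones listed in the accepted answer; syslog udp/514 and DNS udp/53 are the
protocol defaults and are assumptions here. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Interface, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # initiator of the connection (host or network in CIDR)
    dst: str      # responder; a stateful firewall allows the replies itself
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    purpose: str


@dataclass(frozen=True)
class IseNode:
    name: str
    roles: tuple   # e.g. ("PAN", "MnT", "PSN")
    ifaces: tuple  # (("G0", "10.0.0.11/24"), ("G1", "10.1.0.11/24"))

    @property
    def g0_ip(self):
        """G0 carries management and node-to-node replication."""
        return str(IPv4Interface(dict(self.ifaces)["G0"]).ip)

    def egress_ip(self, peer):
        """Node IP facing `peer`: longest connected subnet containing the
        peer's network address, else G0 (assumed default route).
        Static routes are not modelled; that is a simplification."""
        target = ip_network(peer, strict=False).network_address
        best = None
        for _, cidr in self.ifaces:
            iface = IPv4Interface(cidr)
            if target in iface.network and (
                best is None or iface.network.prefixlen > best.network.prefixlen
            ):
                best = iface
        return str(best.ip) if best else self.g0_ip


def build_rules(nodes, admin_nets, nad_nets, ldap_servers, dns_servers, syslog_servers):
    rules = []

    def add(src, dst, proto, port, why):
        rule = Rule(src, dst, proto, port, why)
        if rule not in rules:       # keep the list free of duplicate ACEs
            rules.append(rule)

    for n in nodes:
        # 1. Management: admin networks -> the G0 address only
        for net in admin_nets:
            add(net, n.g0_ip, "tcp", 22, f"{n.name} SSH")
            add(net, n.g0_ip, "tcp", 443, f"{n.name} admin portal")
        # 2. Service ports: the NAD initiates, towards the node IP it routes to
        if "PSN" in n.roles:
            for net in nad_nets:
                dst = n.egress_ip(net)
                for p in (1812, 1813, 1645, 1646):
                    add(net, dst, "udp", p, f"{n.name} RADIUS")
                add(net, dst, "tcp", 49, f"{n.name} TACACS+")
        # 3/4. Identity sources and built-in dependencies: ISE initiates,
        #      from whichever interface its routing picks for that server
        for srv in ldap_servers:
            src = n.egress_ip(srv)
            add(src, srv, "tcp", 389, f"{n.name} LDAP")
            add(src, srv, "udp", 389, f"{n.name} LDAP")
            add(src, srv, "tcp", 3268, f"{n.name} AD global catalog")
        for srv in dns_servers:
            add(n.egress_ip(srv), srv, "udp", 53, f"{n.name} DNS (assumed port)")
        for srv in syslog_servers:
            add(n.egress_ip(srv), srv, "udp", 514, f"{n.name} syslog (assumed port)")
    # Replication between nodes, G0 to G0. The answer does not say which node
    # initiates each port, so both directions are emitted (conservative).
    for a in nodes:
        for b in nodes:
            if a is not b:
                for p in (443, 9443, 1521):
                    add(a.g0_ip, b.g0_ip, "tcp", p, f"replication {a.name}->{b.name}")
    return rules


def _asa_addr(addr):
    net = ip_network(addr, strict=False)
    return f"host {net.network_address}" if net.prefixlen == 32 else f"{net.network_address} {net.netmask}"


def render_asa(rules, acl="ISE_EDGE"):
    """One ASA-style ACE per rule, initiator -> responder only."""
    return [f"access-list {acl} extended permit {r.proto} {_asa_addr(r.src)} {_asa_addr(r.dst)} eq {r.port}"
            for r in rules]


# Constructed sample: PAN/MnT/PSN on one node, plus a PSN whose G1 sits on a
# NAD subnet (10.1.0.0/24) so RADIUS for that subnet lands on G1, not G0.
NODES = (
    IseNode("ise-pan", ("PAN", "MnT", "PSN"), (("G0", "10.0.0.11/24"),)),
    IseNode("ise-psn1", ("PSN",), (("G0", "10.0.0.12/24"), ("G1", "10.1.0.12/24"))),
)
SAMPLE = dict(nodes=NODES, admin_nets=("10.9.0.0/24",), nad_nets=("10.1.0.0/24", "10.2.0.0/16"),
              ldap_servers=("10.5.0.20",), dns_servers=("10.5.0.53",), syslog_servers=("10.9.0.50",))

if __name__ == "__main__":
    for line in render_asa(build_rules(**SAMPLE)):
        print(line)
```

Each emitted rule is one direction only, from the side that opens the connection to the side that answers; on a stateful firewall the replies (RADIUS responses, LDAP results, the TCP return half) are matched by the connection table, so "two-way" rules are only needed where both sides initiate, as assumed here for replication, or where the ACL is applied statelessly. Note also that in the sample the second PSN's 10.1.0.12 address receives RADIUS and TACACS+ from 10.1.0.0/24 but never SSH or HTTPS, which is the G0-only management rule from the follow-up answer made explicit.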