Port/Protocol/Process Rules and AV/File Monitor Exclusions
To ensure proper operation of the LogRhythm Axon Agent, the correct port/protocol rules and antivirus/file monitor exclusions must be applied. Where these rules apply depends on your environment. Port and protocol exceptions may need to be entered both on the local system where Axon Agent is installed and on any LAN network equipment that forwards or filters traffic (such as firewalls or layer 3 switches). Antivirus and file monitor exclusions must be created for the folders and processes used by Axon Agent.
In addition, review the Axon Prerequisites and Considerations for basic URLs that must be accessible.
Ports and Protocols
The following ports/protocols need to be open on the host system as well as any intermediate network equipment which forwards or filters LAN traffic.
Inbound
80 TCP
80 UDP
443 TCP
443 TLS
Any custom syslog port will need to be added to inbound exclusions
Outbound
443 TCP
Antivirus Exclusions
Exclude the specified directories and subfolders, depending on your operating system.
Any program (such as a file monitor) which scans and holds files open will interfere with Axon Agent.
Folders Used by Axon Agent | |
---|---|
Windows |
|
Linux |
|
Process Exclusions
The following processes need to be whitelisted in both the firewall and any antivirus software. Anything that interferes with these specific processes will prevent the Axon Agent from functioning.
Processes Used by Axon Agent |
---|
Background processes
|
Special Cases
Check Point Firewall Settings
Check Point Firewalls with “SSL Decryption” enabled cause the following error:
{"level":"error","ts":"2024-04-29T12:35:46-04:00","msg":"Error in SendEnrollment response","error: ":"rpc error: code = Unavailable desc = error reading from server: connection error: COMPRESSION_ERROR"}
This prevents the Axon Agent from connecting to and enrolling with the Axon backend.
The host system running the Axon Agent must be excluded from the SSL Decryption policy to restore function.
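To confirm from the agent's own log that a host is hitting this SSL Decryption failure before requesting the policy exclusion, the check below scans JSON log lines for the signature shown above. It is an added example, not LogRhythm code; the function name is hypothetical, the log file location is not given on this page so the caller supplies the lines, and all sample lines except the quoted error are constructed.

```python
import json
import re

# Line 2 is the error quoted on this page; lines 1, 3 and 4 are constructed.
SAMPLE_LOG = """\
{"level":"info","ts":"2024-04-29T12:35:40-04:00","msg":"constructed healthy line"}
{"level":"error","ts":"2024-04-29T12:35:46-04:00","msg":"Error in SendEnrollment response","error: ":"rpc error: code = Unavailable desc = error reading from server: connection error: COMPRESSION_ERROR"}
constructed non-JSON line that must be skipped
{"level":"error","ts":"2024-04-29T12:36:00-04:00","msg":"constructed unrelated error","error: ":"rpc error: code = Unavailable desc = connection refused"}
"""

GRPC_STATUS = re.compile(r"rpc error: code = (\w+) desc = (.*)")


def find_tls_inspection_errors(lines):
    """Return one dict per log line matching the SSL Decryption signature."""
    hits = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line.startswith("{"):
            continue  # skip blank or non-JSON lines
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupted line
        if record.get("level") != "error":
            continue
        # In the page's sample the key is literally "error: " (colon and
        # trailing space), so normalise key names before comparing.
        detail = next(
            (v for k, v in record.items()
             if k.strip(" :").lower() == "error" and isinstance(v, str)),
            "",
        )
        match = GRPC_STATUS.search(detail)
        # Only the gRPC Unavailable + COMPRESSION_ERROR pair is flagged;
        # other Unavailable errors have different causes.
        if match and match.group(1) == "Unavailable" \
                and "COMPRESSION_ERROR" in match.group(2):
            hits.append({"line": number, "ts": record.get("ts"),
                         "msg": record.get("msg")})
    return hits


if __name__ == "__main__":
    for hit in find_tls_inspection_errors(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']} at {hit['ts']}: {hit['msg']} "
              "-> check SSL Decryption policy for this host")
```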