05-16-2025 02:42 AM
We’re experiencing an issue with Cortex brokers related to the network mapper.
When we run network scans using the "ICMP Echo" flag, the scan completes successfully and everything works as expected.
However, when performing a "TCP SYN" scan on the following ports:
80, 443, 22, 21, 25, 53, 23, 110, 123, 135, 137, 139, 143, 3389, 3306, 445, 1433, 161, 5900, 993, 587, 8080, 6660-6669, 5432, 5985, 5986, 636, 9100,
the result is always a failure.
On our firewalls and core switches, we’ve already created ACLs allowing any service, but the behavior remains the same.
We have not observed any signs of network congestion. We use multiple monitoring platforms and none have reported any issues.
As for the scanning configuration, we’re currently using a /16 range instead of /24. This is because we manage multiple sites, and each sites contains 50-100 of /24 subnets.
What is the recommended approach for conducting large-scale scans?
Would it be more efficient or accurate to specify each /24 subnet individually rather than scanning an entire /16?
05-20-2025 10:10 AM
Hello @tlmarques
Thanks for reaching out on LiveCommunity!
Can you please share what kind of error messages you are seeing? Please share the screenshot (hiding any confidential information).
05-20-2025 11:15 AM - edited 05-20-2025 11:17 AM
Hi,
the error is :
in this case is only a test network...
but normaly we using a /16 range .
05-21-2025 08:26 AM
Hello @tlmarques
Thanks for your response. There is a possibility of firewalls blocking broker vm traffic. Please make sure to allow broker vm network resources on your firewalls. Below is the link for all the network FQDNs and IPs required by XDR. You will find resources specific to broker vm under heading "Required for deployments that use Broker VM features".
If above resources are allowed and still seeing error then open a TAC case to investigate logs for troubleshooting.
05-29-2025 05:44 AM
I have full communication open to and from the broker VM. I spoke with support, and they mentioned that the issue is related to the number of open ports. They recommend a maximum of 20 ports.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
