Doing some hardening on my Splunk and would like to block any outgoing connections not required.
Besides DNS, as far as I logged over the last couple of days, Splunk only requires outgoing on port 443 over TCP/SSL to servers using certificates with names that fit "*splunk.com"?
I am talking about license and other connections required by Splunk; for this question assume a standalone Enterprise Splunk server with no integration with other servers or forwarders.
Hi @Harold,
as @scelikok said, if you're speaking about hardening, you should look at https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/WhatyoucansecurewithSplunk; in addition, at the last .conf there was an interesting webinar https://conf.splunk.com/files/2020/slides/TRU1537C.pdf about Splunk hardening.
Anyway, if you want the connections used by Splunk, you should look at https://docs.splunk.com/Documentation/Splunk/8.1.3/InheritedDeployment/Ports
Ciao.
Giuseppe
Hi @Harold,
Assuming there is no integration, standalone Splunk does not need any outgoing connections. Since we are talking about hardening, *splunk.com connections are also not necessary. They are for Splunk/app version checking and for sending some telemetry data to Splunk about your usage. It is safe to block all outgoing connections.
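Before turning on an egress deny, it is worth confirming what splunkd actually holds open, so that a forgotten integration does not break silently. The script below is an added example, not from this thread or from Splunk: it parses `ss -tnp` output (a constructed sample is embedded), skips sessions that arrived on the assumed default Splunk listening ports (8000, 8089, 9997), and flags any splunkd peer that is not on 443 or 53 as unexpected.

```shell
#!/bin/sh
# Inventory outbound TCP peers held by splunkd before adding egress firewall rules.

# Constructed sample of `ss -tnp` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port    Peer Address:Port   Process
ESTAB  0      0      10.0.0.5:45210        203.0.113.10:443    users:(("splunkd",pid=1234,fd=56))
ESTAB  0      0      10.0.0.5:8000         10.0.0.20:51822     users:(("splunkd",pid=1234,fd=12))
ESTAB  0      0      10.0.0.5:45211        203.0.113.10:443    users:(("splunkd",pid=1234,fd=57))
ESTAB  0      0      10.0.0.5:33402        198.51.100.7:443    users:(("splunkd",pid=1234,fd=60))
ESTAB  0      0      10.0.0.5:50120        203.0.113.99:8089   users:(("splunkd",pid=1234,fd=70))
ESTAB  0      0      10.0.0.5:22           10.0.0.30:50011     users:(("sshd",pid=900,fd=4))'

# Reads `ss -tnp` output on stdin and prints one line per distinct splunkd peer:
#   <session count> <peer address:port> <expected|UNEXPECTED>
# "expected" means the peer port is 443 (version check / telemetry) or 53 (DNS),
# which is all a standalone server should be using; anything else deserves a look.
splunkd_peers() {
    awk 'NR > 1 && $0 ~ /"splunkd"/ {
            n = split($4, l, ":"); lport = l[n]
            # Assumed default Splunk listening ports (8000 web, 8089 management,
            # 9997 receiving): sessions on these are inbound, not egress. Skip them.
            if (lport == 8000 || lport == 8089 || lport == 9997) next
            n = split($5, r, ":"); rport = r[n]
            peers[$5]++
            tag[$5] = (rport == 443 || rport == 53) ? "expected" : "UNEXPECTED"
         }
         END { for (p in peers) print peers[p], p, tag[p] }' | sort -k2
}

# Stand-alone run over the constructed sample; on a live host use:
#   ss -tnp | splunkd_peers
printf '%s\n' "$SAMPLE_SS" | splunkd_peers
```

Run it a few times over a day on the live host and compare the lists; once only 443 and 53 peers remain you can apply the egress deny with confidence.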