Most of the Local Manager’s communication is designed to be initiated by the Local Manager, reducing the number of potential security vulnerabilities. These operations are discussed in detail below.
If the Local Manager is managed by a Control Center, the Local Manager periodically archives device statistics, user session log files, device files, and other data automatically to the Control Center using HTTPS over port 8443. Archiving uses high data compression to reduce the impact to the network. When operating out-of-band, archiving is suspended by default until the Local Manager returns to in-band communication. This functionality can be enabled to work when the Local Manager is communicating over its out-of-band connection.
If the Local Manager is not managed by a Control Center, use the config export command to create an XML file of the Local Manager's configuration and send it to the IP address of your choice using SCP or FTP. Use the config system export command to archive collected device statistics to an external server using FTP or SCP.
The Pulse client uses the ECHO protocol (TCP port 7) to determine network availability. TCP ECHO packets are sent every 30 seconds from the management Ethernet port to one or more pulse servers (usually in the Network Operation Center or on the other side of the WAN). The in-band/production network is deemed down after four consecutive ECHO failures from all defined pulse servers, after which the Local Manager can automatically initiate an out-of-band connection over the modem or secondary Ethernet port to reestablish connectivity to the remote site.
While out-of-band, the Local Manager routes all traffic over the out-of-band connection except for ECHOs destined for the pulse server and for local traffic as defined by the user with the config system route command. The Local Manager will automatically tear down the out-of-band connection and communicate over the in-band/management Ethernet connection when it sees that the in-band network is operational again (determined by five consecutive successful echo requests).
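An added illustration of the failover and failback thresholds described above (example code, not Uplogix's own): a small state machine that consumes one 30-second polling round of TCP ECHO results per pulse server and reports when the Local Manager would switch to or from the out-of-band path. Treating failback as five consecutive successes from any one pulse server is an assumption, since the text does not say whether that count is per server.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Thresholds from the page: four consecutive ECHO failures from every defined
# pulse server mark the in-band network down; five consecutive successes bring it back.
FAIL_THRESHOLD = 4
SUCCESS_THRESHOLD = 5


@dataclass
class PulseMonitor:
    """Tracks per-server ECHO results and decides in-band vs. out-of-band."""
    servers: list[str]
    out_of_band: bool = False
    consecutive_fail: dict[str, int] = field(default_factory=dict)
    consecutive_ok: dict[str, int] = field(default_factory=dict)

    def __post_init__(self) -> None:
        for s in self.servers:
            self.consecutive_fail[s] = 0
            self.consecutive_ok[s] = 0

    def record(self, results: dict[str, bool]) -> str:
        """Feed one polling round as {server: echo_succeeded}; a server missing
        from the round counts as a failure. Returns 'failover', 'failback' or 'none'."""
        for s in self.servers:
            if results.get(s, False):
                self.consecutive_ok[s] += 1
                self.consecutive_fail[s] = 0
            else:
                self.consecutive_fail[s] += 1
                self.consecutive_ok[s] = 0
        if not self.out_of_band:
            # Failover only when ALL pulse servers have failed four rounds in a row.
            if all(self.consecutive_fail[s] >= FAIL_THRESHOLD for s in self.servers):
                self.out_of_band = True
                return "failover"
        # Assumption: one pulse server answering five consecutive echoes is enough
        # to declare the in-band path operational again.
        elif any(self.consecutive_ok[s] >= SUCCESS_THRESHOLD for s in self.servers):
            self.out_of_band = False
            return "failback"
        return "none"


def simulate(servers: list[str], rounds: list[dict[str, bool]]) -> list[str]:
    """Run a constructed sequence of polling rounds and return the transition per round."""
    mon = PulseMonitor(servers)
    return [mon.record(r) for r in rounds]
```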
The Local Manager communicates with the Control Center using a proprietary TLS-encrypted protocol over TCP port 8443 to provide regular updates that include current device status information, the status of scheduled jobs, alarms, events and configuration changes on the Local Manager. The message sent by the Local Manager to the Control Center and acknowledged by the Control Center is called the heartbeat. The heartbeat contains compressed data to reduce the load on the network and is sent at a 30 second interval by default.
You can change the heartbeat interval and TCP port from the command line using the config system management command.
If this feature is enabled, the Local Manager will synchronize time with a Network Time Protocol (NTP) server using UDP port 123. If the Local Manager is used with the Control Center, it will sync its time over the heartbeat with the Control Center by default. The Local Manager can be configured to sync its time with an NTP server instead of the Control Center using the config system ntp command.
If Reverse SSH is enabled, the Control Center will listen for connections from the Local Manager on TCP port 2222. TCP port 2244 is used by clients to connect their workstation to the Control Center via the Reverse SSH tunnel.
If a third-party AAA server is used, for RADIUS servers the default port is UDP 1645 or 1812; for TACACS, the default port is TCP 49.