What are common firewall rules needed for distributed scans?

To support a Distributed Scan in the Spirion Sensitive Data Platform, you must configure firewall rules to allow communication between the Discovery Agent, the Search Agents (Workers), and the Spirion Sensitive Data Platform console.

The architecture relies on a Postgres-backed queueing model where the Discovery Agent hosts the "work" and Search Agents connect to it to claim tasks.

1. Internal Network (Agent-to-Agent)

These rules must be open on the Discovery Agent's local firewall and any network firewalls between the Discovery Agent and the Search Agents.

Direction            | Port       | Protocol | Purpose
---------------------|------------|----------|--------------------------------------------------------------
Inbound to Discovery | 6433       | TCP      | pgBouncer (Critical): Search Agents connect here to check out work from the job queue.
Inbound to Discovery | 5433       | TCP      | PostgreSQL: Used for direct database management and initialization (usually local, but sometimes needed for remote troubleshooting).
Inbound to Discovery | 8080 / 443 | TCP      | Agent Communication: In some configurations, agents use these ports to coordinate status or heartbeat when they are not going through the console.
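The following PowerShell script is an added example, not Spirion's own tooling, meant to be run as an administrator on the Discovery Agent. It first checks which local address pgBouncer (6433) and PostgreSQL (5433) are actually listening on, then creates the two inbound rules from the table above scoped to the Search Agent subnet only, so the job queue is not reachable from the whole network. The subnet and the expected bind address are placeholders; the optional 8080/443 agent-communication ports are left out because the page says they are only used in some configurations.

```powershell
# Added example (not Spirion's own tooling): run on the Discovery Agent as an
# administrator. Verifies the queue listener's bind address and creates inbound
# rules limited to the Search Agent subnet. Values below are placeholders.

$SearchAgentSubnet = '10.20.30.0/24'   # placeholder: subnet where your Search Agents live
$ExpectedBindIp    = '10.20.30.5'      # placeholder: Discovery Agent IP registered in the SDP Console

# 1. Confirm something is listening on 6433/5433 and on which local address.
#    A listener bound only to another NIC's IP looks like a blocked port even
#    when the firewall rule itself is correct.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 6433, 5433 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

if (-not $listeners) {
    Write-Warning 'Nothing is listening on 6433 or 5433; check the Spirion Postgres/pgBouncer services before touching the firewall.'
} else {
    $listeners | Format-Table -AutoSize
    $queue = $listeners | Where-Object LocalPort -eq 6433
    if ($queue -and -not (($queue.LocalAddress -contains $ExpectedBindIp) -or ($queue.LocalAddress -contains '0.0.0.0'))) {
        Write-Warning "pgBouncer is bound to $($queue.LocalAddress -join ', '), not $ExpectedBindIp; Search Agents using the console-registered IP will fail."
    }
}

# 2. One inbound rule per port, restricted to the Search Agent subnet.
$rules = @(
    @{ Name = 'Spirion Discovery - pgBouncer queue (6433)'; Port = 6433 },
    @{ Name = 'Spirion Discovery - PostgreSQL (5433)';      Port = 5433 }
)

foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already exists: $($r.Name)"
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name `
        -Direction Inbound -Protocol TCP -LocalPort $r.Port `
        -RemoteAddress $SearchAgentSubnet `
        -Profile Domain, Private `
        -Action Allow | Out-Null
    Write-Host "Created: $($r.Name) from $SearchAgentSubnet"
}

# 3. Show the resulting rules with their port and address scope for the change record.
Get-NetFirewallRule -DisplayName 'Spirion Discovery*' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Port    = $port.LocalPort
            From    = $addr.RemoteAddress
            Enabled = $_.Enabled
        }
    } | Format-Table -AutoSize
```

If the listener check shows 6433 bound to an address other than the one registered in the console, fix the binding (or the console registration) before opening more ports; a wider firewall rule will not help a Search Agent that is connecting to an IP nothing listens on.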

2. External Network (Agent-to-Spirion Sensitive Data Platform)

All agents (Discovery and Search) must be able to communicate with the Spirion Cloud Console. These are typically Outbound rules.

Direction | Port | Protocol | Destination      | Purpose
----------|------|----------|------------------|--------------------------------------------------------------
Outbound  | 443  | HTTPS    | *.spirion.com    | Policy & Reporting: Downloading scan instructions and uploading results/telemetry.
Outbound  | 443  | HTTPS    | *.amazonaws.com  | Storage/Ingress: Results are often shipped to an S3-backed Ingress service.

3. Target Access (Discovery Agent only)

The Discovery Agent requires specific permissions to crawl the Target locations.

For example:

  • File Shares (SMB): Ports 139 and 445 (TCP/UDP) must be open from the Discovery Agent to the File Server.
  • SharePoint/O365: Port 443 (HTTPS) must be open to Microsoft's cloud URLs.
  • SQL Databases: Port 1433 (TCP) for MS SQL, or the specific port for Oracle/MySQL/etc.

Common Pitfalls and Troubleshooting

  • The "Ephemeral Port" Issue: Ensure that the Discovery Agent machine isn't blocking the high-range ports used by Windows for dynamic RPC communication if scanning remote Windows targets.
  • Postgres Binding: By default, the Spirion Postgres instance binds to the IP address of the Discovery Agent. If the agent has multiple NICs, ensure the firewall rule matches the IP registered in the SDP Console.
  • SSL Inspection: Deep Packet Inspection (DPI) or SSL Inspection on firewalls/proxies can break the connection to SDP Cloud. Ensure *.spirion.com is bypassed or the Spirion certificate is trusted.
  • Verification Command: From a Search Agent machine, run this PowerShell command to test connectivity to the Discovery Agent:
    Test-NetConnection [Discovery_Agent_IP] -Port 6433
    If this returns TcpTestSucceeded : False, the Search Agent will log the "Unable to find job queue" error you saw earlier.
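The script below is an added example, not Spirion's own tooling, that extends the single Test-NetConnection check above to every path a Search Agent needs: the queue and Postgres ports on the Discovery Agent and the two outbound HTTPS destinations. It also reports who issued the TLS certificate actually received on port 443, which is the quickest way to tell whether an SSL-inspection proxy is sitting between the agent and SDP Cloud. The Discovery Agent IP and the two hostnames are placeholders for your own values.

```powershell
# Added example (not Spirion's own tooling): run on a Search Agent machine.
# Tests the required TCP paths and shows the issuer of the certificate
# presented on 443, so an inspecting proxy is visible. Values are placeholders.

$DiscoveryAgent = '10.20.30.5'                   # placeholder: IP registered in the SDP Console
$ConsoleHost    = 'your-tenant.spirion.com'      # placeholder: your console host under *.spirion.com
$IngressHost    = 'your-bucket.s3.amazonaws.com' # placeholder: your ingress endpoint under *.amazonaws.com

function Test-SpirionPath {
    # Wraps Test-NetConnection and keeps only the result that matters here.
    param([string]$HostName, [int]$Port, [string]$Purpose)
    $r = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target  = "${HostName}:$Port"
        Purpose = $Purpose
        Open    = $r.TcpTestSucceeded
    }
}

function Get-TlsIssuer {
    # Opens a TLS session and returns the issuer of the certificate presented.
    # Certificate validation is deliberately disabled so an intercepting proxy's
    # certificate is returned rather than rejected; diagnostic use only.
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return $ssl.RemoteCertificate.Issuer
    } catch {
        return "TLS handshake failed: $($_.Exception.Message)"
    } finally {
        $client.Dispose()
    }
}

$results = @(
    Test-SpirionPath $DiscoveryAgent 6433 'pgBouncer job queue (required)'
    Test-SpirionPath $DiscoveryAgent 5433 'PostgreSQL (remote troubleshooting only)'
    Test-SpirionPath $ConsoleHost    443  'SDP console: policy download, results upload'
    Test-SpirionPath $IngressHost    443  'S3-backed ingress'
)
$results | Format-Table -AutoSize

# The queue port is the one that produces the "Unable to find job queue" error.
if (-not ($results | Where-Object { $_.Target -like '*:6433' }).Open) {
    Write-Warning "6433 on $DiscoveryAgent is closed; expect 'Unable to find job queue' in the Search Agent log."
}

# An issuer naming your proxy or internal CA rather than a public CA means the
# session is being inspected: bypass *.spirion.com or trust that CA on the agent.
foreach ($h in $ConsoleHost, $IngressHost) {
    Write-Host "$h certificate issued by: $(Get-TlsIssuer -HostName $h)"
}
```

Run it once from a Search Agent that works and once from the one that fails; the first row that differs between the two outputs is normally the rule that is missing.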

Summary for your specific error

Since your logs show "Job Queue connection failed," the most likely culprit is that Port 6433 is blocked on the Discovery Agent, preventing your Search Agents from reaching the Postgres queue.
