
V-253858

CAT II (Medium)

Firewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.

Rule ID

SV-253858r997280_rule

STIG

Tanium 7.x Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-001762

Discussion

If using the Tanium Zone Server to proxy traffic from Tanium-managed computers on less trusted network segments to the Tanium Server on the core network, the Tanium Zone Server Hub, typically installed on the Tanium Server device, must be able to connect to the Zone Server(s) in the DMZ. This is the only configuration that requires allowing outbound traffic on port 17472 from the Tanium Server device. The ZoneServerList.txt configuration file in the Tanium Zone Server Hub's installation folder identifies the addresses of the destination Zone Servers. Refer to the Zone Server Configuration page for more details.

Port Needed: Tanium Server to Zone Server over TCP port 17472.

Network firewall rules: Allow TCP traffic on port 17472 from the Zone Server Hub, usually the Tanium Server device, to the destination DMZ device(s) hosting the Zone Server(s).

Endpoint firewall rules: For additional security, configure the following endpoint firewall rules:

  • Allow TCP traffic outbound on port 17472 from only the Zone Server Hub process running on the Tanium Server device.
  • Allow TCP traffic inbound on port 17472 to only the Zone Server process running on the designated Zone Server device(s).

For more information, refer to https://docs.tanium.com/platform_install/platform_install/reference_network_ports.html.

Check Content

Note: If a Zone Server is not being used, this is not applicable.

Consult with the Tanium system administrator to verify which firewall is being used as a host-based firewall on the Tanium Server.

1. Access the Tanium Server.

2. Log on to the server with an account that has administrative privileges.

3. Access the host-based firewall configuration on the Tanium Server.

4. Validate a rule exists for the following:

Port Needed: Tanium Server to Zone Server over TCP port 17472.

Note: By default, the Zone Server uses 17472 for traffic from Zone Server Hubs and Tanium Clients. However, as a best practice to improve the security of the Zone Server, different ports can be configured for the hubs and clients.

If a host-based firewall rule does not exist to allow TCP port 17472 or other defined port, bidirectionally, from the Tanium Server to the Tanium Zone Server, this is a finding.
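As an added example (not part of the STIG and not Tanium's own tooling), the following PowerShell script performs step 4 of the check on a Windows-based Tanium Server running Windows Defender Firewall: it looks for an enabled outbound allow rule covering TCP 17472 and reports whether that rule is also scoped to the Zone Server Hub program and to specific remote addresses, as the Discussion recommends. The hub executable path and the port value are assumptions; substitute the values from your deployment and compare the reported remote addresses against ZoneServerList.txt.

```powershell
# Added example, not part of the STIG or of Tanium's documentation. Audits Windows
# Defender Firewall on a Windows-based Tanium Server for the outbound rule this check
# requires, and reports whether it is scoped to the hub process and Zone Server addresses.
# Run in an elevated PowerShell session on the Tanium Server.

# Assumed values (placeholders, not from the page): take the real hub executable path
# from your installation; the Zone Server addresses to expect come from ZoneServerList.txt.
$HubProgram   = 'C:\Program Files\Tanium\Tanium Zone Server Hub\TaniumZoneServerHub.exe'
$ExpectedPort = '17472'   # default Zone Server port; change if a non-default hub port is configured

function Test-PortCovers([string[]]$PortSpec, [string]$Port) {
    # A rule covers the port if it is 'Any', lists it explicitly, or includes it in a range.
    foreach ($p in $PortSpec) {
        if ($p -eq 'Any' -or $p -eq $Port) { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and [int]$Port -ge [int]$Matches[1] -and [int]$Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

$matching = foreach ($rule in Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -ne 'TCP') { continue }
    if (-not (Test-PortCovers @($portFilter.RemotePort) $ExpectedPort)) { continue }
    $appFilter  = $rule | Get-NetFirewallApplicationFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Program       = $appFilter.Program
        RemoteAddress = (@($addrFilter.RemoteAddress) -join ',')
        ScopedToHub   = ($appFilter.Program -eq $HubProgram)
        ScopedToZones = (@($addrFilter.RemoteAddress | Where-Object { $_ -ne 'Any' }).Count -gt 0)
    }
}

if (-not $matching) {
    Write-Output "FINDING: no enabled outbound TCP/$ExpectedPort allow rule from the Tanium Server to the Zone Server."
} else {
    Write-Output "Outbound TCP/$ExpectedPort allow rule(s) present (not a finding for this check):"
    $matching | Format-Table -AutoSize
    if (-not ($matching | Where-Object { $_.ScopedToHub })) {
        Write-Output "Hardening gap: no rule is restricted to the Zone Server Hub program ($HubProgram)."
    }
    if (-not ($matching | Where-Object { $_.ScopedToZones })) {
        Write-Output "Hardening gap: no rule restricts the remote address to the Zone Server device(s)."
    }
}
```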

Fix Text

1. Configure host-based firewall rules on the Tanium Zone Server to include the following required traffic:

Allow Tanium Server to Zone Server over TCP port 17472.

2. Configure the network firewall to allow the above traffic.

Note: By default, the Zone Server uses 17472 for traffic from Zone Server Hubs and Tanium Clients. However, as a best practice to improve the security of the Zone Server, different ports can be configured for the hubs and clients.