The web resources for firewall settings only indicates the ports required, but only indicates two ports, 5683 and 5684. However, network logs show the devices making an outbound connection request to port 123, which I see Particle has registered as using for NTP time syncing. Are devices now using port 123? If so, can the protocol be confirmed as well as the domain or IP(s) used on that port?
Additionally, I have noted the below domains as having been mentioned for those that the devices require. Is this list correct? If possible, can all these details be added to the online documentation as well? It says to avoid using the list of static IPs but does not provide the list of domains.
Here is my current list I share with customers for the Particle cloud connections:
TCP Ports Open (Outbound Traffic)
5683
UDP Ports Open (Outbound Traffic)
5684
Domains Open (Outbound Traffic) - note that DNS filtering must use DNS group filtering not single-host DNS filtering
The cloud time sync is done a CoAP packet on the regular cloud connection. There is no NTP in Device OS for time synchronization.
However, if you have a Particle cloud connection failure, there is an internet test that makes an outgoing NTP UDP request (pool.ntp.org, port 123) to see if you have working DNS and Internet to other hosts. If you have this blocked, the cloud connection will still work, but it will affect the logs,
Got it - yes this was a situation where we were working through a firewall issue with a customer and the device didn’t have full connectivity. That makes sense!
It doesn’t sound like there’s much risk to leaving that blocked in normal operation - I assume it wouldn’t cause any blocking behavior to user firmware (system thread is enabled) though if that’s incorrect please let me know.
Thanks so much as always. I also saw that the documentation was updated with some of this info. One additional suggestions would be that if the list of required domains could be added that would probably be helpful for future customers dealing with firewalls (and may be helpful to specify that group filtering is required).