Next2IT

Free tool

Is your firewall locked down on the way out?

Most firewalls are good at blocking traffic coming in. This quick test checks the other direction: whether your network lets traffic out on standard and non-standard ports, which is a key part of your security posture.

Outbound firewall & port test

Checks whether your network lets traffic out on standard and non-standard HTTPS ports. Tightly controlled outbound access is good security. Wide-open egress is a red flag.

A browser can only test outbound HTTPS reachability, so this is an indicative check, not a full port scan. It can’t test raw SSH, RDP, SMTP or UDP, so for that you need a proper assessment from your network. See the notes below.

How to read these results

  • This runs from your browser, so it can only test outbound HTTPS reachability. It can’t open raw SSH, RDP, SMTP or UDP connections.
  • It probes a Cloudflare endpoint that listens on standard and alternate HTTPS ports, so there’s always a real server on the other end. A reply means your firewall let the traffic out; a timeout means it was blocked.
  • Port 443 is the baseline and should always be reachable. If it isn’t, you’re likely offline or behind a proxy and the other results aren’t meaningful.
  • A blocked port here means egress on that port is filtered, which is usually a good thing. Reachable non-standard ports aren’t necessarily bad, but unnecessary open egress widens your attack surface.
  • A corporate proxy doing TLS inspection may still allow these and rewrite the connection, so results are indicative, not a substitute for a proper firewall audit.

The ports a browser can't reach

The risky ports that need a real test

A web page can't open these, but they're exactly the ones malware and attackers abuse. A proper egress review checks them from inside your network, where there are no browser limits.

  • RDP (3389): Remote Desktop, a top ransomware entry point when exposed.
  • SSH (22): Remote shell and file transfer.
  • Telnet (23): Unencrypted remote access that should never be open.
  • SMTP (25 / 587): Outbound mail, where open egress enables spam and exfiltration.
  • SMB (445): Windows file sharing, wormable (e.g. WannaCry).
  • FTP (21): Legacy, often unencrypted file transfer.
  • SQL (1433 / 3306): Database ports (SQL Server / MySQL) that should stay internal.
  • DNS (53): Can be abused for tunnelling and data exfiltration.

Why it matters

Controlling the way out is half of security

Locking down outbound traffic limits what malware can do and how data can leave. It's a quiet but vital part of a healthy security posture.

Tighten and monitor your egress

We review and harden firewall rules to a sensible default-deny outbound policy as part of network remediation, then keep watch with our 24×7 Network Operations Centre so unusual outbound traffic is spotted fast.

A proper security review

This browser test only scratches the surface. For the full picture across ports, protocols, data exposure and shadow IT, an AI security audit or a hands-on assessment from our support team gives you a prioritised plan.

Questions

About this tool

It checks whether your network allows outbound HTTPS connections on a range of standard and non-standard ports. We probe a Cloudflare endpoint that answers on several HTTPS ports (443, 2053, 2083, 2087, 2096 and 8443), so a successful connection tells you your firewall permitted that outbound traffic, and a timeout tells you it was blocked.
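The probe described here and the rules under "How to read these results" can be sketched as follows. This is an added example, not the tool's own source: `PROBE_HOST` is a placeholder because the page does not name the endpoint, and the `error` outcome and the verdict labels are assumptions of the example.

```javascript
// Added example, not the tool's own source. PROBE_HOST is a placeholder.
const PROBE_HOST = "probe.example.invalid";
const PORTS = [443, 2053, 2083, 2087, 2096, 8443]; // ports named on this page
const BASELINE = 443;

// Browser probe: any reply (even an opaque no-cors one) means the firewall
// let the connection out; our own timeout firing means it was dropped.
async function fetchProbe(host, port, timeoutMs) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try {
    await fetch(`https://${host}:${port}/`, {
      mode: "no-cors", cache: "no-store", signal: ctrl.signal });
    return "reachable";
  } catch (err) {
    // Assumption: a fast failure (reset, TLS error) is kept separate from a
    // timeout, since the page only defines "reply" and "timeout".
    return err.name === "AbortError" ? "timeout" : "error";
  } finally {
    clearTimeout(timer);
  }
}

// Apply the page's reading rules to a { port: outcome } map.
function interpret(results) {
  const report = { meaningful: true, open: [], blocked: [], inconclusive: [] };
  if (results[BASELINE] !== "reachable") {
    // 443 must work; otherwise you are offline or behind a proxy.
    return { ...report, meaningful: false, verdict: "baseline-unreachable" };
  }
  for (const port of PORTS.filter((p) => p !== BASELINE)) {
    const outcome = results[port];
    if (outcome === "reachable") report.open.push(port);
    else if (outcome === "timeout") report.blocked.push(port);
    else report.inconclusive.push(port);
  }
  // Verdict labels are this example's own, not the tool's.
  report.verdict = report.open.length === 0 ? "no-alternate-egress"
    : report.open.length === PORTS.length - 1 ? "wide-open" : "partially-open";
  return report;
}

// Probes run in parallel so six timeouts cost one timeout of wall time.
async function runEgressTest(host = PROBE_HOST, probe = fetchProbe, timeoutMs = 4000) {
  const outcomes = await Promise.all(PORTS.map((p) => probe(host, p, timeoutMs)));
  return interpret(Object.fromEntries(PORTS.map((p, i) => [p, outcomes[i]])));
}
```

Ports that land in `inconclusive` are the ones a TLS-inspecting proxy or a rejecting firewall can distort, so they need checking from the firewall itself.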

Most security attention goes on blocking inbound traffic, but controlling what can leave your network is just as important. Malware, ransomware and data-exfiltration tools often 'phone home' or move data out over unusual ports. A firewall that only allows the outbound traffic you actually need makes that much harder, and is a requirement of frameworks like Cyber Essentials.

Not always. Some legitimate services use alternate ports. But every port you allow out is one more path an attacker or a piece of malware can use. Good practice is default-deny outbound, opening only what's needed. If lots of non-standard ports are wide open, it's worth reviewing your firewall's egress rules.

Browsers can't open raw TCP or UDP sockets, only HTTP/HTTPS and WebSockets, and they can't reach plain HTTP from a secure page. So this tool can only indicate HTTPS egress. Testing the full range of ports and protocols (SSH on 22, RDP on 3389, SMTP on 25, DNS, and so on) needs a proper assessment run from inside your network, which is exactly the kind of thing we do.

No. The test runs entirely in your browser and nothing is stored. It only makes lightweight requests to our own domain to see which ports are reachable, and there's no sign-up and no logging of your results.

Open outbound ports aren't an emergency, but they're worth understanding. We can review your firewall configuration, tighten egress to a default-deny policy, and put monitoring in place so unusual outbound traffic is spotted quickly. Get in touch for a firewall and network security review.

Want a proper firewall review?

We'll assess your inbound and outbound rules, tighten what needs tightening, and monitor the rest. No jargon, no hard sell.
