
What Port 3220 Does

Port 3220 is assigned to xnm-ssl: the Junos XML Network Management Protocol over SSL. It is the encrypted listening port for Juniper routers and switches running Junos OS, accepting connections from XML protocol client applications that manage device configuration and state.

The unencrypted counterpart — cleartext XML management — runs on port 3221.

If you see port 3220 open on a device, you are almost certainly looking at a Juniper device with the Junos XML protocol server enabled.

How the Junos XML Protocol Works

Juniper developed its own XML-based management protocol as a way to programmatically configure and query Junos devices. A client connects to the device, negotiates an SSL session on port 3220, and then exchanges XML documents — sending RPC requests (<get-interface-information/>, <load-configuration/>) and receiving structured XML responses.

This predates NETCONF's standardization but covers similar ground. NETCONF (which runs over SSH on port 830) eventually became the industry standard for model-driven network automation. The Junos XML protocol remains supported on Juniper devices, particularly in environments that built automation tooling before NETCONF matured.

To enable it on a Junos device:

set system services xnm-ssl

By default, the server supports up to 75 simultaneous SSL sessions and limits connection attempts to 150 per minute. Both limits are configurable.

Who Uses This Port

This port is used by network operations teams managing Juniper infrastructure, particularly those running older automation scripts or tools built against the Junos XML API rather than NETCONF or gRPC. In modern Juniper environments, NETCONF over SSH (port 830) is the preferred path, but xnm-ssl survives in shops that haven't migrated.

If you encounter port 3220 open on the public Internet, it is either a misconfigured Juniper device exposing its management plane (a security problem) or a scanner artifact.

Security Considerations

Management plane ports — xnm-ssl included — should never be reachable from untrusted networks. If you find port 3220 open externally, the device's XML management interface is exposed. An attacker with valid credentials could read full device configuration, modify routing, or exfiltrate network topology.

Junos devices should restrict xnm-ssl access with firewall filters that limit connections to known management hosts.
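
One way to audit this restriction offline, as an added example that is not from the original page or from Juniper: a Python check that reads a Junos configuration in set format and reports when xnm-ssl is enabled without a filter that limits who can reach port 3220. It assumes the filter is applied as an IPv4 input filter on lo0 and matches the port numerically; the filter name PROTECT-RE and the 192.0.2.0/24 management range are constructed.

```python
import re
TERM = re.compile(r"set firewall family inet filter (\S+) term (\S+) (from|then) (\S+)\s*(\S*)")
LO0 = re.compile(r"set interfaces lo0 unit \d+ family inet filter input (\S+)")

def parse_filters(lines):
    """Map filter -> term -> {'from': [...], 'then': [...]}, keeping configuration order."""
    filters = {}
    for m in filter(None, map(TERM.match, lines)):
        name, term, kind, key, val = m.groups()
        filters.setdefault(name, {}).setdefault(term, {"from": [], "then": []})[kind].append((key, val))
    return filters

def exposure(terms):
    """Walk terms top-down; 'open' if any source can reach tcp/3220 (numeric port matches only)."""
    for conds in terms.values():
        ports = [v for k, v in conds["from"] if k == "destination-port"]
        protos = [v for k, v in conds["from"] if k == "protocol"]
        if (ports and "3220" not in ports) or (protos and "tcp" not in protos):
            continue  # this term cannot match xnm-ssl traffic
        actions = {k for k, _ in conds["then"]}
        limited = any(k in ("source-address", "source-prefix-list") for k, _ in conds["from"])
        if limited or "next" in actions:
            continue  # only listed sources match, or evaluation falls through
        return "restricted" if actions & {"discard", "reject"} else "open"
    return "restricted"  # a Junos filter ends with an implicit discard

def audit(config_text):
    """Return findings for a Junos configuration given in 'set' format."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip().startswith("set ")]
    findings = []
    if any(l.startswith("set system services xnm-clear-text") for l in lines):
        findings.append("xnm-clear-text enabled (unencrypted, port 3221)")
    if any(l.startswith("set system services xnm-ssl") for l in lines):
        applied = [m.group(1) for m in filter(None, map(LO0.match, lines))]
        filters = parse_filters(lines)
        if not applied:
            findings.append("xnm-ssl enabled, no input filter on lo0")
        findings += [f"xnm-ssl enabled, filter {n} accepts port 3220 from any source"
                     for n in applied if exposure(filters.get(n, {})) == "open"]
    return findings

# Constructed sample: management hosts are allowed first, but the catch-all accept opens 3220.
SAMPLE = """
set system services xnm-ssl
set firewall family inet filter PROTECT-RE term mgmt from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term mgmt from destination-port 3220
set firewall family inet filter PROTECT-RE term mgmt then accept
set firewall family inet filter PROTECT-RE term default then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
"""
```

Calling audit(SAMPLE) flags the filter because the final catch-all accept lets any source through; changing that term to discard, or removing it so the implicit discard applies, clears the finding.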

How to Check What's Listening on Port 3220

On Linux or macOS:

# See what process is listening
ss -tlnp sport = :3220

# Or with lsof
lsof -i :3220

# Test if a remote host is listening
nc -zv <host> 3220

On a Junos device, to see if xnm-ssl is active:

show system services

Port Range Context

Port 3220 sits in the registered port range (1024–49151). These ports are assigned by IANA for specific services upon application — they are not reserved for system use like well-known ports (0–1023), but they are not randomly assigned either. When IANA lists a service on a registered port, a vendor or working group submitted a formal request documenting the protocol and its intended use.

xnm-ssl is IANA-registered, which means Juniper went through that process. The assignment is real, narrow, and vendor-specific.

| Port | Service | Notes |
|------|---------|-------|
| 3221 | xnm-clear-text | Junos XML management, unencrypted |
| 830 | netconf-ssh | NETCONF over SSH (RFC 6242), the modern standard |
| 22 | SSH | Also used for Junos CLI and NETCONF sessions |
