Firewall Requirements
Last Updated | 28 August 2025 |
General Network Requirements
All Peer Agent servers must have network access to the server running the Peer Management Broker (typically installed with Peer Management Center, but starting in PeerGFS v5.1, it can run on a standalone server).
Each Peer Agent must be configured with the hostname, FQDN, or IP address of the server hosting the Peer Management Broker.
In multi-broker environments, each Agent must be configured with the address of every assigned broker, including both primary and failover brokers.
Any Peer Agent partnered with a storage platform must reside on the same domain, same network segment, and same subnet as its partner. The connection must operate at minimum 1 Gbit/sec with sub-millisecond latency.
Port and protocol requirements depend on the storage platform. See Platform-Specific Requirements for details.
Firewall Requirements between Peer Management Center/Peer Management Broker and Peer Agent
Peer Management Center/Peer Management Broker:
Inbound port TCP 61617 must be open for TLS/SSL communication with Peer Agents.
Inbound port TCP 61616 must be open for unencrypted TCP communication with Peer Agents if TLS/SSL communication is not required.
Peer Agents:
Outbound port TCP 61617 must be open for TLS/SSL communication with Peer Management Center/Peer Management Broker.
Outbound port TCP 61616 must be open for unencrypted TCP communication with Peer Management Center/Peer Management Broker if TLS/SSL communication is not required.
Firewall Requirements between Peer Management Center and the Internet
Peer Management Center has the following firewall requirements to upload log files and analytics data, as well as to check for software updates:
Outbound ports TCP 80 (HTTP) and TCP 443 (HTTPS) must be opened. More Information can be found here.
Firewall Requirements between Peer Management Center and the local network
In order to be able to access the Peer Management Center Web UI or REST API, the following default firewall requirements must be met:
Inbound port TCP 8443 (HTTPS) must be open to be able to access the Web UI.
Inbound port TCP 8442 (HTTPS) must be open to be able to access the REST API.
Those ports can be changed in the Peer Management Center Preferences dialog, under the General Configuration section. You also can set/update the firewall rules from there.
Firewall Requirements between Peer Management Brokers (including on the server hosting the Peer Management Center)
Inbound and Outbound port TCP 61617 must be open for TLS/SSL communication between Peer Brokers.
Inbound and Outbound port TCP 61616 must be open for unencrypted TCP communication between Peer Brokers if TLS/SSL communication is not required.
Firewall Requirements between the Peer Edge Service and the Peer Master Data Service (Edge Caching only)
Peer Agents running the Peer Master Data Service:
Inbound port TCP 8446 must be open to receive encrypted requests from the Peer Edge Service in order to support stub file rehydration and pass-through reads.
Peer Agents running the Peer Edge Service:
Outbound port TCP 8446 must be open to send encrypted requests to the Peer Master Data Service in order to support stub file rehydration and pass-through reads.
This port is configurable for each server hosting the Peer Master Data Service. It is configured during initial setup of Edge Caching and can be changed in the Peer Management Center Preferences dialog, under Collab, Sync, and Replication > Edge Caching > Master Data Service.
PeerIQ Local Network Firewall Requirements
Firewall Requirements between PeerIQ and the Internet
PeerIQ has the following firewall requirements to upload log files and analytics data, as well as to check for software updates:
Outbound ports TCP 80 (HTTP) and TCP 443 (HTTPS) must be opened. More Information can be found here.
Firewall Requirements between PeerIQ and the local network
If you have deployed the Ubuntu-based PeerIQ virtual appliance, the following default firewall requirements must be met in order to access the main PeerIQ UI as well as the Service Administrator portal:
Inbound port TCP 443 (HTTPS) must be open to be able to access the main PeerIQ portal.
Inbound port TCP 4443 (HTTPS) must be open to be able to access PeerIQ's Service Administrator portal.
If you have installed PeerIQ on an existing Red Hat Enterprise Linux or Rocky Linux server, the following default firewall requirements must be met in order to access the main PeerIQ UI as well as the Service Administrator portal:
Inbound port TCP 4430 (HTTPS) must be open to be able to access the main PeerIQ portal.
Inbound port TCP 4443 (HTTPS) must be open to be able to access PeerIQ's Service Administrator portal.
Firewall Requirements between PeerIQ and the Peer Management Broker on the server hosting the Peer Management Center
Inbound and Outbound port TCP 61617 must be open for TLS/SSL communication between PeerIQ and the Peer Management Broker.
Inbound and Outbound port TCP 61616 must be open for unencrypted TCP communication between PeerIQ and the Peer Management Broker if TLS/SSL communication is not required.
Storage Platform-Specific Requirements
Firewall Requirements between a Peer Agent and Nutanix Files
TCP Port 9898 must be open inbound into the Peer Agent server and outbound from Nutanix Files. This allows the Peer Agent to receive file activity notifications from Nutanix Files.
TCP Port 9440 must be open outbound from the Peer Agent server and inbound into Nutanix Files. This allows the Peer Agent to access the REST API built into Nutanix Files.
SMB-related ports must be open outbound from the Peer Agent server and inbound into Nutanix files. This allows the Peer Agent to read and write data.
NFS-related ports must be open outbound from the Peer Agent server and inbound into Nutanix files. This allows the Peer Agent to read and write data.
Peer Agent | Nutanix Files | |
|---|---|---|
TCP 9898 | <-- | TCP 9898 |
TCP 9440 | --> | TCP 9440 |
SMB | --> | SMB |
NFS | --> | NFS |
Firewall Requirements between a Peer Agent and NetApp ONTAP
TCP Port 9883 must be open inbound into the Peer Agent server and outbound from each node in the NetApp cluster. This allows the Peer Agent to receive FPolicy requests from the NetApp nodes.
TCP Port 443 must be open outbound from the Peer Agent server and inbound into the SVM's management LIF. This allows the Peer Agent to access ONTAP's REST API.
SMB-related ports must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Peer Agent to read and write data via SMB.
NFS-related ports must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Agent to read and write data via NFS.
Peer Agent | NetApp cluster nodes | |
|---|---|---|
TCP 9883 | <-- | TCP 9883 |
Peer Agent | SVM management LIF | |
TCP 443 | --> | TCP 443 |
Peer Agent | SVM data LIF | |
SMB | --> | SMB |
NFS | --> | NFS |
Firewall Requirements between a Peer Agent and Amazon FSx for NetApp ONTAP (FSxN)
TCP Port 9883 must be open inbound into the Peer Agent server and outbound from each node in the FSxN cluster. This allows the Peer Agent to receive FPolicy requests from the FSxN nodes.
TCP Port 443 must be open outbound from the Peer Agent server and inbound into the SVM's management LIF. This allows the Peer Agent to access ONTAP's REST API.
SMB-related ports must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Peer Agent to read and write data via SMB.
NFS-related ports must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Agent to read and write data via NFS.
Peer Agent | FSxN cluster nodes | |
|---|---|---|
TCP 9883 | <-- | TCP 9883 |
Peer Agent | SVM management LIF | |
TCP 443 | --> | TCP 443 |
Peer Agent | SVM data LIF | |
SMB | --> | SMB |
NFS | --> | NFS |
Firewall Requirements between a Peer Agent and Dell PowerScale using CEE and RabbitMQ
TCP Port 12228 must be open inbound into the CEE services installed on the Peer Agent server and outbound from each node in the PowerScale cluster. This allows CEE to receive audit notifications from the cluster.
TCP Ports 22 and 8080 must be open outbound from the Peer Agent and inbound into each node in the PowerScale cluster. This allows the Peer Agent to access the SSH- and REST API built into OneFS.
SMB-related ports must be open outbound from the Peer Agent and inbound into each node in the PowerScale cluster. This allows the Peer Agent to read and write data.
CEE service | PowerScale | |
|---|---|---|
TCP 12228 | <-- | TCP 12228 |
Peer Agent | PowerScale | |
TCP 22 | --> | TCP 22 |
TCP 8080 | --> | TCP 8080 |
SMB | --> | SMB |
Firewall Requirements between a Peer Agent and Dell PowerScale using Syslog
TCP Port 6514 must be open inbound into the Peer Agent server and outbound from each node in the PowerScale cluster to receive audit notifications from the cluster. This is a default port number and can be configured.
TCP Port 8080 must be open outbound from the Peer Agent and inbound into each node in the PowerScale cluster. This allows the Peer Agent to access the REST API built into OneFS.
SMB-related ports must be open outbound from the Peer Agent and inbound into each node in the PowerScale cluster. This allows the Peer Agent to read and write data.
NFS-related ports must be open outbound from the Peer Agent and inbound into each node in the PowerScale cluster. This allows the Peer Agent to read and write data.
Peer Agent | PowerScale | |
|---|---|---|
TCP 6514 | <-- | TCP 6514 |
TCP 8080 | --> | TCP 8080 |
SMB | --> | SMB |
NFS | --> | NFS |
Firewall Requirements between a Peer Agent and Dell Unity using CEE and RabbitMQ (SMB Only)
TCP Port 12228 must be open inbound into the CEE services installed on the Peer Agent server and outbound from the NAS Server. This allows CEE to receive notifications from Unity.
TCP Port 443 must be open outbound from the Peer Agent and inbound into the NAS Server. This allows the Peer Agent to access the REST API built into Unity OE.
SMB-related ports must be open outbound from the Peer Agent and inbound into the NAS Server. This allows the Peer Agent to read and write data.
CEE service | Unity | |
|---|---|---|
TCP 12228 | <-- | TCP 12228 |
Peer Agent | Unity | |
TCP 443 | --> | TCP 443 |
SMB | --> | SMB |
NFS | --> | NFS |
Firewall Requirements between a Peer Agent and Dell Unity using CEE HTTP
TCP Port 12228 must be open inbound into the CEE service (which may be installed on the Peer Agent server) and outbound from the NAS Server. This allows CEE to receive notifications from Unity.
TCP Port 9843 must be open inbound into the Peer Agent and outbound from the server running the CEE service. This allows CEE to send events to the Peer Agent.
Note: If the CEE service is installed on the same server as the Peer Agent, TCP Port 9843 does not have to be explicitly opened.TCP Port 443 must be open outbound from the Peer Agent and inbound into the NAS Server. This allows the Peer Agent to access the REST API built into Unity OE.
SMB-related ports must be open outbound from the Peer Agent and inbound into the NAS Server. This allows the Peer Agent to read and write data.
NFS-related ports must be open outbound from the Peer Agent and inbound into the NAS Server. This allows the Peer Agent to read and write data.
CEE service | Unity | |
|---|---|---|
TCP 12228 | <-- | TCP 12228 |
Peer Agent | CEE service | |
TCP 9843* | <-- | TCP 9843* |
Peer Agent | Unity | |
TCP 443 | --> | TCP 443 |
SMB | --> | SMB |
NFS | --> | NFS |
* TCP Port 9843 only needs to be open if the CEE service is installed on a server other than the Peer Agent.
Firewall Requirements between a Peer Agent and Dell PowerStore
TCP Port 12228 must be open inbound into the CEE service (which may be installed on the Peer Agent server) and outbound from the NAS Server. This allows CEE to receive notifications from PowerStore.
TCP Port 9843 must be open inbound into the Peer Agent and outbound from the server running the CEE service. This allows CEE to send events to the Peer Agent.
Note: If the CEE service is installed on the same server as the Peer Agent, TCP Port 9843 does not have to be explicitly opened.TCP Port 443 must be open outbound from the Peer Agent and inbound into the NAS server. This allows the Peer Agent to access the REST API built into PowerStore OS.
SMB-related ports must be open outbound from the Peer Agent and inbound into the NAS Server. This allows the Peer Agent to read and write data.
NFS-related ports must be open outbound from the Peer Agent and inbound into the NAS Server. This allows the Peer Agent to read and write data.
CEE service | PowerStore | |
|---|---|---|
TCP 12228 | <-- | TCP 12228 |
Peer Agent | CEE service | |
TCP 9843* | <-- | TCP 9843* |
Peer Agent | Unity | |
TCP 443 | --> | TCP 443 |
SMB | --> | SMB |
TCP Port 9843 only needs to be open if the CEE service is installed on a server other than the Peer Agent.
Notes on Port Usage
SMB-Related Ports
Port | Protocol | Description |
|---|---|---|
TCP/UDP 137 | NBT | Name services |
UDP 138 | NBT | Datagram services |
TCP 139 | SMB 1.0 | Legacy SMB/NBT |
TCP 445 | SMB 2+ | Modern SMB protocol |
NFS-Related Ports
Port | Protocol | Description |
|---|---|---|
TCP/UDP 2049 | NFS | NFS daemon communication |
TCP/UDP 111 | Portmapper | Used by NFS v3 only |
Related articles
- Can PeerSync send email via server requiring SSL?
- Firewall Requirements
- HSTS blocks access to the PMC's web interface
- Replace TLS certificates
- Using the PortCheck utility to troubleshoot connectivity issues
- What causes an Agent to disconnect?
- What firewall settings are needed to enable PeerGFS uploads and download software updates?
- What firewall settings are needed when syncing over FTP?