Firewall Requirements
Last Updated: 22 August 2024
General Network Requirements
- All Peer Agent servers must have some form of network access to the server where Peer Management Broker (usually Peer Management Center) is installed. Starting with PeerGFS v5.1, Peer Management Broker can also be installed on a standalone server.
- All Peer Agents must be configured with the hostname, FQDN, or IP address of the server running Peer Management Broker. In a multiple broker environment, Agents should be configured with the hostname, FQDN, or IP address of each broker that they are assigned to (including both primary and failover brokers).
- Any Peer Agent server that will be partnered with a storage platform must be on the same domain, same network segment, and same subnet as its partner. This network connection must operate at speeds of at least 1 Gbit/sec with sub-millisecond latency.
Specific port and protocol requirements must be met to allow the necessary communication and data flow needed between the Broker, PMC, Agents, and storage platforms. See storage platform-specific information below for the required communication ports and protocols.
Firewall Requirements between Peer Management Center/Peer Management Broker and Peer Agent
Peer Management Center/Peer Management Broker:
- Inbound port TCP 61617 must be open for TLS/SSL communication with Peer Agents.
- Inbound port TCP 61616 must be open for unencrypted TCP communication with Peer Agents if TLS/SSL communication is not required.
Peer Agents:
- Outbound port TCP 61617 must be open for TLS/SSL communication with Peer Management Center/Peer Management Broker.
- Outbound port TCP 61616 must be open for unencrypted TCP communication with Peer Management Center/Peer Management Broker if TLS/SSL communication is not required.
Firewall Requirements between Peer Management Center and the Internet
Peer Management Center has the following firewall requirements to upload logfiles and analytics data, as well as to check for software updates:
- Outbound ports TCP 80 (HTTP) and TCP 443 (HTTPS) must be open. More information is in the related article "What firewall settings are needed to enable PeerGFS uploads and download software updates?" listed below.
Firewall Requirements between Peer Management Center and the local network
In order to be able to access the Peer Management Center Web UI or REST API, the following default firewall requirements must be met:
- Inbound port TCP 8443 (HTTPS) must be open to be able to access the Web UI.
- Inbound port TCP 8442 (HTTPS) must be open to be able to access the REST API.
These ports can be changed in the Peer Management Center Preferences dialog, under the General Configuration section. You can also set or update the firewall rules from there.
Firewall Requirements between Peer Management Brokers (including on the server hosting the Peer Management Center)
- Inbound and Outbound port TCP 61617 must be open for TLS/SSL communication between Peer Brokers.
- Inbound and Outbound port TCP 61616 must be open for unencrypted TCP communication between Peer Brokers if TLS/SSL communication is not required.
Firewall Requirements between the Peer Edge Service and the Peer Master Data Service (Edge Caching only)
Peer Agents running the Peer Master Data Service:
- Inbound port TCP 8446 must be open to receive encrypted requests from the Peer Edge Service in order to support stub file rehydration and pass-through reads.
Peer Agents running the Peer Edge Service:
- Outbound port TCP 8446 must be open to send encrypted requests to the Peer Master Data Service in order to support stub file rehydration and pass-through reads.
This port is configurable for each server hosting the Peer Master Data Service. It is configured during initial setup of Edge Caching and can be changed in the Peer Management Center Preferences dialog, under Collab, Sync, and Replication > Edge Caching > Master Data Service.
Firewall Requirements between a Peer Agent and Nutanix Files
- TCP Port 9898 must be open inbound into the Peer Agent server and outbound from Nutanix Files. This allows the Peer Agent to receive file activity notifications from Nutanix Files.
- TCP Port 9440 must be open outbound from the Peer Agent server and inbound into Nutanix Files. This allows the Peer Agent to access the HTTPS REST-based API built into Nutanix Files.
- SMB-related ports must be open outbound from the Peer Agent server and inbound into Nutanix Files. This allows the Peer Agent to read and write data via SMB.
- NFS-related ports must be open outbound from the Peer Agent server and inbound into Nutanix Files. This allows the Peer Agent to read and write data via NFS.
Peer Agent | Direction | Nutanix Files
---|---|---
TCP 9898 | <-- | TCP 9898
TCP 9440 | --> | TCP 9440
SMB | --> | SMB
NFS | --> | NFS
Firewall Requirements between a Peer Agent and NetApp ONTAP
- TCP Port 9883 must be open inbound into the Peer Agent server and outbound from each node in the NetApp cluster. This allows the Peer Agent to receive FPolicy requests from the NetApp nodes.
- TCP Port 443 must be open outbound from the Peer Agent server and inbound into the SVM's management LIF. This allows the Peer Agent to access ONTAP's API interface.
- SMB-related ports must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Peer Agent to read and write data via SMB.
- NFS-related ports must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Agent to read and write data via NFS.
Peer Agent | Direction | NetApp cluster nodes
---|---|---
TCP 9883 | <-- | TCP 9883

Peer Agent | Direction | SVM management LIF
---|---|---
TCP 443 | --> | TCP 443

Peer Agent | Direction | SVM data LIF
---|---|---
SMB | --> | SMB
NFS | --> | NFS
Firewall Requirements between a Peer Agent and Amazon FSx for NetApp ONTAP (FSxN)
- TCP Port 9883 must be open inbound into the Peer Agent server and outbound from each node in the FSxN cluster. This allows the Peer Agent to receive FPolicy requests from the FSxN nodes.
- TCP Port 443 must be open outbound from the Peer Agent server and inbound into the SVM's management LIF. This allows the Peer Agent to access ONTAP's API interface.
- SMB-related ports must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Peer Agent to read and write data via SMB.
- NFS-related ports must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Agent to read and write data via NFS.
Peer Agent | Direction | FSxN cluster nodes
---|---|---
TCP 9883 | <-- | TCP 9883

Peer Agent | Direction | SVM management LIF
---|---|---
TCP 443 | --> | TCP 443

Peer Agent | Direction | SVM data LIF
---|---|---
SMB | --> | SMB
NFS | --> | NFS
Firewall Requirements between a Peer Agent and Dell PowerScale using CEE and RabbitMQ
- TCP Port 12228 must be open inbound into the CEE services installed on the Peer Agent server and outbound from each node in the PowerScale cluster. This allows CEE to receive audit notifications from the cluster.
- TCP Ports 22 and 8080 must be open outbound from the Peer Agent and inbound into each node in the PowerScale cluster. This allows the Peer Agent to access the SSH- and web-based API built into OneFS.
- SMB-related ports must be open outbound from the Peer Agent and inbound into each node in the PowerScale cluster. This allows the Peer Agent to read and write data.
CEE service | Direction | PowerScale
---|---|---
TCP 12228 | <-- | TCP 12228

Peer Agent | Direction | PowerScale
---|---|---
TCP 22 | --> | TCP 22
TCP 8080 | --> | TCP 8080
SMB | --> | SMB
Firewall Requirements between a Peer Agent and Dell PowerScale using Syslog
- TCP Port 6514 must be open inbound into the Peer Agent server and outbound from each node in the PowerScale cluster. This allows the Peer Agent to receive audit notifications from the cluster. 6514 is the default port number and can be configured.
- TCP Port 8080 must be open outbound from the Peer Agent and inbound into each node in the PowerScale cluster. This allows the Peer Agent to access the web-based API built into OneFS.
- SMB-related ports must be open outbound from the Peer Agent and inbound into each node in the PowerScale cluster. This allows the Peer Agent to read and write data.
- NFS-related ports must be open outbound from the Peer Agent and inbound into each node in the PowerScale cluster. This allows the Peer Agent to read and write data.
Peer Agent | Direction | PowerScale
---|---|---
TCP 6514 | <-- | TCP 6514
TCP 8080 | --> | TCP 8080
SMB | --> | SMB
NFS | --> | NFS
Firewall Requirements between a Peer Agent and Dell Unity
- TCP Port 12228 must be open inbound into the CEE services installed on the Peer Agent server and outbound from the NAS server. This allows CEE to receive notifications from Unity.
- TCP Port 443 must be open outbound from the Peer Agent and inbound into the NAS server. This allows the Peer Agent to access the web-based API built into Unity OE.
- SMB-related ports must be open outbound from the Peer Agent and inbound into the NAS server. This allows the Peer Agent to read and write data.
CEE service | Direction | Unity
---|---|---
TCP 12228 | <-- | TCP 12228

Peer Agent | Direction | Unity
---|---|---
TCP 443 | --> | TCP 443
SMB | --> | SMB
Notes on SMB ports
SMB-related ports are typically:

Port | Service
---|---
TCP/UDP 137 | NBT Name services
UDP 138 | NBT Datagram services
TCP 139 | SMB 1.0 / NBT
TCP 445 | SMB 2 and above

When both the Peer Agent and the storage platform use SMB 2 or later, which is the norm, only TCP 445 is needed. Leave 137, 138 and 139 closed unless NetBIOS name resolution or SMB 1.0 is actually in use.
Notes on NFS ports
NFS-related ports are typically:

Port | Service
---|---
TCP/UDP 2049 | Used by the NFS daemon
TCP/UDP 111 | Used by portmapper for NFS v3 only

NFS v4 needs only 2049. NFS v3 also depends on the mountd, lockd (nlockmgr) and statd services, whose ports are assigned dynamically on most servers unless pinned to fixed values, so pin them on the storage platform before writing firewall rules for them.
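The port matrix in the sections above, turned into a pre-flight check run from the Peer Agent host. This is an added example written for this article, not a PeerGFS component (the product's own tool is the PortCheck utility listed under Related articles); the platform keys, the target role names and the placeholder hostnames in main() are assumptions made here. It probes each outbound rule with a plain TCP connect and lists the inbound ports separately, because an inbound rule such as FPolicy on TCP 9883 can only be confirmed from the storage side and should be scoped to the cluster nodes' addresses rather than opened to any source.

```python
"""Pre-flight check of the PeerGFS port matrix from the Peer Agent host.

Added example written for this article; it is not a PeerGFS component (the
product's own tool is the PortCheck utility). Platform keys, target role names
and the hostnames in main() are assumptions made here for illustration.
"""
import socket
from dataclasses import dataclass

SMB_TCP = 445    # SMB 2 and above; TCP 139 / UDP 137-138 only for legacy NetBIOS / SMB 1.0
NFS_TCP = 2049   # NFS daemon; NFS v3 additionally needs TCP/UDP 111 (portmapper)


@dataclass(frozen=True)
class Rule:
    direction: str   # "out": the Agent connects to target; "in": target connects to the Agent
    target: str      # endpoint role, resolved to a host by the caller
    port: int
    purpose: str


# Common to every deployment: the Agent dials the Broker over TLS on 61617.
COMMON_RULES = [Rule("out", "broker", 61617, "TLS/SSL to Peer Management Broker")]

# Storage-platform rules, transcribed from the tables in this article.
PLATFORM_RULES = {
    "nutanix": [
        Rule("in", "storage", 9898, "file activity notifications from Nutanix Files"),
        Rule("out", "storage", 9440, "Nutanix Files HTTPS REST API"),
        Rule("out", "storage", SMB_TCP, "SMB data access"),
        Rule("out", "storage", NFS_TCP, "NFS data access"),
    ],
    "ontap": [  # NetApp ONTAP and Amazon FSx for NetApp ONTAP share this matrix
        Rule("in", "nodes", 9883, "FPolicy requests from every cluster node"),
        Rule("out", "mgmt", 443, "ONTAP API on the SVM management LIF"),
        Rule("out", "data", SMB_TCP, "SMB data access on the SVM data LIF"),
        Rule("out", "data", NFS_TCP, "NFS data access on the SVM data LIF"),
    ],
    "powerscale-cee": [
        Rule("in", "nodes", 12228, "CEE audit notifications from every cluster node"),
        Rule("out", "nodes", 22, "OneFS SSH API"),
        Rule("out", "nodes", 8080, "OneFS web API"),
        Rule("out", "nodes", SMB_TCP, "SMB data access"),
    ],
    "powerscale-syslog": [
        Rule("in", "nodes", 6514, "syslog audit notifications (default port, configurable)"),
        Rule("out", "nodes", 8080, "OneFS web API"),
        Rule("out", "nodes", SMB_TCP, "SMB data access"),
        Rule("out", "nodes", NFS_TCP, "NFS data access"),
    ],
    "unity": [
        Rule("in", "nas", 12228, "CEE notifications from the NAS server"),
        Rule("out", "nas", 443, "Unity OE web API"),
        Rule("out", "nas", SMB_TCP, "SMB data access"),
    ],
}


def rules_for(platform):
    return COMMON_RULES + PLATFORM_RULES[platform]


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_outbound(platform, hosts, timeout=2.0):
    """Probe every outbound rule; hosts maps target role -> hostname/IP.

    Returns {(target, port): reachable}. Inbound rules are deliberately not
    probed: a connect initiated from the Agent says nothing about them."""
    return {
        (r.target, r.port): tcp_open(hosts[r.target], r.port, timeout)
        for r in rules_for(platform) if r.direction == "out"
    }


def inbound_listening(platform):
    """(target, port) pairs the Agent host must accept. Verify these from the
    storage side, and scope the inbound firewall rule to those nodes' addresses."""
    return [(r.target, r.port) for r in rules_for(platform) if r.direction == "in"]


def self_test():
    """Offline check of the probe against a loopback listener on an OS-assigned port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_open("127.0.0.1", port, 1.0)
    srv.close()
    after_close = tcp_open("127.0.0.1", port, 1.0)
    return while_open, after_close   # (True, False) on a healthy host


if __name__ == "__main__":
    print("self-test (open, closed):", self_test())
    # Placeholder hosts (assumption); replace with the real LIFs/nodes before use.
    hosts = {"broker": "pmc.example.invalid", "nodes": "node1.example.invalid",
             "mgmt": "svm-mgmt.example.invalid", "data": "svm-data.example.invalid"}
    for (target, port), ok in check_outbound("ontap", hosts).items():
        print(f"{target:>6} TCP {port:<5} {'open' if ok else 'BLOCKED'}")
    print("must listen on:", inbound_listening("ontap"))
```

A "BLOCKED" result for an outbound port only proves that the TCP handshake failed; it does not distinguish a firewall drop from a service that is not listening, so follow up on the storage side. The probe covers TCP only: the UDP ports in the SMB and NFS notes (137, 138, 111) cannot be verified with a connect and are best left closed unless the notes say you need them.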
Related articles
- Can PeerSync send email via server requiring SSL?
- Firewall Requirements
- HSTS blocks access to the PMC's web interface
- Replace the default web service SSL certificate
- Replace TLS certificates
- Using the PortCheck utility to troubleshoot connectivity issues
- What causes an Agent to disconnect?
- What firewall settings are needed to enable PeerGFS uploads and download software updates?
- What firewall settings are needed when syncing over FTP?