Firewall Requirements
Last Updated: 26 June 2023
General Network Requirements
- All Peer Agent servers must have some form of network access to the server where the Peer Management Broker (usually the Peer Management Center) is installed. Starting with PeerGFS v5.1, the Peer Management Broker can also be installed on a standalone server.
- All Peer Agents must be configured with the hostname, FQDN, or IP address of the server running the Peer Management Broker. In a multiple broker environment, Agents should be configured with the hostname, FQDN, or IP address of each Broker that they are assigned to (including both primary and failover Brokers).
- Any Peer Agent server that will be partnered with a storage platform must be on the same domain, same network segment, and same subnet as its partner. This network must operate at speeds of at least 1 Gbit/sec.
Specific port and protocol requirements must be met to allow the necessary communication and data flow needed between the Broker, PMC, Agents, and storage platforms. See storage platform-specific information below for the required communication ports and protocols.
Firewall Requirements
Between Peer Management Center/Peer Management Broker and the Peer Agent
Peer Management Center/Peer Management Broker:
- Inbound port TCP 61617 must be open for TLS/SSL communication with Peer Agents.
- Inbound port TCP 61616 must be open for unencrypted TCP communication with Peer Agents if TLS/SSL communication is not required.
Peer Agents:
- Outbound port TCP 61617 must be open for TLS/SSL communication with Peer Management Center/Peer Management Broker.
- Outbound port TCP 61616 must be open for unencrypted TCP communication with Peer Management Center/Peer Management Broker if TLS/SSL communication is not required.
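As an added check that is not part of this article or of the PeerGFS product, the following Python script can be run from a Peer Agent server to confirm that the Broker rules above are actually in effect: TCP 61617 must be reachable and must complete a TLS handshake, and when TLS is required the unencrypted TCP 61616 path should not also be exposed. The Broker hostname is a placeholder and the probe functions are injectable so the decision logic can be tested offline.

```python
import socket
import ssl

# Broker ports as listed on this page.
BROKER_TLS_PORT = 61617    # TLS/SSL Agent <-> Broker traffic
BROKER_PLAIN_PORT = 61616  # unencrypted TCP, only if TLS is not required


def tcp_reachable(host, port, timeout=3.0):
    """True if an outbound TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_offered(host, port, timeout=3.0):
    """True if the listener completes a TLS handshake. Certificate checks are
    off on purpose: this tells you the transport is TLS, not that it is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def audit_broker(host, require_tls=True, reachable=tcp_reachable, handshake=tls_offered):
    """Return (level, message) findings for one Broker, as seen from an Agent.
    The probes are parameters so the decision logic can be exercised offline."""
    findings = []
    tls_open = reachable(host, BROKER_TLS_PORT)
    plain_open = reachable(host, BROKER_PLAIN_PORT)
    if require_tls:
        if not tls_open:
            findings.append(("FAIL", f"TCP {BROKER_TLS_PORT} to {host} is blocked"))
        elif not handshake(host, BROKER_TLS_PORT):
            findings.append(("FAIL", f"{host}:{BROKER_TLS_PORT} is open but does not speak TLS"))
        else:
            findings.append(("OK", f"TLS listener {host}:{BROKER_TLS_PORT} is reachable"))
        if plain_open:  # the unencrypted path should not be exposed when TLS is required
            findings.append(("WARN", f"unencrypted {host}:{BROKER_PLAIN_PORT} is also reachable"))
    else:
        findings.append(("OK" if plain_open else "FAIL",
                         f"unencrypted listener {host}:{BROKER_PLAIN_PORT} reachable={plain_open}"))
    return findings
```

Call `audit_broker("broker.example.internal")` once for each primary and failover Broker the Agent is assigned to; a WARN on 61616 means the plain-TCP rule is still open although TLS is in use.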
Between Peer Management Center and the Internet
Peer Management Center has the following firewall requirements to upload logfiles and analytics data, as well as to check for software updates:
- Outbound ports TCP 80 (HTTP) and TCP 443 (HTTPS) must be open. More information can be found in the article "What firewall settings are needed to enable PeerGFS uploads and download software updates?"
Between Peer Management Center and the local network
In order to be able to access the Peer Management Center Web UI or REST API the following default firewall requirements must be met:
- Inbound port TCP 8443 (HTTPS) must be open to be able to access the Web UI.
- Inbound port TCP 8442 (HTTPS) must be open to be able to access the REST API.
These ports can be changed in the Peer Management Center Preferences under the General Configuration section. You can also set or update the firewall rules from there.
Between Peer Management Brokers (including on the server hosting the Peer Management Center)
- Inbound and Outbound port TCP 61617 must be open for TLS/SSL communication between Peer Brokers.
- Inbound and Outbound port TCP 61616 must be open for unencrypted TCP communication between Peer Brokers if TLS/SSL communication is not required.
Between a Peer Agent and Nutanix Files
- TCP Port 9898 must be open inbound into the Peer Agent server and outbound from Nutanix Files. This allows the Peer Agent to receive file activity notifications from Nutanix Files.
- TCP Port 9440 must be open outbound from the Peer Agent server and inbound into Nutanix Files. This allows the Peer Agent to access the HTTPS REST-based API built into Nutanix Files.
- SMB-related ports must be open outbound from the Peer Agent server and inbound into Nutanix Files. This allows the Peer Agent to read and write data.
Peer Agent | Direction | Nutanix Files
---|---|---
TCP 9898 | <-- | TCP 9898
TCP 9440 | --> | TCP 9440
SMB | --> | SMB
Between a Peer Agent and NetApp ONTAP | Clustered Data ONTAP
- TCP Port 9883 must be open inbound into the Peer Agent server and outbound from each node in the NetApp cluster. This allows the Peer Agent to receive FPolicy requests from the NetApp nodes.
- TCP Port 443 must be open outbound from the Peer Agent server and inbound into the SVM's management LIF. This allows the Peer Agent to access ONTAP's API interface.
- SMB-related ports must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Peer Agent to read and write data via SMB.
- NFS-related ports* must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Agent to read and write data via NFS.
Peer Agent | Direction | NetApp endpoint
---|---|---
TCP 9883 | <-- | TCP 9883 (cluster nodes)
TCP 443 | --> | TCP 443 (SVM management LIF)
SMB | --> | SMB (SVM data LIF)
NFS* | --> | NFS* (SVM data LIF)
* NFS support for ONTAP and FSxN is early access as of PeerGFS v5.1.1. To request more information, please visit here.
Between a Peer Agent and Amazon FSx for NetApp ONTAP (FSxN)
- TCP Port 9883 must be open inbound into the Peer Agent server and outbound from each node in the FSxN cluster. This allows the Peer Agent to receive FPolicy requests from the FSxN nodes.
- TCP Port 443 must be open outbound from the Peer Agent server and inbound into the SVM's management LIF. This allows the Peer Agent to access ONTAP's API interface.
- SMB-related ports must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Peer Agent to read and write data via SMB.
- NFS-related ports* must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Agent to read and write data via NFS.
Peer Agent | Direction | FSxN endpoint
---|---|---
TCP 9883 | <-- | TCP 9883 (cluster nodes)
TCP 443 | --> | TCP 443 (SVM management LIF)
SMB | --> | SMB (SVM data LIF)
NFS* | --> | NFS* (SVM data LIF)
* NFS support for ONTAP and FSxN is early access as of PeerGFS v5.1.1. To request more information, please visit here.
Between a Peer Agent and NetApp 7-Mode
- SMB-related ports must be open in both directions for both the Peer Agent server and the NetApp filer. This allows the Peer Agent to read and write data, access ONTAPI, and receive FPolicy requests from the filer.
Peer Agent | Direction | 7-Mode Filer
---|---|---
SMB | --> | SMB
Between a Peer Agent and Dell PowerScale | EMC Isilon
- TCP Port 12228 must be open inbound into the CEE services installed on the Peer Agent server and outbound from each node in the PowerScale or Isilon cluster. This allows CEE to receive audit notifications from the cluster.
- TCP Ports 22 and 8080 must be open outbound from the Peer Agent and inbound into each node in the PowerScale or Isilon cluster. This allows the Peer Agent to access the SSH- and web-based API built into OneFS.
- SMB-related ports must be open outbound from the Peer Agent and inbound into each node in the PowerScale or Isilon cluster. This allows the Peer Agent to read and write data.
Peer Agent server | Direction | PowerScale / Isilon nodes
---|---|---
TCP 12228 (CEE service) | <-- | TCP 12228
TCP 22 | --> | TCP 22
TCP 8080 | --> | TCP 8080
SMB | --> | SMB
Between a Peer Agent and Dell EMC Unity
- TCP Port 12228 must be open inbound into the CEE services installed on the Peer Agent server and outbound from the NAS server. This allows CEE to receive notifications from Unity.
- TCP Port 443 must be open outbound from the Peer Agent and inbound into the NAS server. This allows the Peer Agent to access the web-based API built into Unity OE.
- SMB-related ports must be open outbound from the Peer Agent and inbound into the NAS server. This allows the Peer Agent to read and write data.
Peer Agent server | Direction | Unity NAS server
---|---|---
TCP 12228 (CEE service) | <-- | TCP 12228
TCP 443 | --> | TCP 443
SMB | --> | SMB
Between a Peer Agent and Dell EMC Celerra | VNX | VNX2
- TCP Port 12228 must be open inbound into the CEE services installed on the Peer Agent server and outbound from the data mover. This allows CEE to receive notifications from the data mover.
- TCP Port 443 must be open outbound from the Peer Agent and inbound into the data mover. This allows the Peer Agent to access the web-based API built into DART.
- SMB-related ports must be open outbound from the Peer Agent and inbound into the data mover. This allows the Peer Agent to read and write data.
Peer Agent server | Direction | Celerra / VNX / VNX2 data mover
---|---|---
TCP 12228 (CEE service) | <-- | TCP 12228
TCP 443 | --> | TCP 443
SMB | --> | SMB
Notes on Ports
SMB Ports
SMB-related ports are typically:
Port | Service
---|---
TCP/UDP 137 | NBT Name services
UDP 138 | NBT Datagram services
TCP 139 | SMB 1.0 / NBT
TCP 445 | SMB 2 and above
NFS Ports
NFS-related ports are typically:
Port | Service
---|---
TCP/UDP 2049 | Used by the NFS daemon
TCP/UDP 111 | Used by portmapper for NFS v3 only
Related articles
- Can PeerSync send email via server requiring SSL?
- Firewall Requirements
- HSTS blocks access to the PMC's web interface
- Replace the default web service SSL certificate
- What causes an Agent to disconnect?
- What firewall settings are needed to enable PeerGFS uploads and download software updates?
- What firewall settings are needed when syncing over FTP?