
Firewall Requirements

Last Updated: 28 August 2025

General Network Requirements

  • All Peer Agent servers must have network access to the server running the Peer Management Broker (typically installed with Peer Management Center, but starting in PeerGFS v5.1, it can run on a standalone server).

  • Each Peer Agent must be configured with the hostname, FQDN, or IP address of the server hosting the Peer Management Broker.

  • In multi-broker environments, each Agent must be configured with the address of every assigned broker, including both primary and failover brokers.

  • Any Peer Agent partnered with a storage platform must reside on the same domain, network segment, and subnet as its partner. The connection must operate at a minimum of 1 Gbit/sec with sub-millisecond latency.

  • Port and protocol requirements depend on the storage platform. See Platform-Specific Requirements for details.


Firewall Requirements between Peer Management Center/Peer Management Broker and Peer Agent

Peer Management Center/Peer Management Broker:

  • Inbound port TCP 61617 must be open for TLS/SSL communication with Peer Agents.

  • Inbound port TCP 61616 must be open for unencrypted TCP communication with Peer Agents if TLS/SSL communication is not required.

Peer Agents:

  • Outbound port TCP 61617 must be open for TLS/SSL communication with Peer Management Center/Peer Management Broker.

  • Outbound port TCP 61616 must be open for unencrypted TCP communication with Peer Management Center/Peer Management Broker if TLS/SSL communication is not required.
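
A pre-flight check for the Agent-to-Broker path described above, run from a Peer Agent server. This is an added example, not Peer Software code; the broker host name is a placeholder, the function names are hypothetical, and the check completes a TCP handshake only (it does not validate the TLS certificate).

```python
import socket

# Port numbers are taken from the requirements above.
TLS_PORT = 61617        # TLS/SSL communication with the broker
PLAINTEXT_PORT = 61616  # unencrypted communication with the broker


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unresolvable host, ...
        return False


def audit_broker_path(host, tls_required=True, tls_port=TLS_PORT,
                      plaintext_port=PLAINTEXT_PORT, timeout=3.0):
    """Check the Agent-to-Broker path; return a list of findings (empty = OK)."""
    findings = []
    if tls_required:
        if not tcp_reachable(host, tls_port, timeout):
            findings.append(f"TCP {tls_port} (TLS) unreachable on {host}")
        # With TLS in use, the unencrypted port has no reason to be exposed.
        if tcp_reachable(host, plaintext_port, timeout):
            findings.append(f"TCP {plaintext_port} (unencrypted) reachable on "
                            f"{host} although TLS is required")
    elif not tcp_reachable(host, plaintext_port, timeout):
        findings.append(f"TCP {plaintext_port} unreachable on {host}")
    return findings


if __name__ == "__main__":
    import sys
    # Placeholder host name; pass the real broker address as the first argument.
    broker = sys.argv[1] if len(sys.argv) > 1 else "broker.example.internal"
    problems = audit_broker_path(broker)
    for problem in problems:
        print("FINDING:", problem)
    sys.exit(1 if problems else 0)
```

A non-zero exit code means either the TLS port is blocked or the unencrypted port is still exposed on a deployment that is supposed to use TLS.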

Firewall Requirements between Peer Management Center and the Internet

Peer Management Center has the following firewall requirements to upload log files and analytics data, as well as to check for software updates:

  • Outbound ports TCP 80 (HTTP) and TCP 443 (HTTPS) must be opened. More information can be found here.

Firewall Requirements between Peer Management Center and the local network

In order to be able to access the Peer Management Center Web UI or REST API, the following default firewall requirements must be met:

  • Inbound port TCP 8443 (HTTPS) must be open to be able to access the Web UI.

  • Inbound port TCP 8442 (HTTPS) must be open to be able to access the REST API.

These ports can be changed in the Peer Management Center Preferences dialog, under the General Configuration section. You can also set or update the firewall rules from there.


Firewall Requirements between Peer Management Brokers (including on the server hosting the Peer Management Center)

  • Inbound and Outbound port TCP 61617 must be open for TLS/SSL communication between Peer Brokers.

  • Inbound and Outbound port TCP 61616 must be open for unencrypted TCP communication between Peer Brokers if TLS/SSL communication is not required.


Firewall Requirements between the Peer Edge Service and the Peer Master Data Service (Edge Caching only)

Peer Agents running the Peer Master Data Service:

  • Inbound port TCP 8446 must be open to receive encrypted requests from the Peer Edge Service in order to support stub file rehydration and pass-through reads.

Peer Agents running the Peer Edge Service:

  • Outbound port TCP 8446 must be open to send encrypted requests to the Peer Master Data Service in order to support stub file rehydration and pass-through reads.

This port is configurable for each server hosting the Peer Master Data Service. It is configured during initial setup of Edge Caching and can be changed in the Peer Management Center Preferences dialog, under Collab, Sync, and Replication > Edge Caching > Master Data Service.


PeerIQ Local Network Firewall Requirements

Firewall Requirements between PeerIQ and the Internet

PeerIQ has the following firewall requirements to upload log files and analytics data, as well as to check for software updates:

  • Outbound ports TCP 80 (HTTP) and TCP 443 (HTTPS) must be opened. More information can be found here.

Firewall Requirements between PeerIQ and the local network

If you have deployed the Ubuntu-based PeerIQ virtual appliance, the following default firewall requirements must be met in order to access the main PeerIQ UI as well as the Service Administrator portal:

  • Inbound port TCP 443 (HTTPS) must be open to be able to access the main PeerIQ portal.

  • Inbound port TCP 4443 (HTTPS) must be open to be able to access PeerIQ's Service Administrator portal.

If you have installed PeerIQ on an existing Red Hat Enterprise Linux or Rocky Linux server, the following default firewall requirements must be met in order to access the main PeerIQ UI as well as the Service Administrator portal:

  • Inbound port TCP 4430 (HTTPS) must be open to be able to access the main PeerIQ portal.

  • Inbound port TCP 4443 (HTTPS) must be open to be able to access PeerIQ's Service Administrator portal.

Firewall Requirements between PeerIQ and the Peer Management Broker on the server hosting the Peer Management Center

  • Inbound and Outbound port TCP 61617 must be open for TLS/SSL communication between PeerIQ and the Peer Management Broker.

  • Inbound and Outbound port TCP 61616 must be open for unencrypted TCP communication between PeerIQ and the Peer Management Broker if TLS/SSL communication is not required.


Storage Platform-Specific Requirements

Firewall Requirements between a Peer Agent and Nutanix Files

  • TCP Port 9898 must be open inbound into the Peer Agent server and outbound from Nutanix Files. This allows the Peer Agent to receive file activity notifications from Nutanix Files.

  • TCP Port 9440 must be open outbound from the Peer Agent server and inbound into Nutanix Files. This allows the Peer Agent to access the REST API built into Nutanix Files.

  • SMB-related ports must be open outbound from the Peer Agent server and inbound into Nutanix Files. This allows the Peer Agent to read and write data.

  • NFS-related ports must be open outbound from the Peer Agent server and inbound into Nutanix Files. This allows the Peer Agent to read and write data.

Peer Agent          Nutanix Files
TCP 9898     <--    TCP 9898
TCP 9440     -->    TCP 9440
SMB          -->    SMB
NFS          -->    NFS

Firewall Requirements between a Peer Agent and NetApp ONTAP

  • TCP Port 9883 must be open inbound into the Peer Agent server and outbound from each node in the NetApp cluster. This allows the Peer Agent to receive FPolicy requests from the NetApp nodes.

  • TCP Port 443 must be open outbound from the Peer Agent server and inbound into the SVM's management LIF. This allows the Peer Agent to access ONTAP's REST API.

  • SMB-related ports must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Peer Agent to read and write data via SMB.

  • NFS-related ports must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Agent to read and write data via NFS.

Peer Agent          NetApp cluster nodes
TCP 9883     <--    TCP 9883

Peer Agent          SVM management LIF
TCP 443      -->    TCP 443

Peer Agent          SVM data LIF
SMB          -->    SMB
NFS          -->    NFS

Firewall Requirements between a Peer Agent and Amazon FSx for NetApp ONTAP (FSxN)

  • TCP Port 9883 must be open inbound into the Peer Agent server and outbound from each node in the FSxN cluster. This allows the Peer Agent to receive FPolicy requests from the FSxN nodes.

  • TCP Port 443 must be open outbound from the Peer Agent server and inbound into the SVM's management LIF. This allows the Peer Agent to access ONTAP's REST API.

  • SMB-related ports must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Peer Agent to read and write data via SMB.

  • NFS-related ports must be open outbound from the Peer Agent server and inbound into the SVM's data LIF(s). This allows the Agent to read and write data via NFS.

Peer Agent          FSxN cluster nodes
TCP 9883     <--    TCP 9883

Peer Agent          SVM management LIF
TCP 443      -->    TCP 443

Peer Agent          SVM data LIF
SMB          -->    SMB
NFS          -->    NFS

Firewall Requirements between a Peer Agent and Dell PowerScale using CEE and RabbitMQ

  • TCP Port 12228 must be open inbound into the CEE services installed on the Peer Agent server and outbound from each node in the PowerScale cluster. This allows CEE to receive audit notifications from the cluster.

  • TCP Ports 22 and 8080 must be open outbound from the Peer Agent and inbound into each node in the PowerScale cluster. This allows the Peer Agent to access the SSH and REST API services built into OneFS.

  • SMB-related ports must be open outbound from the Peer Agent and inbound into each node in the PowerScale cluster. This allows the Peer Agent to read and write data.

CEE service         PowerScale
TCP 12228    <--    TCP 12228

Peer Agent          PowerScale
TCP 22       -->    TCP 22
TCP 8080     -->    TCP 8080
SMB          -->    SMB

Firewall Requirements between a Peer Agent and Dell PowerScale using Syslog

  • TCP Port 6514 must be open inbound into the Peer Agent server and outbound from each node in the PowerScale cluster to receive audit notifications from the cluster. This is a default port number and can be configured.

  • TCP Port 8080 must be open outbound from the Peer Agent and inbound into each node in the PowerScale cluster. This allows the Peer Agent to access the REST API built into OneFS.

  • SMB-related ports must be open outbound from the Peer Agent and inbound into each node in the PowerScale cluster. This allows the Peer Agent to read and write data.

  • NFS-related ports must be open outbound from the Peer Agent and inbound into each node in the PowerScale cluster. This allows the Peer Agent to read and write data.

Peer Agent          PowerScale
TCP 6514     <--    TCP 6514
TCP 8080     -->    TCP 8080
SMB          -->    SMB
NFS          -->    NFS

Firewall Requirements between a Peer Agent and Dell Unity using CEE and RabbitMQ (SMB Only)

  • TCP Port 12228 must be open inbound into the CEE services installed on the Peer Agent server and outbound from the NAS Server. This allows CEE to receive notifications from Unity.

  • TCP Port 443 must be open outbound from the Peer Agent and inbound into the NAS Server. This allows the Peer Agent to access the REST API built into Unity OE.

  • SMB-related ports must be open outbound from the Peer Agent and inbound into the NAS Server. This allows the Peer Agent to read and write data.

CEE service         Unity
TCP 12228    <--    TCP 12228

Peer Agent          Unity
TCP 443      -->    TCP 443
SMB          -->    SMB
NFS          -->    NFS

Firewall Requirements between a Peer Agent and Dell Unity using CEE HTTP

  • TCP Port 12228 must be open inbound into the CEE service (which may be installed on the Peer Agent server) and outbound from the NAS Server. This allows CEE to receive notifications from Unity.

  • TCP Port 9843 must be open inbound into the Peer Agent and outbound from the server running the CEE service. This allows CEE to send events to the Peer Agent.
    Note: If the CEE service is installed on the same server as the Peer Agent, TCP Port 9843 does not have to be explicitly opened.

  • TCP Port 443 must be open outbound from the Peer Agent and inbound into the NAS Server. This allows the Peer Agent to access the REST API built into Unity OE.

  • SMB-related ports must be open outbound from the Peer Agent and inbound into the NAS Server. This allows the Peer Agent to read and write data.

  • NFS-related ports must be open outbound from the Peer Agent and inbound into the NAS Server. This allows the Peer Agent to read and write data.

CEE service         Unity
TCP 12228    <--    TCP 12228

Peer Agent          CEE service
TCP 9843*    <--    TCP 9843*

Peer Agent          Unity
TCP 443      -->    TCP 443
SMB          -->    SMB
NFS          -->    NFS

* TCP Port 9843 only needs to be open if the CEE service is installed on a server other than the Peer Agent.

Firewall Requirements between a Peer Agent and Dell PowerStore

  • TCP Port 12228 must be open inbound into the CEE service (which may be installed on the Peer Agent server) and outbound from the NAS Server. This allows CEE to receive notifications from PowerStore.

  • TCP Port 9843 must be open inbound into the Peer Agent and outbound from the server running the CEE service. This allows CEE to send events to the Peer Agent.
    Note: If the CEE service is installed on the same server as the Peer Agent, TCP Port 9843 does not have to be explicitly opened.

  • TCP Port 443 must be open outbound from the Peer Agent and inbound into the NAS server. This allows the Peer Agent to access the REST API built into PowerStore OS.

  • SMB-related ports must be open outbound from the Peer Agent and inbound into the NAS Server. This allows the Peer Agent to read and write data.

  • NFS-related ports must be open outbound from the Peer Agent and inbound into the NAS Server. This allows the Peer Agent to read and write data.

CEE service         PowerStore
TCP 12228    <--    TCP 12228

Peer Agent          CEE service
TCP 9843*    <--    TCP 9843*

Peer Agent          Unity
TCP 443      -->    TCP 443
SMB          -->    SMB

* TCP Port 9843 only needs to be open if the CEE service is installed on a server other than the Peer Agent.


Notes on Port Usage

SMB-Related Ports

Port           Protocol    Description
TCP/UDP 137    NBT         Name services
UDP 138        NBT         Datagram services
TCP 139        SMB 1.0     Legacy SMB/NBT
TCP 445        SMB 2+      Modern SMB protocol

NFS-Related Ports

Port            Protocol      Description
TCP/UDP 2049    NFS           NFS daemon communication
TCP/UDP 111     Portmapper    Used by NFS v3 only
