Firewall Requirements for SANnav Management Portal
If your network utilizes a firewall between the SANnav Management Portal client and server or between the server and SAN, a set of ports must be open in the firewall to ensure proper communication.
The following table lists the ports that must be open in the firewall.
These ports are added to iptables by default when the SANnav server is running, so you do not need to open them in firewalld if it is enabled and running on the SANnav server.
Table 2. Ports That Must Be Open in the Firewall

| Port Number | Transport | Inbound/Outbound | Communication Path | Description |
|---|---|---|---|---|
| 22 | TCP | Both | Client --> Server; Server <--> Switch | Internal SSH server |
| 80 | TCP | Both | Client --> Server; Server --> Switch | HTTP port for access from browser to server; HTTP port for access from server to switch |
| 161 | UDP | Outbound | Server --> Switch | SNMP port |
| 162 | UDP | Inbound | Switch --> Server | SNMP trap port |
| 443 | TCP | Both | Client --> Server; Server --> Switch; Server --> vCenter | HTTPS port for secure access from browser to server; HTTPS port for secure access from server to switch; HTTPS port for secure access from server to vCenter |
| 514 | UDP | Inbound | Switch --> Server | Syslog port |
| 6514 | UDP | Inbound | Switch --> Server | Secure Syslog port |
| 8081 | TCP | Inbound | Switch --> Server | Avro schema registry port |
| 19092 | TCP | Inbound | Switch --> Server | Kafka port |
| 19094 | TCP | Inbound | Switch --> Server | Secured Kafka |
| 29092 | TCP | Inbound | Switch --> Server | Kafka port |
| 29094 | TCP | Inbound | Switch --> Server | Secured Kafka |
| 39092 | TCP | Inbound | Switch --> Server | Kafka port |
| 39094 | TCP | Inbound | Switch --> Server | Secured Kafka |

The following table lists additional ports that must be open under the following conditions:
- If your network uses an external firewall between the nodes in a multi-node deployment, these ports must be open in the firewall.
- If firewalld is enabled on the server, these ports must be open in the firewalld configuration.

In addition, if firewalld is enabled, you must add the ssh service to the trusted zone in firewalld for the firmware download feature to work. See Configuring a Firewall for SANnav for instructions on how to configure firewalld.

Table 3. Additional Ports That Must Be Open in the Firewall

| Port Number | Transport | Inbound/Outbound | Communication Path | Description |
|---|---|---|---|---|
| 2377 | TCP | Both | Server <--> Server | Cluster management communications |
| 4789 | UDP | Both | Server <--> Server | Overlay network traffic |
| 7946 | TCP | Both | Server <--> Server | Node-to-node communication |
| 7946 | UDP | Both | Server <--> Server | Node-to-node communication |

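One way to check the two firewalld requirements above (the Table 3 ports and the ssh service in the trusted zone), as an added example that is not part of the SANnav documentation or tooling. The function names and the choice of zone to inspect for the ports are assumptions; the port list is taken from Table 3.

```shell
#!/bin/sh
# Added example (not vendor code): audit firewalld for the Table 3 ports.
REQUIRED_PORTS="2377/tcp 4789/udp 7946/tcp 7946/udp"   # from Table 3

# missing_ports LIST: print each Table 3 port that LIST does not cover.
# LIST uses the `firewall-cmd --list-ports` format, e.g. "2377/tcp 7000-8000/udp".
missing_ports() (
    for req in $REQUIRED_PORTS; do
        port=${req%/*}; proto=${req#*/}; found=0
        for entry in $1; do
            [ "${entry#*/}" = "$proto" ] || continue
            range=${entry%/*}
            lo=${range%-*}; hi=${range#*-}     # a single port gives lo = hi
            if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                found=1; break
            fi
        done
        [ "$found" -eq 1 ] || echo "$req"
    done
)

# has_service LIST NAME: succeed if NAME is in a `--list-services` style LIST.
has_service() (
    for svc in $1; do [ "$svc" = "$2" ] && exit 0; done
    exit 1
)

# audit PORTS TRUSTED_SERVICES: print findings; status 1 if anything is missing.
audit() (
    rc=0
    for p in $(missing_ports "$1"); do
        echo "MISSING port $p (Table 3)"; rc=1
    done
    if ! has_service "$2" ssh; then
        echo "MISSING ssh service in trusted zone (firmware download)"; rc=1
    fi
    exit "$rc"
)

# Live check when firewalld is running. ZONE is an assumption: the zone that
# carries inter-node traffic, defaulting to firewalld's default zone.
if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    ZONE=${1:-$(firewall-cmd --get-default-zone)}
    audit "$(firewall-cmd --zone="$ZONE" --list-ports)" \
          "$(firewall-cmd --zone=trusted --list-services)" || true
fi
```

The live check reads the runtime configuration; add `--permanent` to the two listing commands to audit what survives a firewalld reload.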
If you configure an external authentication server (LDAP, RADIUS, or TACACS+) or an email server (SMTP), ensure that the SANnav Management Portal server has access to the ports listed in the following table. The default ports are listed in the table, but you can change the default.
Table 4. Ports That the Server Must Be Able to Access

| Port Number | Transport | Inbound/Outbound | Communication Path | Description |
|---|---|---|---|---|
| 25 | TCP | Outbound | Server --> SMTP Server | SMTP server port for email communication if you use email notifications without SSL or TLS |
| 49 | TCP | Outbound | Server --> TACACS+ Server | TACACS+ server port for authentication if you use TACACS+ for external authentication |
| 389 | TCP | Outbound | Server --> LDAP Server | LDAP server port for authentication if you use LDAP for external authentication and SSL is not enabled |
| 465 | TCP | Outbound | Server --> SMTP Server | SMTP server port for email communication if you use email notifications with SSL |
| 587 | TCP | Outbound | Server --> SMTP Server | SMTP server port for email communication if you use email notifications with TLS |
| 636 | TCP | Outbound | Server --> LDAP Server | LDAP server port for authentication if you use LDAP for external authentication and SSL is enabled |
| 1812 | UDP | Outbound | Server --> RADIUS Server | RADIUS server port for authentication if you use RADIUS for external authentication |