Central Cluster Ports

  • All nodes refer to a central cluster only.

  • The port refers to the destination node.

  • All node-to-node traffic within the cluster and all central-remote cluster connectivity is encrypted.

For more information, see TOS Aurora Architecture.

| Source | Destination | Service / Port | Description |
| --- | --- | --- | --- |
| User PC browser | Cluster Primary VIP; External Load Balancer VIP (cloud deployments) | HTTPS <TCP 443> | Mandatory. User access to web UI. After setting the external Load Balancer VIP, connect the External Load Balancer to the cluster using HTTPS <TCP 31443>. |
| Administrator's PC | Any node (physical IP) | SSH <TCP 22> | Mandatory. Used for system maintenance. |
| Any node (physical IP) | Any node (physical IP) | TCP <TCP 9092, 9093, 9095 and 9308> | All ports mandatory, except for 9095, which is required only if you have a remote cluster connected to the central cluster. These ports are used for event streaming between cluster nodes. |
| Any node (physical IP) | Any node (physical IP) | TCP <TCP 7472> | Required for all deployments except Azure/AWS/GCP. Used by the MetalLB speaker. |
| Any node (physical IP) | Check Point audited devices, Cisco Routers, and ASA Firewalls | SSH <TCP 22> | Required to run the device audit log in STRE. These ports are required even if the audited device is monitored on a Remote Cluster; communication comes from the TOS Aurora Central Cluster. |
| Any node (physical IP) | FortiManager and Panorama audited devices | HTTPS <TCP 443> | Required to run the device audit log in STRE. These ports are required even if the audited device is monitored on a Remote Cluster; communication comes from the TOS Aurora Central Cluster. |
| Any node (physical IP) | Any node (physical IP) | UDP <UDP 323> | Mandatory. Used for Chrony. |
| Any node (physical IP) | SMTP server | SMTP <TCP 25> (default) or alternative port as configured | Required if you configure notifications via email. |
| Any node (physical IP) | DNS Server | DNS <UDP 53> | Mandatory. Used for domain lookups. |
| Any node (physical IP) | NTP Server | NTP <UDP 123> | Required if NTP is used for network time synchronization. |
| Any node (physical IP) | Syslog Server | Syslog <UDP 514> (default); Syslog <TCP 10514>; or alternative port as configured | Required if you configure notifications via syslog. The option to select the UDP/TCP protocol is supported for Check Point R80 and later. |
| Any node (physical IP) | LDAP server | LDAP <TCP 389>; LDAP over SSL <TCP 636>; LDAP global catalog <TCP 3286>; LDAP global catalog over SSL <TCP 3269> | Required if you authenticate users using an LDAP server. |
| Any node (physical IP) | TACACS Server | TACACS <TCP 49> | Required if you authenticate users via a TACACS server. |
| Any node (physical IP) | RADIUS server | RADIUS <UDP 1812> | Required if you authenticate users via a RADIUS server. |
| SNMP Management Server | Cluster Primary VIP; External Load Balancer VIP (cloud deployments) | SNMP <UDP 161> (default) or alternative port as configured | Used for SNMP queries. After setting the external Load Balancer VIP, connect the External Load Balancer to the cluster using HTTPS <TCP 30161>. |
| Any node (physical IP) | SNMP Management Server | SNMP-Trap <UDP 162> (default) or alternative port as configured | Used for SNMP traps. |
| Administrator's PC | RMM interfaces on all Tufin Appliances | Web GUI <TCP 80> or <TCP 443> (SSL certificate upload available). Unencrypted: KVM <TCP 7578>, CDROM <TCP 5120>, USB <TCP 5123>. Encrypted (AES/RC4/Stunnel): KVM <TCP 7582>, CDROM <TCP 5124>, USB <TCP 5127> | Required for Tufin appliances only. Used for the remote management module (RMM) network card address. See also: Configuring RMM for Gen 4; Configuring RMM for Gen 3.5. |
| Any node (physical IP) | Any node (physical IP) | UDP <UDP 51820> | Mandatory. K3s server and agent nodes; required by WireGuard. |
| Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 2379-2381> | Mandatory. etcd server communication. |
| Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 6443-6444> | Mandatory. Kubernetes API Server. |
| Any node (physical IP) | Any node (physical IP) | Application Specific <TCP/UDP 30000-32767> | Mandatory. Kubernetes internal service range. |
| Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 10248-10252, 10255, 10256> | Mandatory. Kubernetes components. |
| Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 32500> | Mandatory. Docker registry. |
| Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 9100> | Mandatory. Kubernetes node-exporter. |
| Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 8080> | Required for adding and removing nodes from the cluster. |
| Any node (physical IP) |  | HTTPS <TCP 443> | The URL is used to connect the SecureChange server to SecureCloud or to an external cloud repository, in an environment where this integration is enabled. |
| Any node (physical IP) (Active) | Any node (physical IP) (Standby) | HTTPS <TCP 32444> | Required for disaster recovery. |