Central Cluster Ports
- All nodes refer to a central cluster only.
- The port refers to the destination node.
- All node-to-node traffic within the cluster and all central-remote cluster connectivity is encrypted.
For more information, see TOS Aurora Architecture.
Source | Destination | Service / Port | Description |
---|---|---|---|
User PC browser | | HTTPS <TCP 443> | Mandatory. User access to the web UI. After setting the external Load Balancer VIP, connect the External Load Balancer to the cluster using HTTPS <TCP 31443>. |
Administrator's PC | Any node (physical IP) | SSH <TCP 22> | Mandatory. Used for system maintenance. |
Any node (physical IP) | Any node (physical IP) | TCP <TCP 9092, 9093, 9095 and 9308> | All ports mandatory, except for 9095, which is required only if you have a remote cluster connected to the central cluster. These ports are used for event streaming between cluster nodes. |
Any node (physical IP) | Any node (physical IP) | TCP <TCP 7472> | Required for all deployments except Azure/AWS/GCP. Used by the MetalLB speaker. |
Any node (physical IP) | Check Point audited devices, Cisco Routers, and ASA Firewalls | SSH <TCP 22> | Required to run the device audit log in STRE. These ports are required even if the audited device is monitored on a Remote Cluster; communication comes from the TOS Aurora Central Cluster. |
Any node (physical IP) | Fortimanager and Panorama audited devices | HTTPS <TCP 443> | Required to run the device audit log in STRE. These ports are required even if the audited device is monitored on a Remote Cluster; communication comes from the TOS Aurora Central Cluster. |
Any node (physical IP) | Any node (physical IP) | UDP 323 | Mandatory. Used for Chrony. |
Any node (physical IP) | SMTP server | SMTP <TCP 25> (default) or alternative port as configured | Required if you configure notifications via email. |
Any node (physical IP) | DNS Server | DNS <UDP 53> | Mandatory. Used for domain lookups. |
Any node (physical IP) | NTP Server | NTP <UDP 123> | Required if NTP is used for network time synchronization. |
Any node (physical IP) | Syslog Server | Syslog <UDP 514> (default), Syslog <TCP 10514>, or alternative port as configured | Required if you configure notifications via syslog. The option to select the UDP/TCP protocol is supported for Check Point R80 and later. |
Any node (physical IP) | LDAP server | LDAP <TCP 389>; LDAP over SSL <TCP 636>; LDAP global catalog <TCP 3286>; LDAP global catalog over SSL <TCP 3269> | Required if you authenticate users using an LDAP server. |
Any node (physical IP) | TACACS Server | TACACS | Required if you authenticate users via a TACACS server. |
Any node (physical IP) | RADIUS server | RADIUS | Required if you authenticate users via a RADIUS server. |
SNMP Management Server | | SNMP <UDP 161> (default) or alternative port as configured | Used for SNMP queries. After setting the external Load Balancer VIP, connect the External Load Balancer to the cluster using HTTPS <TCP 30161>. |
Any node (physical IP) | SNMP Management Server | SNMP-Trap <UDP 162> (default) or alternative port as configured | Used for SNMP traps. |
Administrator's PC | RMM interfaces on all Tufin Appliances | Web GUI <TCP 80> or <TCP 443> (SSL certificate upload available); Unencrypted: KVM <TCP 7578>, CDROM <TCP 5120>, USB <TCP 5123>; Encrypted (AES/RC4/Stunnel): KVM <TCP 7582>, CDROM <TCP 5124>, USB <TCP 5127> | Required for Tufin appliances only. Used for the remote management module (RMM) network card address. |
Any node (physical IP) | Any node (physical IP) | UDP 51820 | Mandatory. K3s server and agent nodes; required by WireGuard. |
Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 2379-2381> | Mandatory. Etcd server communication. |
Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 6443-6444> | Mandatory. Kubernetes API Server. |
Any node (physical IP) | Any node (physical IP) | Application Specific <TCP/UDP 30000-32767> | Mandatory. Kubernetes internal service range. |
Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 10248-10252, 10255, 10256> | Mandatory. Kubernetes components. |
Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 32500> | Mandatory. Docker registry. |
Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 9100> | Mandatory. Kubernetes node-exporter. |
Any node (physical IP) | Any node (physical IP) | HTTPS <TCP 8080> | Required for adding and removing nodes from the cluster. |
Any node (physical IP) | | HTTPS <TCP 443> | The URL is used to connect the SecureChange server to SecureCloud or to an external cloud repository, in an environment where this integration is enabled. |
Any node (physical IP) (Active) | Any node (physical IP) (Standby) | HTTPS <TCP 32444> | Required for disaster recovery. |
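As an added example, not taken from the Tufin documentation: a small Python helper that expands the "Any node to Any node" rows above (in the page's own "<PROTO PORT>" notation) into a port set, honours the table's "9095 only with a remote cluster" condition, and emits firewalld rich rules that admit those ports only from the cluster's own node subnet. The node CIDR and the firewalld zone defaults are assumptions.

```python
import re

# Transcribed from the node-to-node rows of the table above (constructed
# list). The third field marks the one entry the table says is needed only
# when a remote cluster is connected (TCP 9095).
NODE_TO_NODE = [
    ("TCP 9092, 9093, 9308", "event streaming", False),
    ("TCP 9095", "event streaming to remote cluster", True),
    ("TCP 7472", "MetalLB speaker (not on Azure/AWS/GCP)", False),
    ("UDP 323", "chrony", False),
    ("UDP 51820", "K3s WireGuard", False),
    ("TCP 2379-2381", "etcd", False),
    ("TCP 6443-6444", "Kubernetes API server", False),
    ("TCP/UDP 30000-32767", "Kubernetes service range", False),
    ("TCP 10248-10252, 10255, 10256", "Kubernetes components", False),
    ("TCP 32500", "Docker registry", False),
    ("TCP 9100", "node-exporter", False),
    ("TCP 8080", "node add/remove", False),
]

def expand(spec):
    """'TCP/UDP 30000-32767' -> {('tcp', 30000), ..., ('udp', 32767)}."""
    protos, _, ports = spec.partition(" ")
    result = set()
    for proto in protos.lower().split("/"):
        for token in re.findall(r"\d+(?:-\d+)?", ports):  # '9092' or '2379-2381'
            lo, _, hi = token.partition("-")
            for port in range(int(lo), int(hi or lo) + 1):
                result.add((proto, port))
    return result

def required_ports(remote_cluster):
    """Every (proto, port) a node must accept from its peers."""
    needed = set()
    for spec, _, remote_only in NODE_TO_NODE:
        if not remote_only or remote_cluster:
            needed |= expand(spec)
    return needed

def firewalld_rules(node_cidr, remote_cluster):
    """Permanent firewalld rich rules (assumed syntax of the default zone)
    that open each node-to-node port only to the assumed node subnet."""
    rules = []
    for spec, desc, remote_only in NODE_TO_NODE:
        if remote_only and not remote_cluster:
            continue
        protos, _, ports = spec.partition(" ")
        for proto in protos.lower().split("/"):
            for token in re.findall(r"\d+(?:-\d+)?", ports):
                rules.append(
                    f"firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" "
                    f"source address=\"{node_cidr}\" port port=\"{token}\" "
                    f"protocol=\"{proto}\" accept'  # {desc}")
    return rules
```

Ports that nodes must reach outside the cluster (DNS, NTP, SMTP, audited devices) are egress and are deliberately not part of this list.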