On This Page
Central Cluster Ports
-
All nodes refer to a central cluster only.
-
The port refers to the destination node.
-
All node-to-node traffic within the cluster and all central-remote cluster connectivity is encrypted.
For more information, see TOS Architecture.
| Source | Destination | Service / Port | Description |
|---|---|---|---|
| User PC browser |
|
HTTPS <TCP 443> |
Mandatory User access to web UI After setting the external Load Balancer VIP, connect the External Load Balancer to the cluster using HTTPS <TCP 31443> |
| Administrator's PC |
Physical IPs of all nodes |
SSH <TCP 22> |
Mandatory Used for system maintenance |
|
Physical IPs of all nodes |
Physical IPs of all nodes |
TCP <TCP 9092, 9093, 9095 and 9308> |
All ports mandatory, except for 9095, which is required only if you have a remote cluster connected to the central cluster. These ports are used for event streaming between cluster nodes. |
|
Physical IPs of all nodes |
Physical IPs of all nodes |
TCP <TCP 7472> |
Required for all deployments except Azure/AWS/GCP Used by MetalLB speaker |
|
Physical IPs of all nodes |
Check Point audited devices, Cisco Routers, and ASA Firewalls |
SSH <TCP 22> |
Required to run the device audit log in STRE. These ports are required even if the audited device is monitored on a Remote Cluster; communication comes from the TOS Central Cluster. |
|
Physical IPs of all nodes |
Fortimanager and Panorama audited devices |
HTTPS <TCP 443> |
Required to run the device audit log in STRE. These ports are required even if the audited device is monitored on a Remote Cluster; communication comes from the TOS Central Cluster. |
|
Physical IPs of all nodes |
Physical IPs of all nodes |
UCP <UDP 323> |
Mandatory Used for Chrony |
|
Physical IPs of all nodes |
SMTP server | SMTP <TCP 25> (default) or alternative port as configured |
Required if you configure notifications via email. |
|
Physical IPs of all nodes |
DNS Server |
DNS <UDP 53> |
Mandatory Used for domain lookups |
|
Physical IPs of all nodes |
NTP Server |
NTP <UDP 123> |
Required if NTP is used for network time synchronization |
|
Physical IPs of all nodes |
Syslog Server |
Syslog <UDP 514> (default) Syslog <TCP 31514> Or alternative port as configured |
Required if you configure notifications via syslog. |
|
Physical IPs of all nodes |
LDAP server |
LDAP <TCP 389> LDAP over SSL <TCP 636> LDAP global catalog <TCP 3286> LDAP global catalog over SSL <TCP 3269> |
Required if you authenticate users using an LDAP server |
|
Physical IPs of all nodes |
TACACS Server |
TACACS |
Required if you authenticate users via a TACACS server |
|
Physical IPs of all nodes |
RADIUS server |
RADIUS |
Required if you authenticate users via a RADIUS server |
|
SNMP Management Server |
|
SNMP <UDP 161> (default) or alternative port as configured |
Used for SNMP queries After setting the external Load Balancer VIP, connect the External Load Balancer to the cluster using HTTPS <TCP 30161> |
|
Physical IPs of all nodes |
SNMP Management Server |
SNMP-Trap <UDP 162> (default) or alternative port as configured |
Used for SNMP traps |
|
Administrator's PC |
RMM interfaces on all Tufin Appliances |
Web GUI <TCP 80> or <TCP 443> (SSL certificate upload available) Unencrypted: KVM <TCP 7578> CDROM <TCP 5120> USB <TCP 5123> Encrypted (AES/RC4/Stunnel): KVM <TCP 7582> CDROM <TCP 5124> USB <TCP 5127> |
Required for Tufin appliances only Used for remote management module (RMM) network card address See also: Configuring RMM for Gen 4
|
|
Physical IPs of all nodes |
Physical IPs of all nodes |
UDP 51820 |
Mandatory K3s server and agent nodes required by Wireguard |
|
Physical IPs of all nodes |
Physical IPs of all nodes |
HTTPS <TCP 2379-2381> |
Mandatory etcd server communication |
|
Physical IPs of all nodes |
Physical IPs of all nodes |
HTTPS <TCP 6443-6444> |
Mandatory Kubernetes API Server |
|
Physical IPs of all nodes |
Physical IPs of all nodes |
Application Specific <TCP/UDP 30000-32767> |
Mandatory Kubernetes internal service range |
|
Physical IPs of all nodes |
Physical IPs of all nodes |
HTTPS <TCP 10248-10252,10255, 10256> |
Mandatory Kubernetes components |
|
Physical IPs of all nodes |
Physical IPs of all nodes |
HTTPS <TCP 32500> |
Mandatory Docker registry |
|
Physical IPs of all nodes |
Physical IPs of all nodes |
HTTPS <TCP 9100> |
Mandatory Kubernetes node-exporter |
|
Physical IPs of all nodes |
Physical IPs of all nodes |
HTTPS <TCP 8080> |
Required for adding and removing nodes from the cluster |
|
Physical IPs of all nodes |
External cloud repository |
HTTPS <TCP 443> |
The URL is used to connect the SecureChange server to an external cloud repository, in an environment where this integration is enabled |
|
Physical IPs of all nodes |
Physical IPs of all nodes |
HTTPS <TCP 32444> |
Required for disaster recovery on both active and backup clusters (bi-directional) |
Was this helpful?
Thank you!
We’d love your feedback
We really appreciate your feedback
Send this page to a colleague