psoni1
2 Iron

CX-300 Firewall Ports

Hi,

What firewall ports need to be opened if the storage array and hosts are in different subnets?

I am not able to ping the IPs of storage processors from the hosts and the hosts are not reachable (symbol U) in Navi Manager.

I couldn't find any documentation on Powerlink.

Please advise.

0 Kudos
10 Replies
dynamox
7 Thorium

Re: CX-300 Firewall Ports

take a look at this document

CLARiiON Release 29 Security Configuration Guide

https://powerlink.emc.com/nsepn/webapps/btg548664833igtcuup4826/km/live1/en_US/Offering_Technical/Technical_Documentation/300-010-805.pdf

0 Kudos
psoni1
2 Iron

Re: CX-300 Firewall Ports

Thanks Dynamox..

Are the rules given in this document applied to Clariion CX-300 with FLARE 02.25.300.5?

Does 'management server' run on the storage processors?

So, if I understand correctly (after looking to the tables on page 17-18), we need the following rule in firewall to provide connectivity for hosts that are in a different subnet. Let me know if I am wrong.

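| Source | Destination | Port | Protocol |
|---|---|---|---|
| SP-A & SP-B | Host | 6389 | TCP |
| SP-A & SP-B | Host | 6390-6392 | TCP |
| Host | SP-A & SP-B | 6389 | TCP |
| Host | SP-A & SP-B | 6390-6392 | TCP |
| SP-A & SP-B | SMTP Server | 25 | TCP |
| Host | SMTP Server | 25 | TCP |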

SAN, Host & SMTP Server are all in different subnets.

Currently I am able to access NaviManager and we are not using NavisphereExpress, InitializationUtility, SnapView, SNMP traps etc.

Do I need both TCP & SSL for port 443 to use with secure CLI?

0 Kudos
kelleg
5 Rhenium

Re: CX-300 Firewall Ports

The firewall ports are the same for all Clariions. These are ports that the clariion uses to talk to the hosts.

The "Management Server" is the process running on the array.

You need port 6389 for Navisphere Host Agent running on the host. 6390 to 6392 are normally only used when you perform an NDU (flare upgrade).

SecureCLI uses the same ports.

glen

0 Kudos
psoni1
2 Iron

Re: CX-300 Firewall Ports

Glen, thanks for the information.

There is a NetScreen firewall between storage array and a host.

One more thing... are these the destination ports? If so, what are the source port requirements?

| Source Address | Source Protocol/Port | Destination Address | Destination Protocol/Port | Action: Deny/Permit |
|---|---|---|---|---|
| SP-A | | Host | 6389-6392/TCP | Permit |
| SP-B | | Host | 6389-6392/TCP | Permit |
| Host | | SP-A | 6389-6392/TCP | Permit |
| Host | | SP-B | 6389-6392/TCP | Permit |

0 Kudos
kelleg
5 Rhenium

Re: CX-300 Firewall Ports

These are destination ports - the array initiates the session to the hosts. On the host side, the port is random going out.

glen

0 Kudos
psoni1
2 Iron

Re: CX-300 Firewall Ports

Glen, does that mean I need to keep source ports to 0-0 for the host initiated sessions?

Is there any way to change this setting? I am looking for a limited number of ports...

Thanks for any help and direction on this!

0 Kudos
kelleg
5 Rhenium

Re: CX-300 Firewall Ports

I believe that all you need to do is open the ports (6389-6392) on the firewall - I don't believe that you can control source ports and you probably do not need to be concerned about it.

glen

0 Kudos
psoni1
2 Iron

Re: CX-300 Firewall Ports

I am not sure I understood the point. So, allowing communication both ways only on 6389-6392 should resolve this issue?

What will happen if host randomly chooses a port which is blocked by firewall?

Sorry for asking very basic questions but I am still a little confused.

Thanks.

0 Kudos
AranH1
4 Ruthenium

Re: CX-300 Firewall Ports

psoni wrote:

I am not sure I understood the point. So, allowing communication both ways only on 6389-6392 should resolve this issue?

What will happen if host randomly chooses a port which is blocked by firewall?

Sorry for asking very basic questions but I am still a little confused.

Thanks.

The source port is used by the source device for creating the connection to the remote device. The destination port is the port that needs to be opened on the firewall as that is the port that is attempting to be used when transitioning through the firewall.

0 Kudos
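The source-port question from this thread, as an added example that is not part of any post: a small first-match policy model showing why the rules should match on destination ports 6389-6392 with the source port left open, and what happens if the source port is pinned to the same range. The `Rule`, `evaluate` and `build_policy` names and the sample connections are constructed for illustration; this is not NetScreen syntax, and it models only the first packet of each connection.

```python
from dataclasses import dataclass

ANY_PORT = (0, 65535)
NAVI_PORTS = (6389, 6392)  # destination ports named in the thread


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    src_ports: tuple   # inclusive (low, high) range
    dst_ports: tuple   # inclusive (low, high) range
    action: str = "permit"


def evaluate(rules, src, dst, sport, dport):
    """First matching rule wins; unmatched traffic hits the implicit deny."""
    for r in rules:
        if (r.src == src and r.dst == dst
                and r.src_ports[0] <= sport <= r.src_ports[1]
                and r.dst_ports[0] <= dport <= r.dst_ports[1]):
            return r.action
    return "deny"


def build_policy(src_ports):
    """The four SP/host rules from the thread, with a chosen source-port range."""
    pairs = [("SP-A", "Host"), ("SP-B", "Host"), ("Host", "SP-A"), ("Host", "SP-B")]
    return [Rule(s, d, src_ports, NAVI_PORTS) for s, d in pairs]


OPEN_SRC = build_policy(ANY_PORT)      # source port unrestricted
PINNED_SRC = build_policy(NAVI_PORTS)  # source port wrongly pinned to 6389-6392

# Constructed sample connections: (source, destination, source port, destination port).
# Source ports are arbitrary ephemeral values, as an OS would pick them.
SAMPLE = [
    ("SP-A", "Host", 49731, 6389),
    ("Host", "SP-B", 51022, 6389),
    ("SP-B", "Host", 50444, 6391),
    ("Host", "SP-A", 52310, 443),   # destination port not covered by these rules
]


def verdicts(rules):
    return [evaluate(rules, *conn) for conn in SAMPLE]


if __name__ == "__main__":
    for conn, a, b in zip(SAMPLE, verdicts(OPEN_SRC), verdicts(PINNED_SRC)):
        print(conn, "| src any:", a, "| src pinned:", b)
```
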