CX-300 Firewall Ports
Hi,
What firewall ports need to be opened if the storage array and hosts are in different subnets?
I am not able to ping the IPs of storage processors from the hosts and the hosts are not reachable (symbol U) in Navi Manager.
I couldn't find any documentation on Powerlink.
Please advise.
dynamox
2 Intern
20.4K Posts
0
March 31st, 2010 20:00
take a look at this document
CLARiiON Release 29 Security Configuration Guide
https://powerlink.emc.com/nsepn/webapps/btg548664833igtcuup4826/km/live1/en_US/Offering_Technical/Technical_Documentation/300-010-805.pdf
psoni1
41 Posts
0
April 1st, 2010 12:00
Thanks Dynamox.
Are the rules given in this document applied to Clariion CX-300 with FLARE 02.25.300.5?
Does 'management server' run on the storage processors?
So, if I understand correctly (after looking at the tables on pages 17-18), we need the following rule in the firewall to provide connectivity for hosts that are in a different subnet. Let me know if I am wrong.
SAN, Host & SMTP Server are all in different subnets.
Currently I am able to access NaviManager and we are not using NavisphereExpress, InitializationUtility, SnapView, SNMP traps etc.
Do I need both TCP & SSL for port 443 to use with secure CLI?
kelleg
4.5K Posts
0
April 1st, 2010 14:00
The firewall ports are the same for all Clariions. These are ports that the clariion uses to talk to the hosts.
The "Management Server" is the process running on the array.
You need port 6389 for Navisphere Host Agent running on the host. 6390 to 6392 are normally only used when you perform an NDU (flare upgrade).
SecureCLI uses the same ports.
glen
psoni1
41 Posts
0
April 2nd, 2010 05:00
Glen, thanks for the information.
There is a NetScreen firewall between storage array and a host.
One more thing... are these the destination ports? If so, what are the source port requirements?
| Source Address | Source Protocol/Port | Destination Address | Destination Protocol/Port | Action: Deny/Permit |
|---|---|---|---|---|
| SP-A | | Host | 6389-6392/TCP | Permit |
| SP-B | | Host | 6389-6392/TCP | Permit |
| Host | | SP-A | 6389-6392/TCP | Permit |
| Host | | SP-B | 6389-6392/TCP | Permit |
kelleg
4.5K Posts
0
April 2nd, 2010 07:00
These are destination ports - the array initiates the session to the hosts. On the host side, the port is random going out.
glen
psoni1
41 Posts
0
April 2nd, 2010 08:00
Glen, does that mean I need to keep source ports to 0-0 for the host initiated sessions?
Is there any way to change this setting? I am looking for a limited number of ports...
Thanks for any help and direction on this!!
kelleg
4.5K Posts
0
April 2nd, 2010 08:00
I believe that all you need to do is open the ports (6389-6392) on the firewall - I don't believe that you can control source ports and you probably do not need to be concerned about it.
glen
psoni1
41 Posts
0
April 2nd, 2010 08:00
I am not sure I understood the point. So, allowing communication both ways only on 6389-6392 should resolve this issue?
What will happen if the host randomly chooses a port which is blocked by the firewall?
Sorry for asking very basic questions but I am still a little confused.
Thanks.
AranH1
2.2K Posts
0
April 2nd, 2010 08:00
The source port used on the host is not the issue, that won't be blocked by a firewall. It is the destination ports on the host and array that the firewall is blocking, and that you need to create rules for. Also if you are unable to ping the array then you need to enable ICMP echo request and reply for the storage array.
AranH1
2.2K Posts
0
April 2nd, 2010 08:00
The source port is used by the source device for creating the connection to the remote device. The destination port is the port that needs to be opened on the firewall as that is the port that is attempting to be used when transitioning through the firewall.
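The source/destination port distinction discussed in this thread, modelled as an added example that is not part of any post above and is not EMC or NetScreen code. It assumes a stateful firewall with a default deny; the IP addresses are constructed placeholders for SP-A, SP-B and one host, and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str          # source network (CIDR)
    dst: str          # destination network (CIDR)
    dports: range     # permitted destination TCP ports; source port is not matched

# Constructed addresses (documentation ranges) standing in for SP-A, SP-B and a host.
SP_A, SP_B, HOST = "192.0.2.10", "192.0.2.11", "198.51.100.20"
AGENT_PORTS = range(6389, 6393)   # 6389-6392/TCP, as listed in the thread

# The four rules from the table: each SP to the host, and the host to each SP.
RULES = [Rule(f"{a}/32", f"{b}/32", AGENT_PORTS)
         for sp in (SP_A, SP_B) for a, b in ((sp, HOST), (HOST, sp))]

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # (src, sport, dst, dport) of permitted connections

    def new_connection(self, src, sport, dst, dport):
        """Evaluate the first packet (SYN) of a TCP connection."""
        for r in self.rules:
            if (ip_address(src) in ip_network(r.src)
                    and ip_address(dst) in ip_network(r.dst)
                    and dport in r.dports):
                self.sessions.add((src, sport, dst, dport))
                return "permit"
        return "deny"           # implicit default deny

    def reply_packet(self, src, sport, dst, dport):
        """A reply is allowed only if it mirrors a tracked session."""
        return "permit" if (dst, dport, src, sport) in self.sessions else "deny"

def demo():
    fw = StatefulFirewall(RULES)
    return {
        "sp_to_agent": fw.new_connection(SP_A, 51514, HOST, 6389),
        "agent_reply": fw.reply_packet(HOST, 6389, SP_A, 51514),
        "other_src_port": fw.new_connection(SP_B, 1025, HOST, 6389),
        "host_to_sp": fw.new_connection(HOST, 40000, SP_A, 6390),
        "wrong_dport": fw.new_connection(SP_A, 6389, HOST, 51514),
        "unsolicited": fw.reply_packet(HOST, 6389, SP_B, 60000),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

The random source port never appears in a rule: the first packet is matched on addresses and destination port, and the reply to that random port is permitted because it belongs to the tracked session.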