PowerFlex Required Ports and Protocols
Summary: PowerFlex Security Configuration Guide documentation may not accurately list all required ports and protocols for PowerFlex Manager functionality. An updated table has been provided in this article to highlight all requirements. ...
Instructions
PowerFlex environments where firewalls are used may encounter various failures related to network/port connectivity during normal operations.
Multiple ports that are required for standard operation are still blocked after following documentation to open all required ports.
Impact
Various operations may be impacted such as node expansions, upgrades, and deployments.
Cause
The PowerFlex Security Configuration Guide does not reflect all required network ports and protocols for PowerFlex Manager operation.
Resolution
The Security Configuration Guide will be updated for PowerFlex 4.8 to reflect the expanded requirements.
Refer to the following table and ensure all listed ports/protocols are open within the PFMP and PowerFlex environment:
| Source | Destination | Destination ports | Protocol | Port type | Direction | Notes |
|---|---|---|---|---|---|---|
| PFMP | CloudLink Center | 443 | HTTPS/REST | TCP | Unidirectional | PFMP issues commands to CloudLink Center over the HTTPS REST API. |
| PFMP | iDRAC | N/A | ICMP | N/A | Unidirectional | Health monitoring checks whether it can ping the iDRAC. |
| PFMP | iDRAC | 22 | SSH | TCP | Unidirectional | PFMP uses a handful of RACADM commands issued to iDRAC over SSH, for example, to reset the iDRAC if it is not responding correctly. |
| iDRAC | PFxM | 111, 892, 2049, 20048, 32765, 32767 | NFS | TCP | Unidirectional | iDRAC downloads VIBs and system configuration files from the PFMP NFS share. iDRAC mounts virtual ISOs and floppies from PFMP via NFS share. |
| iDRAC | PFxM | 111, 32765, 32767 | NFS | UDP | Unidirectional | iDRAC downloads VIBs and system configuration files from the PFMP NFS share. iDRAC mounts virtual ISOs and floppies from PFMP via NFS share. |
| iDRAC | PFxM | 162 | SNMP | UDP | Unidirectional | iDRAC sends SNMP traps to PFMP. |
| PFMP | iDRAC | 443 | HTTPS/WSMan | TCP | Bi-directional | PFMP uses WSMan (SOAP over HTTPS) to issue commands to iDRAC. |
| PFMP | IP addresses used during deployment | 22, 80, 135 | N/A | TCP | Unidirectional | Ports are used to verify that an IP address is not in use during deployment. PFMP outbound to IP addresses to be used for duplicate IP detection. |
| PFMP | LDAP/AD | 389 | Unsecure | TCP | Unidirectional | AD/LDAP connectivity, default port shown, can be customized. |
| PFMP | LDAP/AD | 636 | SSL | TCP | Unidirectional | AD/LDAP connectivity, default port shown, can be customized. |
| PFMP | Mail notification | 25 | SMTP | TCP | Unidirectional | Outbound mail notifications (optional). |
| PFMP | Nodes | 22 | SSH | TCP | Unidirectional | PFMP uses SSH to configure nodes and perform operating system updates. |
| PFMP | PowerFlex file sharing | 21 | FTP | TCP | Unidirectional | Download of PFMP upgrade packages (optional). |
| PFMP | PowerFlex file sharing | 139, 445 | CIFS | TCP | Unidirectional | Backups of PFMP and download of upgrade bundles. |
| PFMP | PowerFlex file sharing | 443 | HTTP/HTTPS | TCP | Unidirectional | Download of PFMP upgrade packages. |
| PFMP | PowerFlex management platform installer | 22 | SSH | TCP | Unidirectional | Used to install the PFMP or upgrade the Management Virtual Machines (MVMs). |
| PFMP | PowerFlex MDM | 8611 | mTLS | TCP | Unidirectional | Used by PFMP to establish connections to MDM using mTLS. |
| PFMP | PowerFlex MDM | 61714 | ActiveMQ | TCP | Unidirectional | Used by PFMP to retrieve events from MDMs. |
| PFMP | Secure Connect Gateway | 443 | REST API | TCP | Bi-directional | Used to transfer files to or from PFMP. |
| PFMP | Secure Connect Gateway | 9443 | REST API | TCP | Unidirectional | Register and receive alert and heartbeat data from PFMP. |
| PFMP | Switch | N/A | ICMP | N/A | Unidirectional | Health monitoring checks whether it can ping the configured switch. |
| PFMP | Switch | 22 | SSH | TCP | Unidirectional | PFMP uses SSH to configure, retrieve, and set configurations. |
| Switch | PFMP | 111, 892, 2049, 20048, 32765, 32767 | NFS | TCP | Unidirectional | The switch must be able to download firmware from the PFMP NFS share for switch updates. |
| Switch | PFMP | 111, 32765, 32767 | NFS | UDP | Unidirectional | The switch must be able to download firmware from the PFMP NFS share for switch updates. |
| PFMP | Switch | 161, 162 | SNMP | UDP | Bi-directional | PFMP uses and receives SNMP from switches for health monitoring and alert forwarding. |
| PFMP | Switch | 443 | HTTPS | TCP | Unidirectional | PFMP uses HTTPS REST API to retrieve switch metrics. |
| Switch | PFxM (only for PFxM 3.x) | 8080 | HTTP | TCP | Unidirectional | The switch must be able to download firmware from the PFMP HTTP share for switch updates. |
| PFMP | Syslog Server | 514 | N/A | TCP/UDP | Unidirectional | Outbound mail notifications (optional). |
| PFMP | ESXi | 22 | SSH | TCP | Unidirectional | SSH only to ESXi, not to VMware vCenter. Used during configuration flows. |
| ESXi | PFMP | 111, 892, 2049, 20048, 32765, 32767 | NFS | TCP | Unidirectional | ESXi needs to be able to mount the PFMP NFS share to retrieve VIBs and mount configuration ISOs used by VM deployments. |
| ESXi | PFMP | 111, 32765, 32767 | NFS | UDP | Unidirectional | ESXi needs to be able to mount the PFMP NFS share to retrieve VIBs and mount configuration ISOs used by VM deployments. |
| 3.x PFxM | 4.6.x PFMP | 111, 892, 2049, 20048, 32765, 32767 | NFS | TCP | Unidirectional | This is used only during One-Time Migration (OTM) from PFxM 3.x to PFMP 4.6.x. PFxM 3.x needs to mount the NFS share from PFMP 4.x to export backups. |
| 3.x PFxM | 4.6.x PFMP | 111, 32765, 32767 | NFS | UDP | Unidirectional | This is used only during One-Time Migration (OTM) from PFxM 3.x to PFMP 4.6.x. PFxM 3.x needs to mount the NFS share from PFMP 4.x to export backups. |
| 4.x PFMP | 3.x PowerFlex MDM | 6611 | Protobuf | TCP | Unidirectional | Used by PowerFlex management platform to establish connections to MDM during PowerFlex cluster upgrade from 3.x to 4.x (OTM). |
| PFMP | ESXi and vCenter | 443 | HTTPS/SOAP | TCP | Unidirectional | VMware API is accessed over port 443 (ESXi and vCenter). |
| PFMP | Storage-only nodes, SVM, Compute nodes | 443 | HTTPS | TCP | Bi-directional | Used during PowerFlex Gateway and RG upgrade to access the repository from PFxM over port 443 via http-share. |
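
The rows that list PFMP/PFxM as the destination define what must be allowed inbound to the management platform. The following is an added example, not part of the Dell documentation: it renders those rows (NFS over TCP and UDP, and iDRAC SNMP traps) as nftables accept rules scoped to each source network rather than opened to any source. The chain name `inet filter input`, the role names, and all addresses are assumptions for illustration; bi-directional rows listed with PFMP as the source and the 3.x-only rows are not included.

```python
import ipaddress

# Port lists copied from the table's NFS rows.
NFS_TCP = (111, 892, 2049, 20048, 32765, 32767)
NFS_UDP = (111, 32765, 32767)

# (source role, transport, destination ports) for table rows whose
# destination is PFMP/PFxM. Role names are labels chosen for this example.
INBOUND_FLOWS = [
    ("idrac", "tcp", NFS_TCP),
    ("idrac", "udp", NFS_UDP),
    ("idrac", "udp", (162,)),   # iDRAC sends SNMP traps to PFMP
    ("switch", "tcp", NFS_TCP),
    ("switch", "udp", NFS_UDP),
    ("esxi", "tcp", NFS_TCP),
    ("esxi", "udp", NFS_UDP),
]

def merge_flows(flows):
    """Union the ports of all flows sharing a (role, transport) pair."""
    merged = {}
    for role, proto, ports in flows:
        merged.setdefault((role, proto), set()).update(ports)
    return merged

def render_rules(flows, networks, pfmp_addr, chain="inet filter input"):
    """Return one source-scoped nftables rule per (role, transport)."""
    ipaddress.ip_address(pfmp_addr)          # reject malformed addresses early
    rules = []
    for (role, proto), ports in sorted(merge_flows(flows).items()):
        if role not in networks:
            # Fail closed: never fall back to "any source".
            raise KeyError(f"no source network defined for role {role!r}")
        src = ipaddress.ip_network(networks[role])
        port_set = ", ".join(str(p) for p in sorted(ports))
        rules.append(
            f"add rule {chain} ip saddr {src} ip daddr {pfmp_addr} "
            f"{proto} dport {{ {port_set} }} accept"
        )
    return rules

if __name__ == "__main__":
    # Constructed sample networks (documentation ranges), not real values.
    sample = {"idrac": "192.0.2.0/24", "switch": "198.51.100.0/24",
              "esxi": "203.0.113.0/24"}
    print("\n".join(render_rules(INBOUND_FLOWS, sample, "10.0.0.10")))
```

The output can be loaded with `nft -f` once the assumed table and chain exist; note that 892, 2049 and 20048 appear only in the TCP rules, matching the table.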