Hi
@theGman
There is a documentation talking about firewall requirements:
https://portal.nutanix.com/#/page/docs/details?targetId=Acropolis-Upgrade-Guide-v511:wc-support-firewall-wc-c.html
But all these ports are from the CVM to external networks, for instance to download 1-Click and LCM upgrade bundles, send Pulse data to Nutanix and so on.
From a different network to the CVMs, for management purposes, you may have to open 22 (SSH) and 9440 (Prism), which for sure are the most used management interfaces.
But keep in mind that you may also need to open additional ports for IPMI, like 443 (HTTPS) and 5900 (console), and there are also many other ports on the CVM like 2009 (Stargate page), 8000 (Foundation page), 2222 (SFTP), 2010 (Curator page)... but in most cases, once Support accesses the CVM over SSH, we use the links tool on the CVM to reach the Stargate, Curator and other diagnostic pages locally.
Hi Richard - I have already seen the KB you presented; it states the following:
"Use these firewall requirements to configure rules in your external firewall to allow Nutanix Remote Support, Pulse, SMTP, 1-click upgrades, and LCM updates."
I am looking for the documentation that shows the complete listing of all ports in use by the product and not a subset based on specific services.
Note, I am going to leave this post unanswered until I see good documentation pertaining to all ports in use by Nutanix CVMs which includes both incoming and outgoing details. No offense to Nutanix engineering but I'm about sick and tired of piece-meal documentation that is scattered about from vendors that are getting wealthy on the sale of products that leave engineers and architects in a constant state of searching around for the required details they seek, often to come up short.
Hi
@theGman, we recognize there is room for improvement in relation to documentation. Please check the post below and let me know if that brings you any closer to the sought-after information. Please share your suggestions, as they help us improve documentation.
There is no such thing as too many layers of security - Nutanix network ports
hello theGman,
The primary document that *should* cover this is the Security Guide. The link there goes to the firewall recommendations.
If you think something is missing there, please clarify. I can work with the documentation team, and security team if necessary, to close the gap.
There is also this article “Port numbers used for inter CVM communication” which lists what services on the CVM use which ports. These do not all need to be open to the outside, many of them definitely should not be, so I only mention the KB as a knowledge reference. The firewall rules requirements, with explanation, should be in the security guide as I indicated earlier so if anything is missing there we can address it in that document.
I think in writing the documentation, there is an expectation that Prism access would be from within the corporate network.
You mentioned
TCP 22 is needed for SSH, and 80 and 9440 are needed for accessing the web console.
Is this it? Or are there more ports that would need to be opened up for the various types of admin interactions?
- how about running cli tools against the cluster?
- how about downloading support files?
I think you have it covered for admin access. CLI tools such as NCLI use the Nutanix REST API, which needs port 9440. SSH needs port 22, and for collecting files locally I generally recommend SCP which uses the same port. There is also the option of exporting logs via SFTP using logbay on a CVM, and here again we use port 22.
I could think of various other scenarios, such as remote access to the Nutanix containers to upload files, or remote iSCSI access, but if you don’t mind please let me know what scenarios I’ve missed and what’s not covered in the security guide and let’s see if I can’t get the security guide to cover it.
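The two replies above (Richard's port list, and the later answer that NCLI, SCP and logbay all ride on 9440 and 22) give an administrator a concrete set of ports to verify once the external firewall has been configured. The following is an added example, written for this page and not code from the forum posters or from Nutanix: a connect-test run from the admin's vantage point that reports which required management ports are blocked and, just as importantly, which Support-only CVM service pages are reachable when they should not be. The port numbers and their descriptions come from the thread; the host addresses, the function names and the localhost stand-ins used so it runs offline are assumptions for illustration.

```python
"""Management-path port check for a Nutanix CVM / IPMI address from an admin
workstation on the far side of a firewall.

Added example, not from the forum thread or from Nutanix. Port numbers and
roles are the ones named in the thread; hosts and helpers are illustrative.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Ports an admin workstation needs through the firewall, per the thread.
MANAGEMENT_PORTS = {
    "cvm": {22: "SSH / SCP / SFTP (logbay)", 9440: "Prism UI and REST API (ncli)"},
    "ipmi": {443: "IPMI HTTPS", 5900: "IPMI console"},
}
# Service pages Support reaches locally over SSH; these should NOT be open
# from outside, so a reachable result here is a finding, not a success.
INTERNAL_ONLY_PORTS = {2009: "Stargate page", 2010: "Curator page",
                       2222: "SFTP", 8000: "Foundation page"}


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake completes. A firewall that drops times out,
    one that rejects refuses; both count as closed from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, ports, timeout=2.0):
    """Probe all ports in parallel; returns {port: reachable_bool}."""
    with ThreadPoolExecutor(max_workers=16) as pool:
        return dict(pool.map(lambda p: (p, tcp_open(host, p, timeout)), ports))


def audit(host, required, internal_only, timeout=2.0):
    """Return (missing, exposed): required ports that are closed, and
    internal-only ports that are reachable through the firewall."""
    state = check_ports(host, list(required) + list(internal_only), timeout)
    missing = sorted(p for p in required if not state[p])
    exposed = sorted(p for p in internal_only if state[p])
    return missing, exposed


def _accept_loop(srv):
    # Minimal listener: complete handshakes and drop them, until closed.
    while True:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            return


def _listener():
    """Loopback listener on an ephemeral port so the example runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    return srv, srv.getsockname()[1]


def _closed_port():
    """Pick an ephemeral port and release it, so a connect will be refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Constructed scenario on localhost (no real CVM involved): 9440 is open,
    22 is blocked, and 2009 (Stargate page) is wrongly reachable."""
    _, prism = _listener()      # stand-in for 9440, required and open
    _, stargate = _listener()   # stand-in for 2009, internal-only but open
    ssh = _closed_port()        # stand-in for 22, required but blocked
    missing, exposed = audit("127.0.0.1",
                             {prism: "Prism", ssh: "SSH"},
                             {stargate: "Stargate page"}, timeout=1.0)
    return {"ports": {9440: prism, 22: ssh, 2009: stargate},
            "missing": missing, "exposed": exposed}


if __name__ == "__main__":
    # Real use (host is an assumed address): python3 portcheck.py
    cvm = "10.0.0.5"
    missing, exposed = audit(cvm, MANAGEMENT_PORTS["cvm"], INTERNAL_ONLY_PORTS)
    print("blocked required ports:", [(p, MANAGEMENT_PORTS["cvm"][p]) for p in missing])
    print("exposed internal ports:", [(p, INTERNAL_ONLY_PORTS[p]) for p in exposed])
    print("offline demo:", demo())
```

The check only proves that the firewall passes the handshake from one source network; it says nothing about whether the service behind the port is healthy, and a CVM that is down will look like a blocked rule. Run it from every network an admin actually works from, and treat any reachable port in the internal-only list as a rule to tighten rather than a convenience.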
Hi, I just came across this and am having the same issue. The document you list above shows what is needed to get out of my network to access Nutanix for downloads and support.
What is missing are the firewall ports I would need to open to manage a Nutanix when the user is separated from the hardware by a firewall.
For example,
As an admin I need to get to the ILO IP and login. Does that only require port 443?