Suppose you run a vulnerability scan against one of the CVMs and it reports several seemingly unused open ports. What are these ports, and why are they open?
For example, two of the less obvious open ports are 445 and 2071, and you will not find them documented.
Port 445 on the CVMs is used by the Stargate service, a critical service through which the hypervisor and UVMs access our storage.
Port 2071 is used by Nutanix Guest Tools (NGT) regardless of your hypervisor type. Some NGT use cases on non-AHV hypervisors are application-consistent snapshots, file-level restore, and so on.
Closing the wrong port can affect your cluster's performance, so be careful when editing any port.
If you are unsure what a specific port is for, contact Nutanix support for information and assistance.
The commands for modifying the ports on your nodes are documented here: https://portal.nutanix.com/#/page/docs/details?targetId=Nutanix-Security-Guide-v510:wc-cvm-firewall-block-unblock-ports-cli-t.html
Example of firewall ports that must be open to successfully access the cluster:
Prism web console: 9440, 80
SSH to both CVM and Hypervisor: 22
Cluster remote support: 80, 8443
vCenter remote console: 443, 902, 903 from both the user host and vCenter
vCenter from Prism web console: 443, 80
The following ports must be kept open for the IPMI remote console:
HTTP: 80 (TCP)
HTTPS: 443 (TCP)
IPMI: 623 (UDP)
Remote console: 5900 (TCP)
Virtual media: 623 (UDP)
SMASH: 22 (TCP)
WS-MAN: 8889 (TCP)
Putty/ssh to virtual media: 5120 (TCP)
See the full list of ports for external access to CVMs and reserved ports for CVM inter-communication: https://portal.nutanix.com/kb/1202
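As an added example (not Nutanix's own tooling), the POSIX shell helper below triages the ports a scan reports on a CVM against the port roles listed above, so that a port is only considered for blocking once its role is known; the port-to-role table is taken from this page, and the sample scan result is constructed.

```shell
#!/bin/sh
# Added example, not part of Nutanix's tooling: map scanned ports on a CVM to the
# roles documented above, and flag anything unknown for verification before blocking.

# Roles taken from the lists on this page (key is "port/proto").
port_role() {
  case "$1" in
    22/tcp)          echo "SSH to CVM and hypervisor (SMASH on IPMI)" ;;
    80/tcp)          echo "Prism web console / remote support / vCenter / IPMI HTTP" ;;
    443/tcp)         echo "vCenter / IPMI HTTPS" ;;
    445/tcp)         echo "Stargate - storage path for hypervisor and UVMs; do not close" ;;
    623/udp)         echo "IPMI / virtual media" ;;
    902/tcp|903/tcp) echo "vCenter remote console" ;;
    2071/tcp)        echo "Nutanix Guest Tools (NGT)" ;;
    5120/tcp)        echo "IPMI virtual media (PuTTY/ssh)" ;;
    5900/tcp)        echo "IPMI remote console" ;;
    8443/tcp)        echo "Cluster remote support" ;;
    8889/tcp)        echo "IPMI WS-MAN" ;;
    9440/tcp)        echo "Prism web console" ;;
    *)               return 1 ;;   # not documented here
  esac
}

# Print one line per "port/proto" in a whitespace-separated list:
# "KNOWN <port> <role>" or "UNKNOWN <port> ..." (check KB 1202 / support first).
triage_ports() {
  for p in $1; do
    if role=$(port_role "$p"); then
      echo "KNOWN   $p  $role"
    else
      echo "UNKNOWN $p  leave open; confirm its role (KB 1202 / Nutanix support) before blocking"
    fi
  done
}

# Number of UNKNOWN entries; handy as a gate in a firewall-change review script.
unknown_count() {
  triage_ports "$1" | grep -c '^UNKNOWN' || true
}

# Constructed sample of what a scan might list on a CVM (54321/tcp is made up).
SAMPLE_PORTS="22/tcp 445/tcp 2071/tcp 9440/tcp 54321/tcp 623/udp"
triage_ports "$SAMPLE_PORTS"
```

Feed the helper the port/protocol pairs from your scanner's report; only ports that come back KNOWN with a role you do not need on that node are candidates for the block commands linked above.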