Fortanix Data Security Manager Port Requirements

List of required open ports

External/Application Ports

The following ports need to be accessible by clients wanting to access Fortanix Data Security Manager (DSM).

| Protocol | Inbound/Outbound | Port Number | Load Balancer Use (Yes/No) | Purpose |
|---|---|---|---|---|
| TCP | Inbound | 22 | No | SSH connection to the Fortanix Data Security Manager server. |
| TCP | Inbound | 443 | Yes | HTTPS – Used for the WebUI and for calling the REST API. Applications will access the cluster URL on this port. Each individual node will also need this port open. |
| TCP | Inbound | 4445 | Yes | HTTPS – Used for delivering static content in the WebUI. |
| TCP | Inbound | 5696 | Yes | Used by applications that use KMIP for interacting with Fortanix DSM. Applications will access the cluster URL on this port. Each individual node will also need this port open. |

Intra-cluster ports

The following ports are needed for communication between different cluster nodes.

| Protocol | Inbound/Outbound | Port Number | Load Balancer Use (Yes/No) | Purpose |
|---|---|---|---|---|
| IP | | | No | Protocol number 112 (VRRP) – Cluster IP negotiation (keepalived) |
| TCP | Both | 2379 | No | HTTP – etcd API (this port uses TLS after upgrade to 3.24) |
| TCP | Both | 2380 | No | etcd intra-cluster communication |
| TCP | Both | 2382 | No | etcd intra-cluster communication over TLS (this port needs to be open before upgrading to 3.24) |
| TCP | Both | 6443 | No | HTTPS – Kubernetes API |
| TCP | Both | 10250 | No | Kubelet port |
| UDP | Both | 8472 | No | VXLAN – intra-cluster communication |
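As an added example (not part of the Fortanix documentation), the following Python script performs a pre-flight reachability check of the TCP rows from the External/Application and Intra-cluster tables above, run from a client host or a peer cluster node. The target hostname, the timeout and all function names are assumptions of this example. UDP rows (VXLAN 8472) and the VRRP row (IP protocol 112, which is not a port at all) cannot be confirmed with a TCP connect, so the script reports them for manual verification instead of claiming they are open or closed.

```python
"""Pre-flight TCP reachability check for the Fortanix DSM port tables.

Added example, not Fortanix code. Assumes it is run from a host that should be
able to reach a DSM node; the node's hostname or IP is given on the command
line. Non-TCP rows are reported as "manual" because a connect() says nothing
about UDP or about IP protocol 112 (VRRP).
"""
import socket
import sys

# Rows transcribed from the page's tables: (protocol, port, purpose).
EXTERNAL_PORTS = [
    ("tcp", 22, "SSH to DSM server"),
    ("tcp", 443, "HTTPS WebUI / REST API (cluster URL and each node)"),
    ("tcp", 4445, "HTTPS static WebUI content"),
    ("tcp", 5696, "KMIP (cluster URL and each node)"),
]
INTRA_CLUSTER_PORTS = [
    ("ip112", None, "VRRP cluster IP negotiation (keepalived)"),
    ("tcp", 2379, "etcd API (TLS after upgrade to 3.24)"),
    ("tcp", 2380, "etcd intra-cluster"),
    ("tcp", 2382, "etcd intra-cluster over TLS (open before upgrading to 3.24)"),
    ("tcp", 6443, "Kubernetes API"),
    ("tcp", 10250, "Kubelet"),
    ("udp", 8472, "VXLAN"),
]


def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def run_checks(host, rows, timeout=3.0):
    """Check each row; returns {(proto, port): "open" | "closed" | "manual"}."""
    results = {}
    for proto, port, _purpose in rows:
        if proto != "tcp":
            # UDP and raw IP protocols need a protocol-specific probe.
            results[(proto, port)] = "manual"
        else:
            state = "open" if check_tcp(host, port, timeout) else "closed"
            results[(proto, port)] = state
    return results


def closed_ports(results):
    """Sorted list of TCP ports that did not answer; empty means all reachable."""
    return sorted(port for (proto, port), state in results.items() if state == "closed")


def start_local_listener():
    """Test helper: bind a TCP listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <dsm-node-host>")
        return 2
    host = argv[1]
    for title, rows in (("External/Application", EXTERNAL_PORTS),
                        ("Intra-cluster", INTRA_CLUSTER_PORTS)):
        print(f"== {title} ports on {host} ==")
        results = run_checks(host, rows)
        for proto, port, purpose in rows:
            print(f"{proto:>5} {str(port or '-'):>6}  {results[(proto, port)]:<7} {purpose}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 dsm_portcheck.py dsm-node.example.internal` from each client subnet and from each peer node; a "closed" result on 443 or 5696 from a client, or on 2379/2380/2382/6443/10250 between nodes, points at a firewall or load-balancer rule rather than at DSM itself.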

Outbound Ports

The following outbound ports must be open for Fortanix DSM if the corresponding external systems are to be reachable.

| Protocol | Inbound/Outbound | Port Number | Load Balancer Use (Yes/No) | Purpose |
|---|---|---|---|---|
| TCP | Outbound | SMTP | No | If SMTP email is configured. |
| TCP | Outbound | 443 | No | If email is configured using AWS SES. |
| UDP | Outbound | 514 | No | If external Syslog is used with the fluentd configuration for cluster POD logs. |
| TCP | Outbound | 514 | No | If external logging is used to push audit logs. |
| TCP | Outbound | 514 | No | If external logging using Syslog TLS is configured. |
| TCP | Outbound | 8089 | No | If external logging using Splunk is configured. |
| TCP | Outbound | 443 | No | If external logging using Google Stackdriver is configured. |
| TCP | Outbound | 636 | No | If SSO authentication with AD/LDAP is configured. |
| TCP | Outbound | 443 | No | If external logging using OAuth is configured. |
| TCP | Outbound | 443 | No | For connection to the IAS proxy if attestation is enabled. |
| UDP | Outbound | 123 | No | When external NTP is configured. |
| TCP | Outbound | 80 | No | Used for Intel remote attestation when SGX is configured. For more details refer to the Fortanix DSM Attestation Guide. |
| TCP | Outbound | 443 | No | Used for the Intel remote attestation service when SGX is configured. For more details refer to the Fortanix DSM Attestation Guide. |
| TCP | Outbound | 443 | No | Used for communication with the GitHub repository for Fortanix DSM plugins. Refer to https://github.com/fortanix/sdkms-plugin-library |
| TCP | Outbound | 53 | No | DNS port used to query and request information from the DNS servers. |
| UDP | Outbound | 53 | No | DNS port used to query and request information from the DNS servers. |

Management Interface Ports

When the MGMT network port is connected to the network, the following ports must be open to use the Intelligent Platform Management Interface (IPMI):

| Protocol | Inbound/Outbound | Port Number | Load Balancer Use (Yes/No) | Purpose |
|---|---|---|---|---|
| TCP | Inbound | 80 | No | Only applicable for FX2200 appliances – For IPMI WebUI. |
| TCP | Inbound | 443 | No | Only applicable for FX2200 appliances – For IPMI WebUI via HTTPS if configured. |
| UDP | Inbound | 623 | No | Only applicable for FX2200 appliances – For IPMI and SOL. |