Fortanix Data Security Manager Port Requirements

List of required open ports

External/Application Ports

The following ports need to be accessible by clients wanting to access Fortanix Data Security Manager (DSM). 

| Protocol | Inbound/Outbound | Port Number | Load Balancer Use (Yes/No) | Purpose |
|---|---|---|---|---|
| TCP | Inbound | 22 | No | SSH connection to the Fortanix Data Security Manager server. |
| TCP | Inbound | 443 | Yes | HTTPS – Used for the WebUI and for calling the REST API. Applications access the cluster URL on this port. Each individual node also needs this port open. |
| TCP | Inbound | 4445 | Yes | HTTPS – Used for delivering static content in the WebUI. |
| TCP | Inbound | 5696 | Yes | Used by applications that use KMIP to interact with Fortanix DSM. Applications access the cluster URL on this port. Each individual node also needs this port open. |

Intra-cluster Ports

The following ports are needed for communication between different cluster nodes.

| Protocol | Inbound/Outbound | Port Number | Load Balancer Use (Yes/No) | Purpose |
|---|---|---|---|---|
| IP | | Protocol number 112 (VRRP) | No | Cluster IP negotiation (keepalived). |
| TCP | Both | 2379 | No | HTTP – etcd API. (This port uses TLS after upgrade to 3.24.) |
| TCP | Both | 2380 | No | etcd intra-cluster communication. |
| TCP | Both | 2382 | No | etcd intra-cluster communication over TLS. (This port needs to be open before upgrading to 3.24.) |
| TCP | Both | 6443 | No | HTTPS – Kubernetes API. |
| TCP | Both | 10250 | No | Kubelet port. |
| UDP | Both | 8472 | No | VXLAN – intra-cluster communication. |
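A pre-flight check for the External/Application and Intra-cluster tables above, written as an added example (not Fortanix tooling): it parses `ss -Hltn` / `ss -Hlun` output from a node and reports required ports that have no listener. The sample output and the 10.0.0.11 node address are constructed; VRRP is an IP protocol rather than a port, so it is not covered here.

```python
"""Check a DSM node's listening sockets against the required port list."""
import subprocess

# Ports from the External/Application and Intra-cluster tables above.
# 2382 is the TLS etcd port that must be open before upgrading to 3.24.
REQUIRED_LISTENERS = {
    "tcp": {22, 443, 4445, 5696, 2379, 2380, 2382, 6443, 10250},
    "udp": {8472},
}

# Constructed sample output of `ss -Hltn` and `ss -Hlun` on a node (10.0.0.11).
SAMPLE_SS_TCP = """\
LISTEN 0 128  0.0.0.0:22         0.0.0.0:*
LISTEN 0 4096 *:443              *:*
LISTEN 0 4096 *:4445             *:*
LISTEN 0 4096 10.0.0.11:2379     0.0.0.0:*
LISTEN 0 4096 10.0.0.11:2380     0.0.0.0:*
LISTEN 0 4096 *:6443             *:*
LISTEN 0 4096 [::]:10250         [::]:*
"""
SAMPLE_SS_UDP = """\
UNCONN 0 0 0.0.0.0:8472          0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53      0.0.0.0:*
"""


def listening_ports(ss_output: str) -> set[int]:
    """Extract local port numbers from `ss -l` output (header lines are skipped)."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # Column 4 is "Local Address:Port"; the port is after the last ':',
        # which also handles IPv6 literals such as [::]:10250.
        _, _, port = fields[3].rpartition(":")
        if port.isdigit():
            ports.add(int(port))
    return ports


def missing_listeners(tcp_out: str, udp_out: str) -> dict[str, set[int]]:
    """Return, per protocol, the required ports with no listening socket."""
    found = {"tcp": listening_ports(tcp_out), "udp": listening_ports(udp_out)}
    return {proto: REQUIRED_LISTENERS[proto] - found[proto] for proto in found}


def live_ss(proto_flag: str) -> str:
    """Run ss on this host; proto_flag is 't' for TCP or 'u' for UDP."""
    cmd = ["ss", "-Hln" + proto_flag]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(missing_listeners(SAMPLE_SS_TCP, SAMPLE_SS_UDP))
```

A listener is necessary but not sufficient: a host or network firewall between nodes can still block a port, so pair this with a connectivity test from each peer node.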

Outbound Ports 

The following outbound ports must be open if Fortanix DSM needs to reach the corresponding external systems.

| Protocol | Inbound/Outbound | Port Number | Load Balancer Use (Yes/No) | Purpose |
|---|---|---|---|---|
| TCP | Outbound | SMTP | No | If SMTP email is configured. |
| TCP | Outbound | 443 | No | If email is configured using AWS SES. |
| UDP | Outbound | 514 | No | If an external Syslog is used with the fluentd configuration for cluster pod logs. |
| TCP | Outbound | 514 | No | If external logging is used to push audit logs. |
| TCP | Outbound | 514 | No | If external logging using Syslog TLS is configured. |
| TCP | Outbound | 8089 | No | If external logging using Splunk is configured. |
| TCP | Outbound | 443 | No | If external logging using Google Stackdriver is configured. |
| TCP | Outbound | 636 | No | If SSO authentication with AD/LDAP is configured. |
| TCP | Outbound | 443 | No | If external logging using OAuth is configured. |
| TCP | Outbound | 443 | No | For connection to the IAS proxy if attestation is enabled. |
| UDP | Outbound | 123 | No | When external NTP is configured. |
| TCP | Outbound | 80 | No | Used for Intel remote attestation when SGX is configured. For more details refer to the Fortanix DSM Attestation Guide. |
| TCP | Outbound | 443 | No | Used for the Intel remote attestation service when SGX is configured. For more details refer to the Fortanix DSM Attestation Guide. |
| TCP | Outbound | 443 | No | Used for communication with the GitHub repository for Fortanix DSM plugins. Refer to https://github.com/fortanix/sdkms-plugin-library |
| TCP | Outbound | 53 | No | DNS – used to query and request information from the DNS servers. |
| UDP | Outbound | 53 | No | DNS – used to query and request information from the DNS servers. |

Management Interface Ports 

When the MGMT network port is connected to the network, the following ports must be open to use the Intelligent Platform Management Interface (IPMI):

| Protocol | Inbound/Outbound | Port Number | Load Balancer Use (Yes/No) | Purpose |
|---|---|---|---|---|
| TCP | Inbound | 80 | No | Only applicable for FX2200 appliances – for the IPMI WebUI. |
| TCP | Inbound | 443 | No | Only applicable for FX2200 appliances – for the IPMI WebUI via HTTPS, if configured. |
| UDP | Inbound | 623 | No | Only applicable for FX2200 appliances – for IPMI and SOL. |
