PRIMECLUSTER Installation and Administration Guide 4.6 Cloud Services
FUJITSU Software

8.3.2 Firewall Design

This section describes the firewall group rule settings that are required to allow communication within the cluster.

PRIMECLUSTER uses several protocols and ports for communication within the cluster. When setting detailed rules, allow the protocols and ports listed in this section so that this intra-cluster communication is not blocked.

In addition, you can add rules based on the security requirements of the customer to design firewall groups.

When adding rules according to customer requirements, or rules required for the operation of other software, set them so that PRIMECLUSTER communication is not rejected.

The rule tables below describe the rules for a cluster system with a two-node configuration.

See

For details of the rules of the firewall groups, refer to the official NIFCLOUD documentation.

8.3.2.1 Rules Applied to the Administrative LAN

Design the rules of the firewall groups applied to the administrative LAN.

The IN rule setting is not necessary in a single-node cluster.

IN rule

| Protocol | Destination port | Connection source type | IP/CIDR, Group | Description |
|---|---|---|---|---|
| UDP | 9382 | IP/CIDR | Administrative LAN NIC IP of remote cluster node | Used for the shutdown facility (SF) |
| UDP | 9796 | IP/CIDR | Administrative LAN NIC IP of remote cluster node | Used for the management view |
| TCP | 9797 | IP/CIDR | Administrative LAN NIC IP of remote cluster node | Used for the management view |
| ICMP | - (Specify all ports) | IP/CIDR | Administrative LAN NIC IP of remote cluster node | Used for clchkcluster |

OUT rule

| Protocol | Destination port | Connection source type | IP/CIDR, Group | Description |
|---|---|---|---|---|
| UDP (*1) | 9382 | IP/CIDR | Administrative LAN NIC IP of remote cluster node | Used for the shutdown facility (SF) |
| UDP (*1) | 9796 | IP/CIDR | Administrative LAN NIC IP of remote cluster node | Used for the management view |
| TCP (*1) | 9797 | IP/CIDR | Administrative LAN NIC IP of remote cluster node | Used for the management view |
| ICMP (*1) | - (Specify all ports) | IP/CIDR | Administrative LAN NIC IP of remote cluster node | Used for clchkcluster |
| TCP (*1) | 53 | IP/CIDR | CIDR of DNS | Used for the forced stop (Name resolution of the API endpoint) |
| UDP (*1) | 53 | IP/CIDR | CIDR of DNS | Used for the forced stop (Name resolution of the API endpoint) |
| TCP (*1) | 443 | IP/CIDR | 0.0.0.0/0 | Used for the forced stop (Communication with the API endpoint) |
| TCP | 123 | IP/CIDR | IP address of NTP server | Used for NTP server query |
| UDP | 123 | IP/CIDR | IP address of NTP server | Used for NTP server query |

(*1) This setting is not necessary in a single-node cluster.
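The requirement above that customer-added rules must never reject PRIMECLUSTER communication can be checked before a firewall group is applied. The following added example (not part of this guide or of the NIFCLOUD tooling) models a firewall group as a list of rules, verifies that every node-to-node flow from the administrative LAN tables is allowed for the remote node's IP, and flags IN rules open to 0.0.0.0/0, which none of the tables in this section requires; the `Rule` class, function names and sample addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One firewall group rule; port None means all ports (ICMP, ANY)."""
    direction: str   # "IN" or "OUT"
    protocol: str    # "TCP", "UDP", "ICMP" or "ANY"
    port: Optional[int]
    cidr: str        # IP/CIDR the rule is restricted to

# Node-to-node flows section 8.3.2.1 requires on the administrative LAN of a
# two-node cluster; the same four are needed in both directions.
_NODE_FLOWS = [("UDP", 9382, "shutdown facility (SF)"), ("UDP", 9796, "management view"),
               ("TCP", 9797, "management view"), ("ICMP", None, "clchkcluster")]
ADMIN_LAN_FLOWS = [(d, p, port, why) for d in ("IN", "OUT") for p, port, why in _NODE_FLOWS]

def rule_covers(rule, direction, protocol, port, peer_ip):
    """True if the rule permits this flow with peer_ip (ANY / all ports match everything)."""
    if rule.direction != direction or rule.protocol not in ("ANY", protocol):
        return False
    if rule.port is not None and rule.port != port:
        return False
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr, strict=False)

def missing_admin_lan_flows(rules, remote_node_ip):
    """Required flows that no rule in the group allows, i.e. traffic the group would reject."""
    return [f for f in ADMIN_LAN_FLOWS
            if not any(rule_covers(r, f[0], f[1], f[2], remote_node_ip) for r in rules)]

def open_inbound_rules(rules):
    """IN rules accepting from any source; none of the tables in this section needs one."""
    return [r for r in rules if r.direction == "IN"
            and ipaddress.ip_network(r.cidr, strict=False).prefixlen == 0]

# Constructed sample (addresses are made up): this group omits TCP 9797 inbound
# and carries a customer-added SSH rule that is open to the whole Internet.
REMOTE_NODE = "192.0.2.12"
SAMPLE_RULES = [
    Rule("IN", "UDP", 9382, "192.0.2.12/32"),
    Rule("IN", "UDP", 9796, "192.0.2.12/32"),
    Rule("IN", "ICMP", None, "192.0.2.12/32"),
    Rule("OUT", "ANY", None, "192.0.2.0/24"),
    Rule("IN", "TCP", 22, "0.0.0.0/0"),
]
```

Running `missing_admin_lan_flows(SAMPLE_RULES, REMOTE_NODE)` reports the absent TCP 9797 IN rule for the management view, and `open_inbound_rules(SAMPLE_RULES)` returns the SSH rule that should be narrowed to the access source CIDR as in 8.3.2.1.2.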

8.3.2.1.1 Rules Applied to Web-Based Admin View

Design the rules of the firewall groups applied to the Web-Based Admin View.

1) When ensuring the connectivity with a server for a client

Design the rules of the firewall groups applied to the Web-Based Admin View (cluster node side).

IN rule

| Protocol | Destination port | Connection source type | IP/CIDR, Group | Description |
|---|---|---|---|---|
| TCP | 8081 | IP/CIDR | Server IP for the management view client | Used for the management view |
| TCP | 9798 | IP/CIDR | Server IP for the management view client | Used for the management view |
| TCP | 9799 | IP/CIDR | Server IP for the management view client | Used for the management view |

Design the rules of the firewall groups applied to the Web-Based Admin View (management client side).

OUT rule

| Protocol | Destination port | Connection source type | IP/CIDR, Group | Description |
|---|---|---|---|---|
| TCP | 8081 | IP/CIDR | Administrative LAN NIC IP of all cluster nodes | Used for the management view |
| TCP | 9798 | IP/CIDR | Administrative LAN NIC IP of all cluster nodes | Used for the management view |
| TCP | 9799 | IP/CIDR | Administrative LAN NIC IP of all cluster nodes | Used for the management view |

Also, create an IN rule in the firewall group to allow a remote desktop connection from the remote control terminal of the management view client to the server for the management view client.

2) When ensuring the connectivity using a VPN connection

Design the rules of the firewall groups applied to the Web-Based Admin View (cluster node side).

IN rule

| Protocol | Destination port | Connection source type | IP/CIDR, Group | Description |
|---|---|---|---|---|
| TCP | 8081 | IP/CIDR | CIDR of the management view client | Used for the management view |
| TCP | 9798 | IP/CIDR | CIDR of the management view client | Used for the management view |
| TCP | 9799 | IP/CIDR | CIDR of the management view client | Used for the management view |

Design the rules of the firewall groups applied to the Web-Based Admin View (VPN gateway side).

OUT rule

| Protocol | Destination port | Connection source type | IP/CIDR, Group | Description |
|---|---|---|---|---|
| TCP | 8081 | IP/CIDR | Administrative LAN NIC IP of all cluster nodes | Used for the management view |
| TCP | 9798 | IP/CIDR | Administrative LAN NIC IP of all cluster nodes | Used for the management view |
| TCP | 9799 | IP/CIDR | Administrative LAN NIC IP of all cluster nodes | Used for the management view |

When using a VPN connection, refer to "8.3.2.5 Rules Applied to a VPN Gateway when Using VPN" and set the firewall groups applied to a VPN gateway as well.

8.3.2.1.2 Rules Applied to Server Access in Introduction and Maintenance

Design the rules of the firewall groups applied to server access in introduction and maintenance.

IN rule

| Protocol | Destination port | Connection source type | IP/CIDR, Group | Description |
|---|---|---|---|---|
| TCP | 22 | IP/CIDR | CIDR of the access source | Used for remote access by SSH |

OUT rule

| Protocol | Destination port | Connection source type | IP/CIDR, Group | Description |
|---|---|---|---|---|
| TCP | 80 | IP/CIDR | 0.0.0.0/0 | Used for installing dependent packages |
| TCP | 443 | IP/CIDR | 0.0.0.0/0 | Used for installing dependent packages |

8.3.2.2 Rules Applied to the Cluster Interconnect

Design the rules of the firewall groups applied to the cluster interconnect.

This setting is not necessary in a single-node cluster.

IN rule

| Protocol | Destination port | Connection source type | IP/CIDR, Group | Description |
|---|---|---|---|---|
| ANY | - (Specify all ports) | IP/CIDR | IP of NIC for cluster interconnect of remote cluster node | Used for the heartbeat |

OUT rule

| Protocol | Destination port | Connection source type | IP/CIDR, Group | Description |
|---|---|---|---|---|
| ANY | - (Specify all ports) | IP/CIDR | IP of NIC for cluster interconnect of remote cluster node | Used for the heartbeat |

8.3.2.3 Rules Applied to the Public LAN

Design the rules of the firewall groups applied to the public LAN.

Add the rules that are required for application operations, and the following OUT rule.

OUT rule

| Protocol | Destination port | Connection source type | IP/CIDR, Group | Description |
|---|---|---|---|---|
| ICMP | - (Specify all ports) | IP/CIDR | CIDR of the monitoring destination of the business network | Used for monitoring the business network |

This rule is required when using the network monitoring function.

For details, refer to "6.7.3.6 Setting Up Takeover Network Resources" in "PRIMECLUSTER Installation and Administration Guide."

When using a router for error monitoring of the public LAN, add an IN rule to the firewall group of the router to allow ICMP from the cluster nodes.

8.3.2.4 Rules Applied to the Network for Data Synchronization

Design the rules of the firewall groups applied to the network for data synchronization.

This setting is not necessary in a single-node cluster.

IN rule

| Protocol | Destination port | Connection source type | IP/CIDR, Group | Description |
|---|---|---|---|---|
| TCP | 3260 | IP/CIDR | IP of NIC for data synchronization of remote cluster node | Used for mirroring among servers |

OUT rule

| Protocol | Destination port | Connection source type | IP/CIDR, Group | Description |
|---|---|---|---|---|
| TCP | 3260 | IP/CIDR | IP of NIC for data synchronization of remote cluster node | Used for mirroring among servers |

8.3.2.5 Rules Applied to a VPN Gateway when Using VPN

Design the rules of the firewall groups applied to a VPN gateway when using VPN.

IN rule

| Protocol | Destination port | Connection source type | IP/CIDR, Group | Description |
|---|---|---|---|---|
| UDP | 500 | IP/CIDR | CIDR of the access source | Used for a VPN connection |
| UDP | 4500 | IP/CIDR | CIDR of the access source | Used for a VPN connection |
| ESP | - (Specify all ports) | IP/CIDR | CIDR of the access source | Used for a VPN connection |

OUT rule

| Protocol | Destination port | Connection source type | IP/CIDR, Group | Description |
|---|---|---|---|---|
| Protocol used for communication via VPN | Port used for communication via VPN | IP/CIDR | IP/CIDR of a cluster communicating via VPN | Used for a VPN connection |

For each added OUT rule, add a matching IN rule to the firewall group of the server to allow the communication from the VPN connection source CIDR.