How to Re-enable firewalld service on Splunk serve...

nishu3788 · ‎03-20-2019

I have RedHat 7.4 environment in which I have to re-enable firewalld services. Can anyone please provide some suggestion on this.

nickhills · ‎03-20-2019

You may need to create rules to allow your forwarding clients, web browsers, restapi, indexer replication etc, etc. to communicate with your server once you have restarted the firewall.

The exact ports you need to configure will depend on your type of server, and whether you are running index clusters etc, however the basic syntax is:

sudo firewall-cmd --zone=<your zone> --add-port=8000/tcp --permanent

Assuming a simple single server deployment, you will need to configure as a minimum TCP:8000, TCP:8089, TCP:9997 and don't forget SSH!
https://firewalld.org/documentation/man-pages/firewall-cmd.html

If my comment helps, please give it a thumbs up!

nishu3788 · ‎03-21-2019

Thank you so much for your reply. To be specific, we have full distributed environment with IDX and SH into cluster. We are taking input from UF, REST API, DB connect and syslog, etc. Can you share the exclusive ports that I can miss apart from the standard Splunk ports.

nickhills · ‎03-21-2019

It depends on your exact setup, but common ports are (all TCP)
8000 for web
8089 for api
9997 and 9998 for forwarders (non SSL and SSL)
9000 for idx replication (although this could be anything)
DB connect will use relevant ports for your DB engines, but those will be egress from DBX

If my comment helps, please give it a thumbs up!

How to Re-enable firewalld service on Splunk servers?

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!