Hello All,
I have UFs in cloud DCs.
The proposed solution is to have SSL between the indexer and the heavy forwarders.
The plan is for 1 indexer to connect with 3 HFs (both the indexer and the HFs having SSL).
I assume all 3 connections should connect to different ports on the indexer:
Indexer 9997 - HF 1
Indexer 9998 - HF 2
Indexer 9999 - HF 3
Another question: if the HF is sending the data via SSL, is there a requirement that
all the UF agents connecting to the HF also need to have SSL?
Cheers,
Praseetha
Taking this one step by step.
1. Indexers listen on the same port for each server. If all indexers are on SSL, then 9997 for each (or whatever port you like, but 9997 is convention)
2. Each HF forwards data to the indexer. That's where you require SSL if I'm understanding your design. The UFs forward to the HF which then send to IDX?
3. UFs to HF is allowed to be SSL if your requirements specify it. Else, that could be unencrypted, and then the SSL out to your IDX is encrypted.
Now, you asked if HF is required to use SSL to send to the IDX? Splunk doesn't mandate it, that is dependent upon your customer's needs. Do you need SSL? If not, don't do it. If you need it, then turn on SSL. Always take it back to the customer's requirements.
That said, are you sure you need HFs? Could the UFs just send directly to the IDX? If so, do that. Even if security team is whining that it makes them do work.
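A worked configuration for the three steps above, added here as an example; it is not part of the original thread or of Splunk's own documentation. The stanza names and keys are standard Splunk inputs.conf, outputs.conf and server.conf settings, but the hostnames, certificate paths, CNs and passphrases are placeholders I have assumed. It shows a single SSL listener on 9997 on the indexer serving all three HFs (so 9998/9999 are not needed), each HF forwarding to it with server-certificate verification turned on, and the optional UF-to-HF SSL leg from step 3.

```ini
# ---- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# One TLS listener on 9997 accepts all three HFs; a port per HF is not needed.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# PEM holding the indexer's certificate and private key (assumed path)
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = <key-passphrase>
# Reject any forwarder that does not present a certificate signed by our CA
requireClientCert = true
# Only accept client certificates whose CN is one of the three HFs (assumed names)
sslCommonNameToCheck = hf-cloud-a, hf-cloud-b, hf-cloud-c

# ---- Indexer, HFs and UFs: $SPLUNK_HOME/etc/system/local/server.conf ----
[sslConfig]
# CA bundle used by every peer to validate the certificate it is shown
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem

# ---- Each HF: $SPLUNK_HOME/etc/system/local/outputs.conf ----
[tcpout]
defaultGroup = idx_ssl

[tcpout:idx_ssl]
# The same indexer port for all three HFs
server = indexer.example.com:9997
# The HF's own certificate and key, presented because the indexer requires a client cert
clientCert = $SPLUNK_HOME/etc/auth/mycerts/hf.pem
sslPassword = <key-passphrase>
# Verify the indexer's chain and name; without this the HF would encrypt to anyone
sslVerifyServerCert = true
sslCommonNameToCheck = indexer.example.com

# ---- Each HF: inputs.conf, optional TLS on the UF -> HF leg (step 3) ----
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/hf.pem
sslPassword = <key-passphrase>
requireClientCert = true

# ---- Each UF: outputs.conf, pointing at the HF in its own environment ----
[tcpout]
defaultGroup = hf_ssl

[tcpout:hf_ssl]
server = hf-cloud-a.example.com:9997
clientCert = $SPLUNK_HOME/etc/auth/mycerts/uf.pem
sslPassword = <key-passphrase>
sslVerifyServerCert = true
sslCommonNameToCheck = hf-cloud-a.example.com
```

After restarting splunkd, `openssl s_client -connect indexer.example.com:9997` should show the indexer's certificate and complete a handshake, and `splunk list forward-server` on each HF should list the indexer under the active forwards. Two caveats: `sslVerifyServerCert` is what turns the link from merely encrypted into authenticated, so leave it on in both directions; and the client-side key names differ across Splunk releases (older versions use `sslCertPath` instead of `clientCert`), so check the outputs.conf spec for the version you run.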
Thank you, Micheal.
1. Indexers listen on the same port for each server. If all indexers are on SSL, then 9997 for each (or whatever port you like, but 9997 is convention)
I have only 1 indexer; I have 3 other HFs in other clouds which it will connect to.
Both the indexer and the HFs will need SSL for secured data flow.
So the question is: 1 indexer with SSL on 9997 connecting to 3 HFs with SSL on 9997. Is this possible?
Or do we need to connect each of the 3 HFs with SSL to ports 9997, 9998 and 9999 of the indexer with SSL?
2. Each HF forwards data to the indexer. That's where you require SSL if I'm understanding your design. The UFs forward to the HF which then send to IDX? Yes, correct, each UF forwards to the HF.
3. UFs to HF is allowed to be SSL if your requirements specify it. Else, that could be unencrypted, and then the SSL out to your IDX is encrypted.
The UFs and the HF are in the same environment. But the question is that the HF has SSL and is connecting to an indexer in a different environment.
Since the HF has SSL, is it required for all the UFs in the same environment as well? That is my question.
Now, you asked if HF is required to use SSL to send to the IDX? Splunk doesn't mandate it, that is dependent upon your customer's needs. Do you need SSL? If not, don't do it. If you need it, then turn on SSL. Always take it back to the customer's requirements.
Since the UFs are not sending directly to the indexers, they won't require SSL. But again, this will be a vulnerability between the UFs and the HF.