@steven_swor I've added your recommendation.

Kudos. This is very helpful Rob.

I should get around to updating soon with the feedback I've received.

And mark which connections are using SSL bei default (which have to be switched on manually...)

Great picture!

Thank you very much...

Holger

clap clap clap.

The communication on port 8089 will only be if you've setup the deployment server.

From splunk indexer 1:

tcpdump src port 9997

16:03:15.882512 IP ddcsplunkindex01.ddc.verizon.com.palace-6 > 152.190.138.xxx.40612: Flags [P.], seq 114:171, ack 3058, win 6767, options [nop,nop,TS val 511776904 ecr 342512613], length 57

Splunk will only use src port 9997 as replies (src ports are usually higher numbers). I suspect you're reading this data incorrectly. Unless you've set your indexers to output data to the forwarders, there's no reason for the indexers to initiate communication. If they were, the src ports would be higher random numbered ports.

you can add :
port 8089 for the license-master (from license-slave to license-master)
port XXXX for the replication cluster master, and slaves.

and any other ports open to monitor tcp/udp.

8089 for the deployment server is only needed from the client to the deployment server. Client being indexer, UF, etc.
9997 from the forwarder to the indexer. No connection is needed back from the indexers.
8089 is also used from a Search Head to your indexers. Again only single direction.

I downvoted this post because port listing is at best incomplete and another post better answers the question.

KV store port - 8191
Indexer Replication port - 8080
Network port - 514

you may upvoat this now 🙂 @bohanlon @mikelanghorst

9997 is not a default; just a convention. You need to set it explicitly on the receiving instance (indexer).

Awesome couldn't be more clearer than that.