9997 for forwarders to the Splunk indexer.
8000 for clients to the Splunk Search page
8089 for splunkd (also used by deployment server).
All of these can be changed if desired.
The Splunk Documentation has a page that discusses which ports need to be opened, and has diagrams for both standalone and distributed deployments:
Components and their relationship with the network - in the Inherited Deployments Manual
Nice use of colors. One change you may want to review is the direction on the deployer arrows. My understanding is that clients do a pull form a Deployment Server vs the Deployer initiating a push to search peers in a cluster.
I've taken the liberty of updating the diagram slightly to reflect both changes in code since 6.2 and recommendations between this and one other post.
Thanks @rob_jordan for the great effort and for sharing!
Also note that for Search Head Clustering there is a new replication port that you can pick, e.g. 8181. Also with SHC you need the KV store port (by default, 8191) must be available to all other members. You can use the CLI command splunk show kvstore-port to identify the port number.
The replication port must be available to all other members.
It seems many are confused about port required from UFs to a HF. Which is 9997 too i.e.
UFs ---9997---> HF --- 9997---> Indexers
UFs, Indexers, SHs ---8089 ---> DS
Many uses HF & DS as same server.
This is a diagram of Splunk components and network ports that are commonly used in a Splunk Enterprise environment. Firewall rules often need to be updated to allow communication on ports 8000, 8089, 9997, 514 and others.
Source files available here: http://downloads.jordan2000.com/splunk/
Little typo there on the MANAGEMENT TIER.
Does anybody have a version of this made specifically for opening firewall ports between an on-premise installation and splunkcloud.com?
Can anybody me with the commands to specifically opening firewall ports foe an on-premise installation?
Also, what ports to open and how to open the ports?
Wow. Nicely done. This is so hard to find in the official documentation.
I would also suggest adding flows on port 9997 from the search heads, deployment server, license server, and cluster master to the indexers, with a footnote that this is an optional flow used for forwarding Splunk's internal indexes (a recommended best practice).