I need to submit firewall rules for our Splunk (Linux) Forwarders to connect to port 9997 on the indexers. Does this link need to be bi-directional?
No, it does not. You only need to allow traffic from the forwarders to the indexers (as long as your firewall is stateful that is).
View solution in original post
Thanks. That's what I needed to know.
No problem. Please mark my answer as accepted if it solved your problem. Thanks!