What firewall rule is required for indexer acknowledgement?

season88481
Contributor

Hi everyone,

Currently we are trying to introduce indexer acknowledgement to protect against loss of in-flight data.

We have a strict networking environment that only allows opening ports when totally necessary.

Just wondering how the indexer acknowledgement signal is sent to Universal Forwarders? Is there any additional port that needs to be opened between Universal Forwarder and Indexer? (Or between Universal Forwarder and Heavy Forwarders?)

I have had a look at the article below:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Forwarding/Protectagainstlossofin-flightdata

It says "Sends an acknowledgment to the forwarder." But I cannot see any details on how the acknowledgement is sent.

Does it send to Universal Forwarder via a management port? e.g. 8089? If we disable the management port of UFs, does it mean we cannot use this function any more?

Cheers,
S

0 Karma

PickleRick
SplunkTrust

If enabled, acknowledgements are returned within the connection established from the forwarder downstream (to an intermediate forwarder or directly to an indexer). There is no need for another connection.


0 Karma

gcusello
SplunkTrust

Hi @season88481,
the only needed ports are:

  • 9997 (by default or another one) between Universal Forwarders and Indexers;
  • 9997 (by default or another one) between Universal Forwarders and Heavy Forwarders (when present);
  • 9997 (by default or another one) between Heavy Forwarders (when present) and Indexers;
  • 8089 (by default or another one) between All Forwarders (Heavy or Universal) and Deployment Server;
  • 514 (by default or another one) between Appliances (syslogs) and Heavy Forwarders.

If you have an Indexers' Cluster or a Search Heads' Cluster you have to open other ports between Splunk Servers.

Ciao.
Giuseppe

0 Karma

season88481
Contributor

Thanks Giuseppe,

So to allow HFs or IDX to send acknowledgements to UFs, do we need to open the management port 8089 of all UFs?

0 Karma

gcusello
SplunkTrust

Hi @season88481,
beware: UFs send data to Indexers or HFs.
Indexers and HFs don't send anything to UFs; they only receive.

To send configurations (Technical Add-ons) to UFs (opening port 8089), you can use an HF or an Indexer only if you have less than 50 target servers; for more it's mandatory to use a dedicated Deployment Server, and I suggest starting from the beginning with a DS even if you have fewer than 50 target servers, so you'll have less load on the Indexer.

Ciao.
Giuseppe

0 Karma
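Added configuration example (not from any post in this thread) showing what the answers above amount to in practice: indexer acknowledgement is switched on in the forwarder's outputs.conf with `useACK`, and the acknowledgement rides back inside the TCP 9997 connection the forwarder itself opened, so the only firewall allowance needed is outbound 9997 from the UF to the receiver (plus the return packets of that established connection). Hostnames, paths and the stanza name `primary_indexers` are assumed placeholders; the UF's own 8089 listener is not needed for acks, so it can stay disabled.

```ini
# --- On each Universal Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Placeholder receivers: indexers (or an intermediate HF) listening on 9997.
server = idx1.example.com:9997, idx2.example.com:9997
# Hold each block in the forwarder's wait queue until the receiver has written
# it to disk and answered over this same outbound connection; no inbound port
# on the UF is involved.
useACK = true

# --- On each Universal Forwarder: $SPLUNK_HOME/etc/system/local/server.conf ---
[httpServer]
# Assumption: the UF is not managed through its local REST port. Turning the
# 8089 listener off does not affect acknowledgements, which never use it.
disableDefaultPort = true

# --- On each indexer (or intermediate heavy forwarder): inputs.conf ---
[splunktcp://9997]
# Receives data from forwarders and returns acks on the same socket.
disabled = 0
```

Firewall rule summary that follows from this: UF -> Indexer/HF TCP 9997 (and HF -> Indexer 9997 when an intermediate tier exists) outbound only; deployment-server traffic is likewise UF-initiated to the DS on 8089, not a connection into the UF.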