Checkmk
to checkmk.com

1. Overview

For monitoring hosts and services as well as communication between different components of a Checkmk installation, Checkmk in many cases uses data transmission over TCP/IP or UDP/IP.

This article will give you an overview of which ports are needed for each type of communication. These ports must be enabled in the firewall configuration or bound to a container when Checkmk is used in that container.

The communication direction is incoming to the component mentioned in the chapter heading, unless otherwise mentioned.

Note: The majority of port numbers listed here are standard ports. These can be manually changed to other ports at any time. Those ports that are not active by default, but instead must be enabled as needed, are additionally marked with a note.

2. Monitoring of hosts (agent, SNMP)

2.1. Monitored host

The following ports on monitored hosts must be accessible from the Checkmk server.

Port Protocol Designation Supplementary Information

161

UDP

Simple Network Management Protocol (SNMP)

Hosts monitored via SNMP receive the GET-REQUEST via this port.

6556

TCP

Agent

Hosts monitored via the Checkmk agent are queried over this port. Communication is TLS encrypted or in plain text (as for the Linux agent in legacy mode).

-

ICMP

Ping

Checkmk monitors the accessibility of hosts via ping. If this is not possible, the host state determination must be specified with the Host Check Command rule.

Active checks directly access the ports of the monitored services, which must therefore also be accessible from the Checkmk server. Monitoring with special agents may require opening other/additional ports. For example, the special agent for VMware ESXi (as well as NetApp and many others) requires the opening of port 443 on the ESXi server.

2.2. The Checkmk server

The following ports on the Checkmk server must be accessible to the hosts in the monitoring.

Port Protocol Designation Supplementary information

80

TCP

Hypertext Transfer Protocol (HTTP)

Agent Updater (Agent Bakery), Agent Controller port discovery

162

UDP

Simple Network Management Protocol Trap (SNMPTRAP) EC

Receive SNMP traps via Event Console (can be optionally enabled)

443

TCP

Hypertext Transfer Protocol over SSL/TLS (HTTPS)

Agent Updater (Agent Bakery), Agent Controller port discovery, with transport encryption

514

TCP and UDP

Syslog (EC)

Receive syslog messages via the Event Console (can be optionally enabled)

6559

UDP

Real-time checks

Receive UDP packets for real-time checks of individual services (rarely used, can be optionally enabled)

8000

TCP

Agent Controller TLS registration (all editions), agents in push mode (Cloud Edition)

If multiple sites are running on the Checkmk server, additional ports (8001, 8002…​) may be needed.

The TLS registration of agents uses the REST API on port 80/443 to discover the port to register (normally 8000 TCP). If both ports are unreachable, the port can be specified via a command line option. If port 8000 is unreachable, a registration by proxy can be performed through other hosts in the monitoring.

3. Distributed monitoring

3.1. Remote sites

The following ports on remote sites must be accessible from the Checkmk server operating as the central site.

Port Protocol Name Supplementary information

80

TCP

HTTPS (Hypertext Transfer Protocol)

Synchronization in distributed monitoring

443

TCP

Hypertext Transfer Protocol over SSL/TLS (HTTPS)

Synchronization in distributed monitoring, with transport encryption

6555

TCP

Notification spooler

The notification spooler is used to send notifications centrally, here when a connection is established by the central site (can be optionally enabled)

6557

TCP

Livestatus

If multiple sites are running on the Checkmk server, additional ports may be required (can be optionally enabled)

6558

TCP

Event Console status port (can be optionally enabled)

3.2. The central site

In principle, distributed monitoring is already possible without further aids such as tunneling if the central site can establish a connection to the remote sites. Accessibility of the central site by remote sites is only required for optional functionalities (e.g. Agent Bakery).

The following ports on the Checkmk server operating as a central site must be accessible by the associated remote sites to provide the described functionality.

Port Protocol Designation Supplementary information

80

TCP

Hypertext Transfer Protocol (HTTP)

For Agent Bakery and dynamic host configuration

443

TCP

Hypertext Transfer Protocol over SSL/TLS (HTTPS)

For Agent Bakery and dynamic host configuration, with transport encryption

6555

TCP

Notification spooler

The notification spooler is used to send notifications centrally, here when a connection is established by a remote site (can be optionally enabled)

4. Local ports on the Checkmk server

The following ports are used by the Checkmk server on the local loopback interface. If you use a very strict firewall configuration on your Checkmk server, these ports must be enabled for incoming and outgoing communication on the IP address 127.0.0.1 (IPv4), respectively ::1 (IPv6).

Port Protocol Designation Supplementary information

5000

TCP

HTTP Site Apache

Each Checkmk site has its own Apache, which is accessed by the externally callable Apache as a reverse proxy. Additional sites use port 5001, etc.

6558

TCP

Event Console status port (can be optionally enabled)

5. Local port on Windows hosts

The following port is used on Windows hosts in monitoring for communication of the two components, agent program and Agent Controller. If you use a very strict firewall configuration on the monitored host, this port must be enabled for incoming and outgoing communication on the IP address 127.0.0.1 (IPv4), respectively ::1 (IPv6).

Port Protocol Designation Supplementary information

28250

TCP

Checkmk agent

The agent program opens the port. The cmk-agent-ctl.exe Agent Controller responsible for encrypted communication with the Checkmk server accesses it.

6. The Checkmk appliance cluster

You can combine two Checkmk appliances ('nodes') into a cluster. All configurations and data will then be synchronized between the two devices.

The following ports must be enabled for inbound and outbound communication for both nodes.

Attention! Since the communication between both appliances is unencrypted, you might need to take some measures to prevent unauthorized persons from intercepting the network traffic. For example, this could be a direct connection if both appliances are in a rack, or the use of an encrypted VLAN if physical proximity is not desired.

Port Protocol Designation Supplementary information

3121

TCP

Pacemaker

Pacemaker cluster resource manager

4321

UDP

Corosync

Corosync cluster engine

4323

UDP

Corosync

Corosync cluster engine

7789

TCP

DRBD

Synchronization of DRBD (Distributed Replicated Block Device)

7. Accessible ports (outgoing)

You may need some additional ports reachable from the Checkmk server:

Port Protokoll Bezeichnung Ergänzende Informationen

53

UDP

DNS

Name servers specified in the system settings must be reachable

123

UDP

NTP

Time synchronization

25/465/587

TCP

SMTP

Transmission of notifications from the Checkmk server via email (ports depending on the mail server configuration)

443

TCP

HTTPS

Communication with the license server (only commercial editions, Server: license.checkmk.com, alternative: manual submission)

389/636

TCP

LDAP

LDAP authentication (port 389 TCP, as LDAPS on port 636 TCP)

On this page