1. Overview
For monitoring hosts and services as well as communication between different components of a Checkmk installation, Checkmk in many cases uses data transmission over TCP/IP or UDP/IP.
This article will give you an overview of which ports are needed for each type of communication. These ports must be enabled in the firewall configuration or bound to a container when Checkmk is used in that container.
The communication direction is incoming to the component mentioned in the chapter heading, unless otherwise mentioned.
Note: The majority of port numbers listed here are standard ports. These can be manually changed to other ports at any time. Those ports that are not active by default, but instead must be enabled as needed, are additionally marked with a note.
2. Monitoring of hosts (agent, SNMP)
2.1. Monitored host
The following ports on monitored hosts must be accessible from the Checkmk server.
| Port | Protocol | Designation | Supplementary Information |
|---|---|---|---|
161 | UDP | Hosts monitored via SNMP receive the | |
6556 | TCP | Hosts monitored via the Checkmk agent are queried over this port. Communication is TLS encrypted or in plain text (as for the Linux agent in legacy mode). | |
- | ICMP | Ping | Checkmk monitors the accessibility of hosts via ping. If this is not possible, the host state determination must be specified with the Host Check Command rule. |
Active checks directly access the ports of the monitored services, which must therefore also be accessible from the Checkmk server. Monitoring with special agents may require opening other/additional ports. For example, the special agent for VMware ESXi (as well as NetApp and many others) requires the opening of port 443 on the ESXi server.
2.2. The Checkmk server
The following ports on the Checkmk server must be accessible to the hosts in the monitoring.
| Port | Protocol | Designation | Supplementary information |
|---|---|---|---|
80 | TCP | Hypertext Transfer Protocol (HTTP) | Agent Updater (Agent Bakery), Agent Controller port discovery |
162 | UDP | Simple Network Management Protocol Trap (SNMPTRAP) EC | Receive SNMP traps via Event Console (can be optionally enabled) |
443 | TCP | Hypertext Transfer Protocol over SSL/TLS (HTTPS) | Agent Updater (Agent Bakery), Agent Controller port discovery, with transport encryption |
514 | TCP and UDP | Syslog (EC) | Receive syslog messages via the Event Console (can be optionally enabled) |
6559 | UDP | Receive UDP packets for real-time checks of individual services (rarely used, can be optionally enabled) | |
8000 | TCP | Agent Controller TLS registration | If multiple sites are running on the Checkmk server, additional ports (8001, 8002…) may be needed. |
The TLS registration of agents uses the REST API on port 80/443 to discover the port to register (normally 8000 TCP). If both ports are unreachable, the port can be specified via a command line option. If port 8000 is unreachable, a registration by proxy can be performed through other hosts in the monitoring.
3. Distributed monitoring
3.1. Remote sites
The following ports on remote sites must be accessible from the Checkmk server operating as the central site.
| Port | Protocol | Name | Supplementary information |
|---|---|---|---|
80 | TCP | HTTPS (Hypertext Transfer Protocol) | Synchronization in distributed monitoring |
443 | TCP | Hypertext Transfer Protocol over SSL/TLS (HTTPS) | Synchronization in distributed monitoring, with transport encryption |
6555 | TCP | Notification spooler | The notification spooler is used to send notifications centrally, here when a connection is established by the central site (can be optionally enabled) |
6557 | TCP | If multiple sites are running on the Checkmk server, additional ports may be required (can be optionally enabled) | |
6558 | TCP | Event Console status port (can be optionally enabled) |
3.2. The central site
In principle, distributed monitoring is already possible without further aids such as tunneling if the central site can establish a connection to the remote sites. Accessibility of the central site by remote sites is only required for optional functionalities (e.g. Agent Bakery).
The following ports on the Checkmk server operating as a central site must be accessible by the associated remote sites to provide the described functionality.
| Port | Protocol | Designation | Supplementary information |
|---|---|---|---|
80 | TCP | Hypertext Transfer Protocol (HTTP) | |
443 | TCP | Hypertext Transfer Protocol over SSL/TLS (HTTPS) | For Agent Bakery and dynamic host configuration, with transport encryption |
6555 | TCP | Notification spooler | The notification spooler is used to send notifications centrally, here when a connection is established by a remote site (can be optionally enabled) |
4. Local ports on the Checkmk server
The following ports are used by the Checkmk server on the local loopback interface. If you use a very strict firewall configuration on your Checkmk server, these ports must be enabled for incoming and outgoing communication on the IP address 127.0.0.1 (IPv4), respectively ::1 (IPv6).
| Port | Protocol | Designation | Supplementary information |
|---|---|---|---|
5000 | TCP | HTTP Site Apache | Each Checkmk site has its own Apache, which is accessed by the externally callable Apache as a reverse proxy. Additional sites use port 5001, etc. |
6558 | TCP | Event Console status port (can be optionally enabled) |
5. Local port on Windows hosts
The following port is used on Windows hosts in monitoring for communication of the two components, agent program and Agent Controller. If you use a very strict firewall configuration on the monitored host, this port must be enabled for incoming and outgoing communication on the IP address 127.0.0.1 (IPv4), respectively ::1 (IPv6).
| Port | Protocol | Designation | Supplementary information |
|---|---|---|---|
28250 | TCP | Checkmk agent | The agent program opens the port. The |
6. The Checkmk appliance cluster
You can combine two Checkmk appliances ('nodes') into a cluster. All configurations and data will then be synchronized between the two devices.
The following ports must be enabled for inbound and outbound communication for both nodes.
Attention! Since the communication between both appliances is unencrypted, you might need to take some measures to prevent unauthorized persons from intercepting the network traffic. For example, this could be a direct connection if both appliances are in a rack, or the use of an encrypted VLAN if physical proximity is not desired.
| Port | Protocol | Designation | Supplementary information |
|---|---|---|---|
3121 | TCP | Pacemaker | Pacemaker cluster resource manager |
4321 | UDP | Corosync | Corosync cluster engine |
4323 | UDP | Corosync | Corosync cluster engine |
7789 | TCP | DRBD | Synchronization of DRBD (Distributed Replicated Block Device) |
7. Outgoing ports
You may need some additional outgoing ports from the Checkmk server:
SMTP to send notifications from the Checkmk server via email (port 25, 465 or 587 TCP depending on the mail server configuration)
NTP time synchronization (port 123 UDP)
DNS (port 53 UDP)
LDAP authentication (port 389 TCP, as LDAPS on port 636 TCP)