1. Overview
For monitoring hosts and services as well as communication between different components of a Checkmk installation, Checkmk in many cases uses data transmission over TCP/IP or UDP/IP.
This article will give you an overview of which ports are needed for each type of communication. These ports must be enabled in the firewall configuration or bound to a container when Checkmk is used in that container.
The communication direction is incoming to the component mentioned in the chapter heading, unless otherwise mentioned.
The majority of port numbers listed here are standard ports. These can be manually changed to other ports at any time. Those ports that are not active by default, but instead must be enabled as needed, are additionally marked with a note.
2. Monitoring of hosts (agent, SNMP)
2.1. Monitored host
The following ports on monitored hosts must be accessible from the Checkmk server.
Port | Protocol | Designation | Supplementary information |
---|---|---|---|
161 | UDP | | Hosts monitored via SNMP receive the |
6556 | TCP | | Hosts monitored via the Checkmk agent are queried over this port. Communication is TLS encrypted or in plain text (as for the Linux agent in legacy mode). |
- | ICMP | Ping | Checkmk monitors the accessibility of hosts via ping. If this is not possible, the host state determination must be specified with the Host Check Command rule. |
Active checks directly access the ports of the monitored services, which must therefore also be accessible from the Checkmk server. Monitoring with special agents may require opening other/additional ports. For example, the special agent for VMware ESXi (as well as NetApp and many others) requires the opening of port 443 on the ESXi server.
2.2. The Checkmk server
The following ports on the Checkmk server must be accessible to the hosts in the monitoring.
Port | Protocol | Designation | Supplementary information |
---|---|---|---|
80 | TCP | Hypertext Transfer Protocol (HTTP) | Agent Updater (Agent Bakery), Agent Controller port discovery |
162 | UDP | Simple Network Management Protocol Trap (SNMPTRAP) EC | Receive SNMP traps via Event Console (can be optionally enabled) |
443 | TCP | Hypertext Transfer Protocol over SSL/TLS (HTTPS) | Agent Updater (Agent Bakery), Agent Controller port discovery, with transport encryption |
514 | TCP and UDP | Syslog (EC) | Receive syslog messages via the Event Console (can be optionally enabled) |
4317 | TCP | OpenTelemetry (over gRPC) | Receive OpenTelemetry metrics (can be optionally enabled on Checkmk Cloud and higher) |
4318 | TCP | OpenTelemetry (over HTTP/HTTPS) | Receive OpenTelemetry metrics (can be optionally enabled on Checkmk Cloud and higher) |
6559 | UDP | | Receive UDP packets for real-time checks of individual services (rarely used, can be optionally enabled) |
8000 | TCP | Agent Controller TLS registration, agents in push mode | If multiple sites are running on the Checkmk server, additional ports (8001, 8002…) may be needed. |
The TLS registration of agents uses the REST API on port 80/443 to discover the port to register (normally 8000 TCP). If both ports are unreachable, the port can be specified via a command line option. If port 8000 is unreachable, a registration by proxy can be performed through other hosts in the monitoring.
3. Distributed monitoring
3.1. Remote sites
The following ports on remote sites must be accessible from the Checkmk server operating as the central site.
Port | Protocol | Name | Supplementary information |
---|---|---|---|
80 | TCP | Hypertext Transfer Protocol (HTTP) | Synchronization in distributed monitoring |
443 | TCP | Hypertext Transfer Protocol over SSL/TLS (HTTPS) | Synchronization in distributed monitoring, with transport encryption |
5671 | TCP | Advanced Message Queuing Protocol (AMQP) | A message broker is used to forward Piggyback data in distributed monitoring. The port number is incremented for each newly integrated remote instance. |
6555 | TCP | Notification spooler | The notification spooler is used to send notifications centrally, here when a connection is established by the central site (can be optionally enabled) |
6557 | TCP | | If multiple sites are running on the Checkmk server, additional ports may be required (can be optionally enabled). The port number is incremented for each newly integrated remote instance. |
6558 | TCP | | Event Console status port (can be optionally enabled) |
3.2. The central site
In principle, distributed monitoring is already possible without further aids such as tunneling if the central site can establish a connection to the remote sites. Accessibility of the central site by remote sites is only required for optional functionalities (e.g. Agent Bakery).
The following ports on the Checkmk server operating as a central site must be accessible by the associated remote sites to provide the described functionality.
Port | Protocol | Designation | Supplementary information |
---|---|---|---|
80 | TCP | Hypertext Transfer Protocol (HTTP) | For Agent Bakery and dynamic host management |
443 | TCP | Hypertext Transfer Protocol over SSL/TLS (HTTPS) | For Agent Bakery and dynamic host management, with transport encryption |
5671 | TCP | Advanced Message Queuing Protocol (AMQP) | A message broker is used to forward Piggyback data in distributed monitoring. The port number is incremented for each newly integrated remote instance. |
6555 | TCP | Notification spooler | The notification spooler is used to send notifications centrally, here when a connection is established by a remote site (can be optionally enabled) |

If the message broker RabbitMQ is used (currently only required for forwarding piggyback data in distributed monitoring), ensure star-shaped mutual accessibility of port 5671: Each remote site must be able to reach the central site and the central site must be able to reach each remote site. If meshed accessibility is also possible, where remote sites can reach each other directly, messages are transmitted via this direct route.
4. Local ports on the Checkmk server
The following ports are used by the Checkmk server on the local loopback interface. If you use a very strict firewall configuration on your Checkmk server, these ports must be enabled for incoming and outgoing communication on the IP address 127.0.0.1 (IPv4) or ::1 (IPv6).
Port | Protocol | Designation | Supplementary information |
---|---|---|---|
5000 | TCP | HTTP Site Apache | Each Checkmk site has its own Apache, which is accessed by the externally callable Apache as a reverse proxy. Additional sites use port 5001, etc. |
6558 | TCP | | Event Console status port (can be optionally enabled) |
14317 | TCP | OpenTelemetry management | Access to the management interface of the OpenTelemetry collector (can be optionally enabled on Checkmk Cloud and higher) is required for monitoring the collector. |
15671 | TCP | RabbitMQ Management | This port is used internally for the administration of the RabbitMQ message broker (currently only required for the forwarding of piggyback data in distributed monitoring). |
25672 | TCP | RabbitMQ Management | This port is used internally for the administration of the RabbitMQ message broker (see above). |
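
As an added example (not part of the Checkmk documentation), the following Python check reads `ss -tuln` output and reports any of the loopback-only ports from the table above that are listening on a non-loopback address. The sample output, the function names and the `extra_sites` parameter are constructed for illustration.

```python
import ipaddress
import re

# Default loopback-only TCP ports from the table above (single site).
LOOPBACK_ONLY = {
    5000: "HTTP Site Apache",
    6558: "Event Console status port",
    14317: "OpenTelemetry management",
    15671: "RabbitMQ Management",
    25672: "RabbitMQ Management",
}
LOCAL_RE = re.compile(r"^(\S+):(\d+)$")  # first addr:port field is the local one

# Constructed sample of `ss -tuln` output, not taken from a real system.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      511        127.0.0.1:5000      0.0.0.0:*
tcp   LISTEN 0      511            [::1]:5001         [::]:*
tcp   LISTEN 0      128          0.0.0.0:6556      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:6558      0.0.0.0:*
tcp   LISTEN 0      128                *:15671           *:*
tcp   LISTEN 0      128       192.0.2.10:25672     0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:14317     0.0.0.0:*
"""

def is_loopback(host):
    """True only for loopback addresses; wildcards count as exposed."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*" or anything unparseable: flag for review
        return False

def exposed_local_ports(ss_output, extra_sites=0):
    """Return (port, bind address, designation) for watched ports bound off-loopback."""
    watched = dict(LOOPBACK_ONLY)
    for n in range(1, extra_sites + 1):  # page: additional sites use 5001, etc.
        watched[5000 + n] = "HTTP Site Apache (additional site)"
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("udp"):
            continue  # the table lists TCP only
        match = next((m for m in map(LOCAL_RE.match, fields) if m), None)
        if match is None:
            continue  # header or unrelated line
        host, port = match.group(1), int(match.group(2))
        if port in watched and not is_loopback(host):
            findings.append((port, host, watched[port]))
    return sorted(findings)
```

A finding for port 6558 is expected where the Event Console status port has been deliberately opened to a central site, as listed in the chapter on remote sites.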
5. Local port on Windows hosts
The following port is used on Windows hosts in monitoring for communication between the two components, agent program and Agent Controller. If you use a very strict firewall configuration on the monitored host, this port must be enabled for incoming and outgoing communication on the IP address 127.0.0.1 (IPv4) or ::1 (IPv6).
Port | Protocol | Designation | Supplementary information |
---|---|---|---|
28250 | TCP | Checkmk agent | The agent program opens the port. The |
6. The Checkmk appliance cluster
You can combine two Checkmk appliances ('nodes') into a cluster. All configurations and data will then be synchronized between the two devices.
The following ports must be enabled for inbound and outbound communication for both nodes.
Attention! Since the communication between both appliances is unencrypted, you might need to take some measures to prevent unauthorized persons from intercepting the network traffic. For example, this could be a direct connection if both appliances are in a rack, or the use of an encrypted VLAN if physical proximity is not desired.
Port | Protocol | Designation | Supplementary information |
---|---|---|---|
3121 | TCP | Pacemaker | Pacemaker cluster resource manager |
4321 | UDP | Corosync | Corosync cluster engine |
4323 | UDP | Corosync | Corosync cluster engine |
7789 | TCP | DRBD | Synchronization of DRBD (Distributed Replicated Block Device) |
7. Accessible ports (outgoing)
You may need some additional ports reachable from the Checkmk server:
Port | Protocol | Designation | Supplementary information |
---|---|---|---|
53 | UDP | DNS | Name servers specified in the system settings must be reachable |
123 | UDP | NTP | Time synchronization |
25/465/587 | TCP | SMTP | Transmission of notifications from the Checkmk server via email (ports depending on the mail server configuration) |
443 | TCP | HTTPS | Communication with the license server (only commercial editions, Server: |
389/636 | TCP | LDAP | LDAP authentication (port 389 TCP, as LDAPS on port 636 TCP) |