1. Overview

Checkmk in many cases uses data transmission over TCP/IP or UDP/IP, both to monitor hosts and services and for communication between the different components of a Checkmk installation.

This article gives an overview of which ports are needed for each type of communication. These ports must be enabled in the firewall configuration, or bound to the container when Checkmk runs in a container.

The communication direction is incoming to the component named in the chapter heading, unless stated otherwise.

Note: The majority of port numbers listed here are standard ports. These can be manually changed to other ports at any time. Those ports that are not active by default, but instead must be enabled as needed, are additionally marked with a note.

2. Monitoring of hosts (agent, SNMP)

2.1. Monitored host

The following ports on monitored hosts must be accessible from the Checkmk server.

| Port | Protocol | Designation | Supplementary information |
|------|----------|-------------|---------------------------|
| 161 | UDP | Simple Network Management Protocol (SNMP) | Hosts monitored via SNMP receive the GET-REQUEST via this port. |
| 6556 | TCP | Agent | Hosts monitored via the Checkmk agent are queried over this port. Communication is TLS encrypted or in plain text (as for the Linux agent in legacy mode). |
| - | ICMP | Ping | Checkmk monitors the accessibility of hosts via ping. If this is not possible, the host state determination must be specified with the Host Check Command rule. |

Active checks directly access the ports of the monitored services, which must therefore also be accessible from the Checkmk server. Monitoring with special agents may require opening other/additional ports. For example, the special agent for VMware ESXi (as well as NetApp and many others) requires the opening of port 443 on the ESXi server.

2.2. The Checkmk server

The following ports on the Checkmk server must be accessible to the hosts in the monitoring.

| Port | Protocol | Designation | Supplementary information |
|------|----------|-------------|---------------------------|
| 80 | TCP | Hypertext Transfer Protocol (HTTP) | Agent Updater (Agent Bakery), Agent Controller port discovery |
| 162 | UDP | Simple Network Management Protocol Trap (SNMPTRAP) EC | Receive SNMP traps via Event Console (can be optionally enabled) |
| 443 | TCP | Hypertext Transfer Protocol over SSL/TLS (HTTPS) | Agent Updater (Agent Bakery), Agent Controller port discovery, with transport encryption |
| 514 | TCP and UDP | Syslog (EC) | Receive syslog messages via the Event Console (can be optionally enabled) |
| 6559 | UDP | Real-time checks | Receive UDP packets for real-time checks of individual services (rarely used, can be optionally enabled) |
| 8000 | TCP | Agent Controller TLS registration (all editions), agents in push mode (Cloud Edition) | If multiple sites are running on the Checkmk server, additional ports (8001, 8002…) may be needed. |

The TLS registration of agents uses the REST API on port 80/443 to discover the port to use for registration (normally 8000 TCP). If both ports are unreachable, the port can be specified via a command line option. If port 8000 is unreachable, a registration by proxy can be performed through other hosts in the monitoring.

3. Distributed monitoring

3.1. Remote sites

The following ports on remote sites must be accessible from the Checkmk server operating as the central site.

| Port | Protocol | Name | Supplementary information |
|------|----------|------|---------------------------|
| 80 | TCP | HTTP (Hypertext Transfer Protocol) | Synchronization in distributed monitoring |
| 443 | TCP | Hypertext Transfer Protocol over SSL/TLS (HTTPS) | Synchronization in distributed monitoring, with transport encryption |
| 6555 | TCP | Notification spooler | The notification spooler is used to send notifications centrally, here when a connection is established by the central site (can be optionally enabled) |
| 6557 | TCP | Livestatus | If multiple sites are running on the Checkmk server, additional ports may be required (can be optionally enabled) |
| 6558 | TCP | Event Console status port (can be optionally enabled) | |

3.2. The central site

In principle, distributed monitoring is already possible without further aids such as tunneling if the central site can establish a connection to the remote sites. Accessibility of the central site by remote sites is only required for optional functionalities (e.g. Agent Bakery).

The following ports on the Checkmk server operating as a central site must be accessible by the associated remote sites to provide the described functionality.

| Port | Protocol | Designation | Supplementary information |
|------|----------|-------------|---------------------------|
| 80 | TCP | Hypertext Transfer Protocol (HTTP) | For Agent Bakery and dynamic host configuration |
| 443 | TCP | Hypertext Transfer Protocol over SSL/TLS (HTTPS) | For Agent Bakery and dynamic host configuration, with transport encryption |
| 6555 | TCP | Notification spooler | The notification spooler is used to send notifications centrally, here when a connection is established by a remote site (can be optionally enabled) |
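An added example, not part of the Checkmk documentation: a POSIX shell function that prints nftables rule lines for the roles in sections 2 and 3, limiting each port to one source address or network and leaving the optionally enabled ports closed unless requested. The function name `cmk_rules`, the role names and the sample addresses are assumptions; the port numbers are the defaults from the tables, and the rule lines are meant for an input chain you already maintain.

```shell
#!/bin/sh
# Added example: print nftables rule lines for one Checkmk role.
# Ports are the defaults from the tables above; paste the output into your
# own input chain. Role names and cmk_rules are assumptions of this example.

# "proto/port" lists. *_OPT ports are the ones marked "can be optionally enabled".
HOST_PORTS="udp/161 tcp/6556"
SERVER_PORTS="tcp/80 tcp/443 tcp/8000"      # add tcp/8001... for further sites
SERVER_OPT="udp/162 tcp/514 udp/514 udp/6559"
REMOTE_PORTS="tcp/80 tcp/443"
REMOTE_OPT="tcp/6555 tcp/6557 tcp/6558"
CENTRAL_PORTS="tcp/80 tcp/443"
CENTRAL_OPT="tcp/6555"

# cmk_rules ROLE SOURCE [optional]
#   ROLE   host | server | remote | central (whose firewall the rules are for)
#   SOURCE address or network allowed to connect (the peer from the tables)
cmk_rules() {
    role=$1; src=$2; want_opt=${3:-}
    case $src in
        *:*) fam=ip6; ping="icmpv6 type echo-request" ;;
        *)   fam=ip;  ping="icmp type echo-request" ;;
    esac
    case $role in
        host)    ports=$HOST_PORTS;    opt="" ;;
        server)  ports=$SERVER_PORTS;  opt=$SERVER_OPT ;;
        remote)  ports=$REMOTE_PORTS;  opt=$REMOTE_OPT ;;
        central) ports=$CENTRAL_PORTS; opt=$CENTRAL_OPT ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    if [ "$want_opt" = optional ]; then
        ports="$ports $opt"
    fi
    for p in $ports; do
        echo "$fam saddr $src ${p%/*} dport ${p#*/} accept"
    done
    # Monitored hosts must also answer the server's ping (section 2.1).
    if [ "$role" = host ]; then
        echo "$fam saddr $src $ping accept"
    fi
    return 0
}

# Constructed sample addresses (documentation ranges):
cmk_rules host 192.0.2.10
cmk_rules server 198.51.100.0/24 optional
```

If your sites use only HTTPS, drop `tcp/80` from the lists before generating rules.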

4. Local ports on the Checkmk server

The following ports are used by the Checkmk server on the local loopback interface. If you use a very strict firewall configuration on your Checkmk server, these ports must be enabled for incoming and outgoing communication on the IP address 127.0.0.1 (IPv4) or ::1 (IPv6).

| Port | Protocol | Designation | Supplementary information |
|------|----------|-------------|---------------------------|
| 5000 | TCP | HTTP Site Apache | Each Checkmk site has its own Apache, which is accessed by the externally callable Apache as a reverse proxy. Additional sites use port 5001, etc. |
| 6558 | TCP | Event Console status port (can be optionally enabled) | |

5. Local port on Windows hosts

The following port is used on Windows hosts in the monitoring for communication between the two components, the agent program and the Agent Controller. If you use a very strict firewall configuration on the monitored host, this port must be enabled for incoming and outgoing communication on the IP address 127.0.0.1 (IPv4) or ::1 (IPv6).

| Port | Protocol | Designation | Supplementary information |
|------|----------|-------------|---------------------------|
| 28250 | TCP | Checkmk agent | The agent program opens the port. The cmk-agent-ctl.exe Agent Controller responsible for encrypted communication with the Checkmk server accesses it. |

6. The Checkmk appliance cluster

You can combine two Checkmk appliances ('nodes') into a cluster. All configurations and data will then be synchronized between the two devices.

The following ports must be enabled for inbound and outbound communication for both nodes.

Attention! Since the communication between both appliances is unencrypted, you might need to take some measures to prevent unauthorized persons from intercepting the network traffic. For example, this could be a direct connection if both appliances are in a rack, or the use of an encrypted VLAN if physical proximity is not desired.

| Port | Protocol | Designation | Supplementary information |
|------|----------|-------------|---------------------------|
| 3121 | TCP | Pacemaker | Pacemaker cluster resource manager |
| 4321 | UDP | Corosync | Corosync cluster engine |
| 4323 | UDP | Corosync | Corosync cluster engine |
| 7789 | TCP | DRBD | Synchronization of DRBD (Distributed Replicated Block Device) |

7. Outgoing ports

You may need some additional outgoing ports from the Checkmk server:

  • SMTP to send notifications from the Checkmk server via email (port 25, 465 or 587 TCP depending on the mail server configuration)

  • NTP time synchronization (port 123 UDP)

  • DNS (port 53 UDP)

  • LDAP authentication (port 389 TCP, as LDAPS on port 636 TCP)