
1. Overview

For monitoring hosts and services as well as communication between different components of a Checkmk installation, Checkmk in many cases uses data transmission over TCP/IP or UDP/IP.

This article will give you an overview of which ports are needed for each type of communication. These ports must be enabled in the firewall configuration or bound to a container when Checkmk is used in that container.

The communication direction is incoming to the component mentioned in the chapter heading, unless otherwise mentioned.

Tip

The majority of port numbers listed here are standard ports. These can be manually changed to other ports at any time. Those ports that are not active by default, but instead must be enabled as needed, are additionally marked with a note.

2. Monitoring of hosts (agent, SNMP)

2.1. Monitored host

The following ports on monitored hosts must be accessible from the Checkmk server.

| Port | Protocol | Designation | Supplementary information |
|------|----------|-------------|---------------------------|
| 161 | UDP | Simple Network Management Protocol (SNMP) | Hosts monitored via SNMP receive the GET-REQUEST via this port. |
| 6556 | TCP | Agent | Hosts monitored via the Checkmk agent are queried over this port. Communication is TLS encrypted or in plain text (as for the Linux agent in legacy mode). |
| - | ICMP | Ping | Checkmk monitors the accessibility of hosts via ping. If this is not possible, the host state determination must be specified with the Host Check Command rule. |

Active checks directly access the ports of the monitored services, which must therefore also be accessible from the Checkmk server. Monitoring with special agents may require opening other/additional ports. For example, the special agent for VMware ESXi (as well as NetApp and many others) requires the opening of port 443 on the ESXi server.

2.2. The Checkmk server

The following ports on the Checkmk server must be accessible to the hosts in the monitoring.

| Port | Protocol | Designation | Supplementary information |
|------|----------|-------------|---------------------------|
| 80 | TCP | Hypertext Transfer Protocol (HTTP) | Agent Updater (Agent Bakery), Agent Controller port discovery |
| 162 | UDP | Simple Network Management Protocol Trap (SNMPTRAP) EC | Receive SNMP traps via Event Console (can be optionally enabled) |
| 443 | TCP | Hypertext Transfer Protocol over SSL/TLS (HTTPS) | Agent Updater (Agent Bakery), Agent Controller port discovery, with transport encryption |
| 514 | TCP and UDP | Syslog (EC) | Receive syslog messages via the Event Console (can be optionally enabled) |
| 4317 | TCP | OpenTelemetry (over gRPC) | Receive OpenTelemetry metrics (can be optionally enabled on Checkmk Cloud and higher) |
| 4318 | TCP | OpenTelemetry (over HTTP/HTTPS) | Receive OpenTelemetry metrics (can be optionally enabled on Checkmk Cloud and higher) |
| 6559 | UDP | Real-time checks | Receive UDP packets for real-time checks of individual services (rarely used, can be optionally enabled) |
| 8000 | TCP | Agent Controller TLS registration, agents in push mode | If multiple sites are running on the Checkmk server, additional ports (8001, 8002…) may be needed. |

The TLS registration of agents uses the REST API on port 80/443 to discover the port to register (normally 8000 TCP). If both ports are unreachable, the port can be specified via a command line option. If port 8000 is unreachable, a registration by proxy can be performed through other hosts in the monitoring.
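The table above turned into a least-privilege allowlist, as an added example (not Checkmk code): the Python below emits nftables rule lines for inbound traffic on the Checkmk server, limited to the network the monitored hosts live in. The function name, the feature labels, keeping port 80 closed unless requested, and the assumption that each additional site takes the next port after 8000 are choices of this example.

```python
import ipaddress

# (port, protocols, feature) from the table in section 2.2. feature=None means
# always open; the feature names are labels invented for this example.
SERVER_INBOUND = [
    (443, ("tcp",), None),
    (80, ("tcp",), "plain_http"),   # example's choice: opt-in, 443 covers the same uses
    (162, ("udp",), "snmptrap"),
    (514, ("tcp", "udp"), "syslog"),
    (4317, ("tcp",), "otel_grpc"),
    (4318, ("tcp",), "otel_http"),
    (6559, ("udp",), "realtime"),
]
RECEIVER_BASE = 8000  # Agent Controller TLS registration, agents in push mode


def server_inbound_rules(monitored_net, sites=1, enabled=()):
    """Return nft rule lines that accept only the needed ports from monitored_net."""
    net = ipaddress.ip_network(monitored_net)   # ValueError on malformed input
    family = "ip" if net.version == 4 else "ip6"
    unknown = set(enabled) - {f for _, _, f in SERVER_INBOUND if f}
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")

    ports = {"tcp": set(), "udp": set()}
    for port, protos, feature in SERVER_INBOUND:
        if feature is None or feature in enabled:
            for proto in protos:
                ports[proto].add(port)
    # Assumption: one receiver port per site, numbered 8000, 8001, ...
    ports["tcp"].update(range(RECEIVER_BASE, RECEIVER_BASE + sites))

    rules = []
    for proto in ("tcp", "udp"):
        if ports[proto]:   # emit no rule at all for a protocol with nothing enabled
            plist = ", ".join(str(p) for p in sorted(ports[proto]))
            rules.append(f"{family} saddr {net} {proto} dport {{ {plist} }} accept")
    return rules


if __name__ == "__main__":
    # 192.0.2.0/24 is a documentation range standing in for the monitored network.
    for rule in server_inbound_rules("192.0.2.0/24", sites=2, enabled={"syslog"}):
        print(rule)
```

The lines are meant for an input chain whose policy is drop, so every optional port that is not explicitly enabled stays closed.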

3. Distributed monitoring

3.1. Remote sites

The following ports on remote sites must be accessible from the Checkmk server operating as the central site.

| Port | Protocol | Name | Supplementary information |
|------|----------|------|---------------------------|
| 80 | TCP | Hypertext Transfer Protocol (HTTP) | Synchronization in distributed monitoring |
| 443 | TCP | Hypertext Transfer Protocol over SSL/TLS (HTTPS) | Synchronization in distributed monitoring, with transport encryption |
| 5671 | TCP | Advanced Message Queuing Protocol (AMQP) | A message broker is used to forward Piggyback data in distributed monitoring. The port number is incremented for each newly integrated remote instance. |
| 6555 | TCP | Notification spooler | The notification spooler is used to send notifications centrally, here when a connection is established by the central site (can be optionally enabled) |
| 6557 | TCP | Livestatus | If multiple sites are running on the Checkmk server, additional ports may be required (can be optionally enabled). The port number is incremented for each newly integrated remote instance. |
| 6558 | TCP | Event Console status port (can be optionally enabled) | |

3.2. The central site

In principle, distributed monitoring is already possible without further aids such as tunneling if the central site can establish a connection to the remote sites. Accessibility of the central site by remote sites is only required for optional functionalities (e.g. Agent Bakery).

The following ports on the Checkmk server operating as a central site must be accessible by the associated remote sites to provide the described functionality.

| Port | Protocol | Designation | Supplementary information |
|------|----------|-------------|---------------------------|
| 80 | TCP | Hypertext Transfer Protocol (HTTP) | For Agent Bakery and dynamic host management |
| 443 | TCP | Hypertext Transfer Protocol over SSL/TLS (HTTPS) | For Agent Bakery and dynamic host management, with transport encryption |
| 5671 | TCP | Advanced Message Queuing Protocol (AMQP) | A message broker is used to forward Piggyback data in distributed monitoring. The port number is incremented for each newly integrated remote instance. |
| 6555 | TCP | Notification spooler | The notification spooler is used to send notifications centrally, here when a connection is established by a remote site (can be optionally enabled) |

Tip

If the message broker RabbitMQ is used (currently only required for forwarding piggyback data in distributed monitoring), ensure star-shaped mutual accessibility of port 5671: Each remote site must be able to reach the central site and the central site must be able to reach each remote site. If meshed accessibility is also possible, where remote sites can reach each other directly, messages are transmitted via this direct route.

4. Local ports on the Checkmk server

The following ports are used by the Checkmk server on the local loopback interface. If you use a very strict firewall configuration on your Checkmk server, these ports must be enabled for incoming and outgoing communication on the IP address 127.0.0.1 (IPv4) or ::1 (IPv6).

| Port | Protocol | Designation | Supplementary information |
|------|----------|-------------|---------------------------|
| 5000 | TCP | HTTP Site Apache | Each Checkmk site has its own Apache, which is accessed by the externally callable Apache as a reverse proxy. Additional sites use port 5001, etc. |
| 6558 | TCP | Event Console status port (can be optionally enabled) | |
| 14317 | TCP | OpenTelemetry management | Access to the management interface of the OpenTelemetry collector (can be optionally enabled on Checkmk Cloud and higher) is required for monitoring the collector. |
| 15671 | TCP | RabbitMQ Management | This port is used internally for the administration of the RabbitMQ message broker (currently only required for the forwarding of piggyback data in distributed monitoring). |
| 25672 | TCP | RabbitMQ Management | This port is used internally for the administration of the RabbitMQ message broker (see above). |
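A check that the ports in this section really are confined to loopback, as an added example (not Checkmk code): the Python below parses the output of `ss -Htln` and reports any listener on one of these ports that is bound to a non-loopback address. The function names and the sample output are constructed for this example; port 6558 is left out deliberately because section 3.1 also lists it as reachable from the central site.

```python
import ipaddress

# Ports section 4 lists for the loopback interface. 6558 is omitted on purpose:
# section 3.1 allows it to be reachable from the central site when enabled.
LOOPBACK_ONLY = {5000: "site Apache", 14317: "OpenTelemetry management",
                 15671: "RabbitMQ management", 25672: "RabbitMQ management"}

# Constructed sample of `ss -Htln` output (not captured from a real system).
SAMPLE = """
LISTEN 0 511 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:5001 0.0.0.0:*
LISTEN 0 128 0.0.0.0:15671 0.0.0.0:*
LISTEN 0 128 [::1]:25672 [::]:*
LISTEN 0 4096 *:8000 *:*
LISTEN 0 128 127.0.0.1%lo:14317 0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Yield (address, port) for every LISTEN line; skip anything else."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # last colon separates the port
        addr = addr.strip("[]").split("%")[0]       # drop IPv6 brackets and %iface
        yield addr, int(port)


def is_loopback(addr):
    if addr == "*":   # ss prints * for a wildcard socket
        return False
    return ipaddress.ip_address(addr).is_loopback


def exposed_local_ports(ss_output, sites=1):
    """Return sorted (port, address, purpose) for loopback ports bound elsewhere."""
    expected = dict(LOOPBACK_ONLY)
    for n in range(1, sites):          # additional sites use 5001, 5002, ...
        expected[5000 + n] = "site Apache"
    return sorted((port, addr, expected[port])
                  for addr, port in parse_listeners(ss_output)
                  if port in expected and not is_loopback(addr))


if __name__ == "__main__":
    for finding in exposed_local_ports(SAMPLE, sites=2):
        print("bound beyond loopback:", finding)
```

A finding means the host firewall is the only thing keeping that internal port off the network, which is worth correcting at the bind address rather than relying on filtering alone.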

5. Local port on Windows hosts

The following port is used on Windows hosts in monitoring for communication between the two components, the agent program and the Agent Controller. If you use a very strict firewall configuration on the monitored host, this port must be enabled for incoming and outgoing communication on the IP address 127.0.0.1 (IPv4) or ::1 (IPv6).

| Port | Protocol | Designation | Supplementary information |
|------|----------|-------------|---------------------------|
| 28250 | TCP | Checkmk agent | The agent program opens the port. The cmk-agent-ctl.exe Agent Controller responsible for encrypted communication with the Checkmk server accesses it. |

6. The Checkmk appliance cluster

You can combine two Checkmk appliances ('nodes') into a cluster. All configurations and data will then be synchronized between the two devices.

The following ports must be enabled for inbound and outbound communication for both nodes.

Attention! Since the communication between both appliances is unencrypted, you might need to take some measures to prevent unauthorized persons from intercepting the network traffic. For example, this could be a direct connection if both appliances are in a rack, or the use of an encrypted VLAN if physical proximity is not desired.

| Port | Protocol | Designation | Supplementary information |
|------|----------|-------------|---------------------------|
| 3121 | TCP | Pacemaker | Pacemaker cluster resource manager |
| 4321 | UDP | Corosync | Corosync cluster engine |
| 4323 | UDP | Corosync | Corosync cluster engine |
| 7789 | TCP | DRBD | Synchronization of DRBD (Distributed Replicated Block Device) |

7. Accessible ports (outgoing)

You may need some additional ports reachable from the Checkmk server:

| Port | Protocol | Designation | Supplementary information |
|------|----------|-------------|---------------------------|
| 53 | UDP | DNS | Name servers specified in the system settings must be reachable |
| 123 | UDP | NTP | Time synchronization |
| 25/465/587 | TCP | SMTP | Transmission of notifications from the Checkmk server via email (ports depending on the mail server configuration) |
| 443 | TCP | HTTPS | Communication with the license server (only commercial editions, Server: license.checkmk.com, alternative: manual submission) |
| 389/636 | TCP | LDAP | LDAP authentication (port 389 TCP, as LDAPS on port 636 TCP) |
