When planning discovery, consider the following network security-related features:

- Firewall ports: If a firewall exists between any portions of the management infrastructure, certain TCP and UDP ports in the firewall must be opened for proper communications during discovery and for other communications:
  - SNMP polls: port 161
  - SNMP traps: port 162
  - Broker: port 426
  - License Manager: port 1744
  - Domain Manager: one port each, which can be configured
  - Adapters, including the Syslog Adapter and the SNMP Trap Adapter (Receiver). “Deploying Syslog Processing” on page 85 and “Deploy trap processing” on page 133 provide more information about the Syslog Adapter and the SNMP Trap Adapter.

  Document the opened ports in the deployment build guide.
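The port list above is the kind of thing that gets transcribed into a build guide and then drifts from the actual firewall configuration. The following Python is an added example, not code from the product documentation: it audits a constructed first-match rule set against the fixed ports named here (UDP 161/162, TCP 426, TCP 1744) plus whatever Domain Manager ports the deployment configured, renders the table for the build guide, and offers a live TCP probe for the TCP listeners. The `Rule` format, the `REQUIRED_PORTS` table and the sample rules are assumptions for illustration.

```python
"""Audit firewall rules against the ports that discovery needs.

Added example (not from the product documentation). The rule format and the
required-port table are assumptions for illustration; Domain Manager ports are
configurable, so the caller supplies them.
"""
import socket
import threading
from dataclasses import dataclass

# Fixed ports named in the planning text. Domain Manager ports are configurable
# and are passed in separately.
REQUIRED_PORTS = {
    ("udp", 161): "SNMP polls",
    ("udp", 162): "SNMP traps",
    ("tcp", 426): "Broker",
    ("tcp", 1744): "License Manager",
}


@dataclass(frozen=True)
class Rule:
    proto: str    # "tcp" or "udp"
    port: int
    action: str   # "permit" or "deny"


def required_ports(domain_manager_ports=()):
    """Fixed ports plus one TCP entry per configured Domain Manager port."""
    table = dict(REQUIRED_PORTS)
    for p in domain_manager_ports:
        table[("tcp", p)] = "Domain Manager"
    return table


def missing_ports(rules, domain_manager_ports=()):
    """Return {(proto, port): purpose} for required ports that no permit rule covers.

    Rules are evaluated first-match, as most firewalls do; a port with no
    matching rule is treated as implicitly denied.
    """
    missing = {}
    for (proto, port), purpose in required_ports(domain_manager_ports).items():
        verdict = "deny"
        for r in rules:
            if r.proto == proto and r.port == port:
                verdict = r.action
                break
        if verdict != "permit":
            missing[(proto, port)] = purpose
    return missing


def build_guide_lines(rules, domain_manager_ports=()):
    """Render the port table for the deployment build guide, one line per port."""
    needed = required_ports(domain_manager_ports)
    gaps = missing_ports(rules, domain_manager_ports)
    lines = []
    for (proto, port), purpose in sorted(needed.items()):
        status = "MISSING" if (proto, port) in gaps else "open"
        lines.append(f"{proto.upper():3} {port:5d}  {purpose:16} {status}")
    return lines


def tcp_reachable(host, port, timeout=2.0):
    """Live check for a TCP listener (Broker, License Manager, Domain Manager).

    UDP 161/162 cannot be verified with a connect; an SNMP GET against the
    device is needed for those.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def start_local_listener():
    """Constructed stand-in for a listening Broker on 127.0.0.1 (self-test only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_once():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=accept_once, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed rule set: polls and Broker permitted, traps explicitly denied,
    # License Manager absent (implicit deny), one Domain Manager on 9001 (assumed).
    rules = [Rule("udp", 161, "permit"), Rule("udp", 162, "deny"), Rule("tcp", 426, "permit")]
    for line in build_guide_lines(rules, domain_manager_ports=(9001,)):
        print(line)
    print("local TCP probe:", tcp_reachable("127.0.0.1", start_local_listener()))
```

Run the script and paste the printed table into the build guide; any `MISSING` row is either a firewall change request or a deliberate exception that should be recorded next to the port.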
- Use of access lists: If access lists are used, the IP addresses of servers that are running products must be added to the access list of devices that will communicate with the products.

- Use of SNMP versions and their respective security capabilities: The version of SNMP that is used to communicate with the network devices can provide dramatically different levels of security. With SNMPv1 or v2c, the security is provided through the use of SNMP community strings. To properly configure the , you must know the SNMP read community strings for all SNMPv1/v2c devices that will be managed.

  For communications to devices using SNMPv3, the requirements are much greater. Obtain values for these configuration parameters for each SNMPv3 device:
  - SNMPv3 username
  - SNMP engine ID (optional)
  - Authentication protocol and password
  - Privacy protocol and password
  - Context name, if used
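Gathering these values across many devices is error-prone, and a half-filled SNMPv3 record (a privacy protocol with no authentication, or a protocol name without its password) only fails at discovery time. The following Python is an added example, not code from the product documentation: it models the credential inventory as device records, derives the USM security level (noAuthNoPriv, authNoPriv, authPriv) from which credentials are present, and reports every record that is not complete enough to manage the device. The `SnmpDevice` layout, the sample addresses and the default-community check are assumptions added here.

```python
"""Check that the SNMP credentials gathered for discovery are complete.

Added example, not from the product documentation. The device record layout
is an assumption; the required fields follow the planning list above.
"""
from dataclasses import dataclass
from typing import Optional

# USM security levels, derived from which credentials are present.
NO_AUTH_NO_PRIV = "noAuthNoPriv"
AUTH_NO_PRIV = "authNoPriv"
AUTH_PRIV = "authPriv"


@dataclass
class SnmpDevice:
    address: str
    version: str                        # "v1", "v2c" or "v3"
    community: Optional[str] = None     # v1/v2c read community string
    username: Optional[str] = None      # v3
    engine_id: Optional[str] = None     # v3, optional
    auth_protocol: Optional[str] = None
    auth_password: Optional[str] = None
    priv_protocol: Optional[str] = None
    priv_password: Optional[str] = None
    context_name: Optional[str] = None  # v3, only if the device uses contexts


def security_level(dev):
    """Map a v3 credential set to its USM level, or None when it is inconsistent."""
    has_auth = bool(dev.auth_protocol and dev.auth_password)
    has_priv = bool(dev.priv_protocol and dev.priv_password)
    if has_priv and not has_auth:
        return None            # USM defines no "privacy without authentication" level
    if has_priv:
        return AUTH_PRIV
    if has_auth:
        return AUTH_NO_PRIV
    return NO_AUTH_NO_PRIV


def validate(dev):
    """Return a list of problems with one device record; empty means it is complete."""
    problems = []
    if dev.version in ("v1", "v2c"):
        if not dev.community:
            problems.append("read community string missing")
        elif dev.community.lower() in ("public", "private"):
            # Added check: a vendor default community gives no real access control.
            problems.append("read community string is a well-known default")
    elif dev.version == "v3":
        if not dev.username:
            problems.append("SNMPv3 username missing")
        if bool(dev.auth_protocol) != bool(dev.auth_password):
            problems.append("authentication protocol and password must both be set")
        if bool(dev.priv_protocol) != bool(dev.priv_password):
            problems.append("privacy protocol and password must both be set")
        if security_level(dev) is None:
            problems.append("privacy without authentication is not a valid USM level")
    else:
        problems.append(f"unknown SNMP version {dev.version!r}")
    return problems


def audit(devices):
    """{address: problems} for every device that is not ready for discovery."""
    return {d.address: p for d in devices if (p := validate(d))}


if __name__ == "__main__":
    # Constructed inventory (addresses and credentials are placeholders).
    inventory = [
        SnmpDevice("10.0.0.1", "v3", username="discover", auth_protocol="SHA",
                   auth_password="auth-secret", priv_protocol="AES",
                   priv_password="priv-secret", context_name="vrf-mgmt"),
        SnmpDevice("10.0.0.2", "v3", username="discover",
                   priv_protocol="AES", priv_password="priv-secret"),
        SnmpDevice("10.0.0.3", "v2c", community="public"),
    ]
    for addr, probs in audit(inventory).items():
        print(addr, "->", "; ".join(probs))
```

The engine ID and context name are accepted but never required, matching the list above; everything else that the planning list calls for must be present in a consistent pair before the record passes.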