Hitachi

JP1 Version 11 JP1/Performance Management - Remote Monitor for Virtual Machine Description, User's Guide and Reference


D.2 Firewall passage direction

Organization of this subsection

(1) Setting up the firewall passage direction

When PFM - Manager and PFM - RM for Virtual Machine are installed across a firewall, set fixed port numbers for all services of PFM - Manager and PFM - RM for Virtual Machine. For details, see the section describing the firewall passage direction in the manual JP1/Performance Management Reference.

(2) Setting up the firewall passage direction (in a logical host operation)

When PFM - Manager and PFM - RM for Virtual Machine are installed across a firewall, set fixed port numbers for all services of PFM - Manager and PFM - RM for Virtual Machine. Furthermore, open each port number in the direction shown in the table below so that all services can pass through the firewall.

Table D‒2: Firewall passage direction (between PFM - Manager and PFM - RM for Virtual Machine (in a logical host operation))

Service name                                       Parameter         Passage direction
Remote Monitor Store service (logical host)        jp1pcsto8[nnn]#   RM (logical host) ← Manager
Remote Monitor Collector service (logical host)    jp1pcagt8[nnn]#   RM (logical host) ← Manager

Legend:

Manager: PFM - Manager host

RM (logical host): PFM - RM host

←: Direction for starting communication (connection) from the item on the right to the item on the left

#

When multiple instances are created, serial numbers (nnn) are added to the second and subsequent instances. No serial number is added to the first instance created.

When communication (connection) is started, the side receiving the connection (the side to which the arrow points) uses the port number in Table D-1 as its receiving port. The connecting side uses a free (ephemeral) port number assigned by the OS; the range of port numbers used for this varies according to the OS.

For RM (logical host) ← Manager, set up the firewall to allow a connection from the ephemeral source port temporarily used by Manager to the fixed receiving port of the RM logical host. Because the source port is not predictable, the rule must match on the destination port only and must not restrict the source port.
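The following is an added example, not code from the JP1 manual or from Hitachi. It expands the rows of Table D-2 into the concrete Manager → RM (logical host) flows a firewall must allow, renders them as vendor-neutral stateful rules, and audits a candidate rule set for the three mistakes this subsection warns about: a missing flow, a pinned source port, and a rule in the wrong direction. The addresses, the port numbers and the three-digit form of the instance serial number (jp1pcsto8002) are assumptions of the example.

```python
"""Added example (not from the JP1 manual): expand the Table D-2 rows into the
concrete Manager -> RM (logical host) flows a firewall must allow, and audit a
candidate rule set against them. Addresses, port numbers and the three-digit
form of the instance serial number are assumptions of this example."""
from dataclasses import dataclass

# Port-parameter prefixes of Table D-2 and the services they belong to.
SERVICE_PREFIXES = {
    "jp1pcsto8": "Remote Monitor Store service (logical host)",
    "jp1pcagt8": "Remote Monitor Collector service (logical host)",
}


@dataclass(frozen=True)
class Flow:
    src: str       # host that starts the connection (right side of the arrow)
    dst: str       # host that receives it (left side of the arrow)
    dport: int     # fixed receiving port set for the parameter
    service: str


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: int
    sport: str = "any"   # "any" or a port number as text
    action: str = "allow"


def required_flows(manager_ip, rm_logical_ip, fixed_ports):
    """fixed_ports maps each port parameter (jp1pcsto8, jp1pcagt8, plus a
    serial number for the second and later instances) to its fixed port."""
    flows = []
    for param, port in sorted(fixed_ports.items()):
        prefix = next((p for p in SERVICE_PREFIXES if param.startswith(p)), None)
        if prefix is None:
            raise ValueError(f"{param}: not a Table D-2 port parameter")
        if not 1 <= port <= 65535:
            raise ValueError(f"{param}: port {port} is not a usable fixed port")
        # Direction is RM (logical host) <- Manager: Manager connects, RM listens.
        flows.append(Flow(manager_ip, rm_logical_ip, port,
                          f"{SERVICE_PREFIXES[prefix]} [{param}]"))
    return flows


def audit_ruleset(rules, flows):
    """Return the problems found; an empty list means every required flow is
    allowed in the right direction with an unrestricted source port."""
    problems = []
    for f in flows:
        matching = [r for r in rules if r.action == "allow" and r.src == f.src
                    and r.dst == f.dst and r.dport == f.dport]
        if not matching:
            problems.append(f"missing: {f.src} -> {f.dst}:{f.dport}/tcp ({f.service})")
        elif all(r.sport != "any" for r in matching):
            # Manager uses an OS-assigned ephemeral port, so pinning the
            # source port silently breaks the connection.
            problems.append(f"source port pinned for {f.service}; Manager uses an "
                            "OS-assigned ephemeral port, sport must be any")
    # A rule in the opposite direction is not needed for these services: the
    # reply returns over the established connection.
    reversed_flows = {(f.dst, f.src, f.dport) for f in flows}
    for r in rules:
        if r.action == "allow" and (r.src, r.dst, r.dport) in reversed_flows:
            problems.append(f"unneeded reverse rule {r.src} -> {r.dst}:{r.dport}; "
                            "Table D-2 direction is RM (logical host) <- Manager only")
    return problems


def render_rules(flows):
    """Vendor-neutral text for a stateful firewall; translate to your product."""
    lines = [f"allow tcp from {f.src} sport any to {f.dst} dport {f.dport}  # {f.service}"
             for f in flows]
    lines.append("allow established  # replies to Manager's ephemeral port use the state entry")
    return lines


# Constructed sample deployment (documentation addresses, assumed port numbers).
MANAGER_IP = "192.0.2.10"
RM_LOGICAL_IP = "192.0.2.20"      # address of the RM logical host, not the physical node
FIXED_PORTS = {"jp1pcsto8": 20001, "jp1pcagt8": 20002,        # first instance
               "jp1pcsto8002": 20003, "jp1pcagt8002": 20004}  # second instance (assumed nnn = 002)
GOOD_RULES = [Rule(MANAGER_IP, RM_LOGICAL_IP, p) for p in FIXED_PORTS.values()]
BAD_RULES = [Rule(MANAGER_IP, RM_LOGICAL_IP, 20001, sport="20001"),   # source port pinned
             Rule(MANAGER_IP, RM_LOGICAL_IP, 20003),
             Rule(MANAGER_IP, RM_LOGICAL_IP, 20004),                  # 20002 missing
             Rule(RM_LOGICAL_IP, MANAGER_IP, 20001)]                  # wrong direction

if __name__ == "__main__":
    flows = required_flows(MANAGER_IP, RM_LOGICAL_IP, FIXED_PORTS)
    print("\n".join(render_rules(flows)))
    for problem in audit_ruleset(BAD_RULES, flows):
        print("PROBLEM:", problem)
```

Run it on the RM logical host's planned rule set before cutting over; the audit deliberately treats a rule whose source port is pinned to the service port as a failure, since that is the usual way a "correctly opened" port still refuses Manager's connections.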

(3) Firewall passage direction during communication between PFM - RM for Virtual Machine and VMware

To collect VMware information, PFM - RM for Virtual Machine needs to communicate with VMware. Therefore, if there is a firewall between PFM - RM for Virtual Machine and VMware, set the firewall to permit communication over the port of the monitoring target set on the PFM - RM for Virtual Machine host. The communication direction between PFM - RM for Virtual Machine and VMware is shown below.

Passage direction

PFM - RM for Virtual Machine (Remote Monitor Collector service) → VMware

Legend:

→: Direction for starting communication (connection) from the item on the left to the item on the right

The table below shows port numbers that can be used for communication with a monitoring target. For details, see 2.1.4(5) Setting up monitoring targets.

Table D‒3: Port numbers that can be used for communication with a monitoring target

Description                 Setting item   Value that can be set   Default
VMware target port number   Port           0-65,535                Port = 0#

#

When Port = 0, the port number actually used depends on the Security value:

  • When the Security value is 0:

    Port = 80 (HTTP; the session to VMware is not encrypted)

  • When the Security value is not 0:

    Port = 443 (HTTPS)

(4) Firewall passage direction during communication between PFM - RM for Virtual Machine and Hyper-V

To collect Hyper-V information, it is necessary for PFM - RM for Virtual Machine to use WMI to communicate with Hyper-V. Therefore, when PFM - RM for Virtual Machine and Hyper-V are installed across a firewall, passage through the firewall must be enabled.

Passage direction

PFM - RM for Virtual Machine (Remote Monitor Collector service) → Hyper-V

Legend:

→: Direction for starting communication (for connecting) from the item on the left to the item on the right

WMI uses DCOM. Because DCOM uses dynamic port allocation, the dynamically allocated port used for DCOM must be able to pass through the firewall. For details about the setup method, see the firewall product's documentation or check with the firewall product's vendor.

Operation across a firewall is not recommended, because the WMI requests of PFM - RM for Virtual Machine cannot be distinguished from other DCOM traffic, so the dynamically allocated ports cannot be opened for PFM - RM for Virtual Machine alone. The following figure shows a recommended configuration.

Figure D‒1: Example of configuration where the port used for DCOM passes through a firewall

[Figure]

(5) Firewall passage direction during communication between PFM - RM for Virtual Machine and KVM

To collect KVM information, it is necessary for PFM - RM for Virtual Machine to communicate via SSH. Therefore, when PFM - RM for Virtual Machine and KVM are installed across a firewall, set the firewall to permit communication over the port of the monitoring target set on the PFM - RM for Virtual Machine host. The communication direction between PFM - RM for Virtual Machine and KVM is shown below.

Passage direction

PFM - RM for Virtual Machine (Remote Monitor Collector service) → KVM

Legend:

→: Direction for starting communication (for connecting) from the item on the left to the item on the right

The table below shows port numbers that can be used for communication with a monitoring target. For details, see 2.1.4(5) Setting up monitoring targets.

Table D‒4: Port numbers that can be used for communication with a monitoring target

Description                             Setting item   Value that can be set   Default
KVM port number for an SSH connection   Port           0-65,535                Port = 0#

#

When Port = 0, the system will actually use port number 22, which is the default port number for SSH communication.

(6) Firewall passage direction during communication between PFM - RM for Virtual Machine and logical partitioning feature

To collect information from the logical partitioning feature, PFM - RM for Virtual Machine communicates with hosts that have the logical partitioning feature over UDP. Therefore, if PFM - RM for Virtual Machine and hosts with the logical partitioning feature are deployed across a firewall, the firewall must be configured to allow this communication in both of the directions shown below (the reply returns to an OS-assigned port on the sending side, so the firewall must track the UDP exchange or allow the reply to any port).

Port number            Protocol type   Transmission type   Passage direction
623                    UDP             Unicast             LPAR Manager management command for logical partitioning feature → logical partitioning feature
Automatic (any port)   UDP             Unicast             LPAR Manager management command for logical partitioning feature ← logical partitioning feature

Legend:

→: Direction for starting communication (for connecting) from the item on the left to the item on the right

←: Direction for starting communication (connection) from the item on the right to the item on the left

(7) Firewall passage direction during communication between PFM - RM for Virtual Machine and Docker Engine

To collect Docker environment information, PFM - RM for Virtual Machine needs to communicate with Docker Engine. Therefore, when PFM - RM for Virtual Machine and the Docker environment are installed across a firewall, set the firewall to permit communication over the port of the monitoring target set on the PFM - RM for Virtual Machine host. The communication direction between PFM - RM for Virtual Machine and Docker Engine is shown below.

Passage direction

PFM - RM for Virtual Machine (Remote Monitor Collector service) → Docker Engine

Legend:

→: Direction for starting communication (for connecting) from the item on the left to the item on the right

The table below shows port numbers that can be used for communication with a monitoring target. For details, see 2.1.4(5) Setting up monitoring targets.

Table D‒5: Port numbers that can be used for communication with a monitoring target

Description                       Setting item   Value that can be set   Default
Docker Engine target port number  Port           0-65,535                Port = 0#

#

When Port = 0, Docker environment information cannot be collected; the TCP port on which Docker Engine listens must be specified. Docker Engine listens only on a local Unix socket by default, so the Docker host must be configured to accept connections on a TCP port, and that port should be protected with TLS client authentication because it gives full control of the daemon.
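The following is an added example, not code from the JP1 manual or from Hitachi. It serves subsections (3), (5), (6) and (7) together: it resolves the port actually used for each monitoring target from its Port and Security values (the footnotes of Tables D-3, D-4 and D-5), lists the outbound flows the firewall must pass from the PFM - RM for Virtual Machine host, including UDP 623 for the logical partitioning feature and the dynamic DCOM port for Hyper-V, and offers a TCP pre-flight check to run on the RM host before registering a target. The target addresses, the Docker Engine port 2376 and the `plan_egress` and `tcp_reachable` helper names are assumptions of the example.

```python
"""Added example (not from the JP1 manual): resolve the port actually used for
each monitoring target from its Port/Security values (Tables D-3, D-4, D-5 and
the UDP 623 of the logical partitioning feature), list the outbound flows the
firewall must pass from the PFM - RM for Virtual Machine host, and pre-check
TCP reachability before registering the target. Hosts and ports are assumed."""
import socket


def effective_target_port(target_type, port=0, security=1):
    """Apply the 'Port = 0' defaults of the tables. Raises ValueError when the
    target cannot be collected with that setting."""
    if not 0 <= port <= 65535:
        raise ValueError(f"{target_type}: port {port} outside 0-65535")
    if port != 0:
        return port
    if target_type == "vmware":
        return 80 if security == 0 else 443     # Table D-3 footnote
    if target_type == "kvm":
        return 22                               # Table D-4 footnote: SSH default
    if target_type == "docker":
        raise ValueError("docker: Port = 0 collects nothing; set Docker Engine's TCP port")
    raise ValueError(f"unknown target type {target_type!r}")


def plan_egress(rm_host, targets):
    """targets: list of dicts with keys type, host and optionally port, security.
    Returns (flows, problems); each flow is (proto, src, dst, dport, note)."""
    flows, problems = [], []
    for t in targets:
        kind, host = t["type"], t["host"]
        if kind == "lpar":
            # Request to UDP 623; the reply comes back to the OS-assigned source
            # port, so the firewall must track the exchange or allow any reply port.
            flows.append(("udp", rm_host, host, 623,
                          "LPAR Manager management command -> logical partitioning feature; reply to any RM port"))
        elif kind == "hyperv":
            # WMI over DCOM: a dynamically allocated port that cannot be pinned
            # from the PFM - RM side; the manual recommends not crossing a firewall.
            flows.append(("tcp", rm_host, host, "dynamic",
                          "WMI over DCOM (Remote Monitor Collector service -> Hyper-V)"))
            problems.append(f"{host}: DCOM uses dynamic ports; place PFM - RM on the "
                            "same side of the firewall as Hyper-V")
        else:
            security = t.get("security", 1)
            try:
                port = effective_target_port(kind, t.get("port", 0), security)
            except ValueError as err:
                problems.append(str(err))
                continue
            note = f"Remote Monitor Collector service -> {kind}"
            if kind == "vmware" and security == 0:
                note += " over plain HTTP (Security = 0, not encrypted)"
                problems.append(f"{host}: Security = 0 talks plain HTTP to VMware (no TLS); "
                                "prefer a non-zero Security value (HTTPS)")
            flows.append(("tcp", rm_host, host, port, note))
    return flows, problems


def tcp_reachable(host, port, timeout=3.0):
    """Pre-flight check to run on the PFM - RM host: can a TCP connection be
    opened through the firewall to the target port? (UDP 623 and the dynamic
    DCOM port cannot be verified this way.)"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample targets (documentation addresses, assumed ports).
RM_HOST = "192.0.2.20"
TARGETS = [
    {"type": "vmware", "host": "198.51.100.11", "port": 0, "security": 1},  # -> 443
    {"type": "vmware", "host": "198.51.100.12", "port": 0, "security": 0},  # -> 80, flagged
    {"type": "kvm",    "host": "198.51.100.21"},                            # -> 22
    {"type": "docker", "host": "198.51.100.31", "port": 2376},              # assumed Engine TCP port
    {"type": "docker", "host": "198.51.100.32"},                            # Port = 0: flagged
    {"type": "lpar",   "host": "198.51.100.41"},                            # UDP 623
    {"type": "hyperv", "host": "198.51.100.51"},                            # DCOM dynamic
]

if __name__ == "__main__":
    flows, problems = plan_egress(RM_HOST, TARGETS)
    for proto, src, dst, dport, note in flows:
        state = "" if proto != "tcp" or dport == "dynamic" else (
            "reachable" if tcp_reachable(dst, dport) else "BLOCKED or down")
        print(f"{proto} {src} -> {dst}:{dport}  {note}  {state}")
    for p in problems:
        print("PROBLEM:", p)
```

Run the script on the PFM - RM for Virtual Machine host with the real target list; a "BLOCKED or down" result for a TCP target means either the firewall does not pass the Remote Monitor Collector service → target direction for that port or the target service is not listening, both of which must be resolved before the monitoring target is set up.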