D.2 Firewall passage direction
(1) Setting up the firewall passage direction
When PFM - Manager and PFM - RM for Virtual Machine are installed across a firewall, set up fixed port numbers for all services of PFM - Manager and PFM - RM for Virtual Machine. For more details, see the section describing the firewall passage direction in the manual JP1/Performance Management Reference.
(2) Firewall passage direction during communication between PFM - RM for Virtual Machine and VMware
To collect VMware information, PFM - RM for Virtual Machine needs to communicate with VMware. Therefore, if there is a firewall between PFM - RM for Virtual Machine and VMware, set the firewall to permit communication over the port of the monitoring target set on the PFM - RM for Virtual Machine host. The communication direction between PFM - RM for Virtual Machine and VMware is shown below.
| Passage direction |
|---|
| PFM - RM for Virtual Machine (Remote Monitor Collector service) → VMware |

- Legend:
  - →: Direction for starting communication (connection) from the item on the left to the item on the right
The table below shows port numbers that can be used for communication with a monitoring target. For details, see 2.1.4(4) Setting up monitoring targets.
| Description | Setting item | Value that can be set | Default |
|---|---|---|---|
| VMware target port number | Port | 0-65,535 | Port = 0# |

- #: When Port = 0, the system will actually use port number 443, which is the default port number for HTTPS communication.
(3) Firewall passage direction during communication between PFM - RM for Virtual Machine and Hyper-V
To collect Hyper-V information, it is necessary for PFM - RM for Virtual Machine to use WMI to communicate with Hyper-V. Therefore, when PFM - RM for Virtual Machine and Hyper-V are installed across a firewall, passage through the firewall must be enabled.
| Passage direction |
|---|
| PFM - RM for Virtual Machine (Remote Monitor Collector service) → Hyper-V |

- Legend:
  - →: Direction for starting communication (for connecting) from the item on the left to the item on the right
WMI uses DCOM. Because DCOM uses dynamic port allocation, the port used for DCOM must pass through the firewall. For details about the setup method, see the firewall product's documentation or check with the firewall product's developer.
Operation via a firewall is not suitable because individual WMI and DCOM requests cannot be separated. The following figure shows a recommended configuration.
(4) Firewall passage direction during communication between PFM - RM for Virtual Machine and KVM
To collect KVM information, it is necessary for PFM - RM for Virtual Machine to communicate via SSH. Therefore, when PFM - RM for Virtual Machine and KVM are installed across a firewall, set the firewall to permit communication over the port of the monitoring target set on the PFM - RM for Virtual Machine host. The communication direction between PFM - RM for Virtual Machine and KVM is shown below.
| Passage direction |
|---|
| PFM - RM for Virtual Machine (Remote Monitor Collector service) → KVM |

- Legend:
  - →: Direction for starting communication (for connecting) from the item on the left to the item on the right
The table below shows port numbers that can be used for communication with a monitoring target. For details, see 2.1.4(4) Setting up monitoring targets.
| Description | Setting item | Value that can be set | Default |
|---|---|---|---|
| KVM port number for an SSH connection | Port | 0-65,535 | Port = 0# |

- #: When Port = 0, the system will actually use port number 22, which is the default port number for SSH communication.
(5) Firewall passage direction during communication between PFM - RM for Virtual Machine and Docker Engine
To collect Docker environment information, it is necessary for PFM - RM for Virtual Machine to communicate via Docker Engine. Therefore, when PFM - RM for Virtual Machine and the Docker environment are installed across a firewall, set the firewall to permit communication over the port of the monitoring target set on the PFM - RM for Virtual Machine host. The communication direction between PFM - RM for Virtual Machine and Docker Engine is shown below.
| Passage direction |
|---|
| PFM - RM for Virtual Machine (Remote Monitor Collector service) → Docker Engine |

- Legend:
  - →: Direction for starting communication (for connecting) from the item on the left to the item on the right
The table below shows port numbers that can be used for communication with a monitoring target. For details, see 2.1.4(4) Setting up monitoring targets.
| Description | Setting item | Value that can be set | Default |
|---|---|---|---|
| Docker Engine target port number | Port | 0-65,535 | Port = 0# |

- #: When Port = 0, the Docker environment information cannot be collected. The port number of Docker Engine must be specified.
(6) Firewall passage direction during communication between PFM - RM for Virtual Machine and Podman environment
To collect Podman environment information, it is necessary for PFM - RM for Virtual Machine to communicate via SSH. Therefore, when PFM - RM for Virtual Machine and the Podman environment are installed across a firewall, set the firewall to permit communication over the port of the monitoring target set on the PFM - RM for Virtual Machine host. The communication direction between PFM - RM for Virtual Machine and the Podman environment is shown below.
| Passage direction |
|---|
| PFM - RM for Virtual Machine (Remote Monitor Collector service) → Podman environment |

- Legend:
  - →: Direction for starting communication (for connecting) from the item on the left to the item on the right
The table below shows port numbers that can be used for communication with a monitoring target. For details, see 2.1.4(4) Setting up monitoring targets.
| Description | Setting item | Value that can be set | Default |
|---|---|---|---|
| Podman environment port number for an SSH connection | Port | 0-65,535 | Port = 0# |

- #: When Port = 0, the system will actually use port number 22, which is the default port number for SSH communication.
(7) Firewall passage direction during communication between PFM - RM for Virtual Machine and logical partitioning feature
To collect information from the logical partitioning feature, PFM - RM for Virtual Machine communicates with hosts that have the logical partitioning feature through the UDP protocol. Therefore, if PFM - RM for Virtual Machine and hosts with the logical partitioning feature are deployed across a firewall, the firewall must be configured to allow passage of this communication.
| Port numbers | Protocol type | Transmission type | Passage direction |
|---|---|---|---|
| 623 | UDP | Unicast | LPAR Manager management command for logical partitioning feature → logical partitioning feature |
| Automatic (Any port) | UDP | Unicast | LPAR Manager management command for logical partitioning feature ← logical partitioning feature |

- Legend:
  - →: Direction for starting communication (for connecting) from the item on the left to the item on the right
  - ←: Direction for starting communication (connection) from the item on the right to the item on the left
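The port-resolution and passage-direction rules from subsections (2) through (7) above, collected into one checker that resolves the effective target port from the `Port` setting item and emits the outbound allow rules a firewall administrator would need. This is an added example and not code from the JP1/Performance Management product; the `Target` type, the hostnames and the nftables-style rule strings are assumptions.

```python
"""Resolve the effective monitoring-target port for each PFM - RM for Virtual
Machine target type and emit the matching firewall allow rules.
Added example (not part of the manual); rule syntax and hosts are assumed."""
from dataclasses import dataclass

# Port used when the "Port" setting item is 0, as stated in the manual tables.
# Docker Engine has no default: Port = 0 means nothing can be collected.
DEFAULT_PORT = {"vmware": 443, "kvm": 22, "podman": 22, "docker": None}
PORT_MIN, PORT_MAX = 0, 65535


@dataclass(frozen=True)
class Target:
    kind: str      # "vmware", "hyperv", "kvm", "docker", "podman" or "lpar"
    host: str      # constructed hostname of the monitoring target
    port: int = 0  # the "Port" setting item; 0 selects the default


def effective_port(target: Target) -> int:
    """Return the TCP port the Remote Monitor Collector service will connect to."""
    if not PORT_MIN <= target.port <= PORT_MAX:
        raise ValueError(f"{target.kind}: Port {target.port} is outside 0-65535")
    if target.port != 0:
        return target.port
    default = DEFAULT_PORT.get(target.kind)
    if default is None:
        raise ValueError(f"{target.kind}: Port = 0 is not usable; set the Docker Engine port")
    return default


def firewall_rules(rm_host: str, target: Target) -> list[str]:
    """Allow rules for one target. Every connection is opened by the Remote
    Monitor Collector service on rm_host toward the target (left → right)."""
    if target.kind == "hyperv":
        # WMI runs over DCOM, which allocates ports dynamically; no fixed port
        # rule exists, so defer to the firewall product's documentation.
        raise ValueError("hyperv: DCOM uses dynamic port allocation; no single port rule")
    if target.kind == "lpar":
        # Management command → feature on UDP 623; the feature's datagrams flow
        # back (←) to an automatically chosen port on the command host.
        return [f"ip saddr {rm_host} ip daddr {target.host} udp dport 623 accept",
                f"ip saddr {target.host} ip daddr {rm_host} udp sport 623 accept"]
    port = effective_port(target)
    return [f"ip saddr {rm_host} ip daddr {target.host} tcp dport {port} accept"]
```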