Hitachi

JP1 Version 12 JP1/Performance Management - Remote Monitor for Virtual Machine Description, User's Guide and Reference


D.2 Firewall passage direction

Organization of this subsection

(1) Setting up the firewall passage direction

When PFM - Manager and PFM - RM for Virtual Machine are installed across a firewall, set fixed port numbers for all services of PFM - Manager and PFM - RM for Virtual Machine, so that the firewall can be configured to permit exactly those ports. For details, see the section describing the firewall passage direction in the manual JP1/Performance Management Reference.

(2) Firewall passage direction during communication between PFM - RM for Virtual Machine and VMware

To collect VMware information, PFM - RM for Virtual Machine needs to communicate with VMware. Therefore, if there is a firewall between PFM - RM for Virtual Machine and VMware, set the firewall to permit communication over the port of the monitoring target set on the PFM - RM for Virtual Machine host. The communication direction between PFM - RM for Virtual Machine and VMware is shown below.

Passage direction

PFM - RM for Virtual Machine (Remote Monitor Collector service) → VMware

Legend:

→: Direction for starting communication (connection) from the item on the left to the item on the right

The table below shows port numbers that can be used for communication with a monitoring target. For details, see 2.1.4(4) Setting up monitoring targets.

Table D‒2: Port numbers that can be used for communication with a monitoring target

  Description                  Setting item   Value that can be set   Default
  VMware target port number    Port           0-65,535                Port = 0#

#
When Port = 0, the system actually uses port number 443, which is the default port number for HTTPS communication.

(3) Firewall passage direction during communication between PFM - RM for Virtual Machine and Hyper-V

To collect Hyper-V information, it is necessary for PFM - RM for Virtual Machine to use WMI to communicate with Hyper-V. Therefore, when PFM - RM for Virtual Machine and Hyper-V are installed across a firewall, passage through the firewall must be enabled.

Passage direction

PFM - RM for Virtual Machine (Remote Monitor Collector service) → Hyper-V

Legend:

→: Direction for starting communication (for connecting) from the item on the left to the item on the right

WMI uses DCOM. Because DCOM allocates its ports dynamically rather than using a single fixed port, the firewall must permit the dynamically allocated ports used by DCOM. For details about how to set this up, see the firewall product's documentation or check with the firewall product's developer.

Because WMI and DCOM requests cannot be isolated to a fixed port, operating PFM - RM for Virtual Machine and Hyper-V across a firewall is not recommended. The following figure shows a recommended configuration.

Figure D‒1: Example of configuration where the port used for DCOM passes through a firewall

[Figure]

(4) Firewall passage direction during communication between PFM - RM for Virtual Machine and KVM

To collect KVM information, it is necessary for PFM - RM for Virtual Machine to communicate via SSH. Therefore, when PFM - RM for Virtual Machine and KVM are installed across a firewall, set the firewall to permit communication over the port of the monitoring target set on the PFM - RM for Virtual Machine host. The communication direction between PFM - RM for Virtual Machine and KVM is shown below.

Passage direction

PFM - RM for Virtual Machine (Remote Monitor Collector service) → KVM

Legend:

→: Direction for starting communication (for connecting) from the item on the left to the item on the right

The table below shows port numbers that can be used for communication with a monitoring target. For details, see 2.1.4(4) Setting up monitoring targets.

Table D‒3: Port numbers that can be used for communication with a monitoring target

  Description                            Setting item   Value that can be set   Default
  KVM port number for an SSH connection  Port           0-65,535                Port = 0#

#
When Port = 0, the system actually uses port number 22, which is the default port number for SSH communication.

(5) Firewall passage direction during communication between PFM - RM for Virtual Machine and Docker Engine

To collect Docker environment information, PFM - RM for Virtual Machine must communicate with Docker Engine. Therefore, when PFM - RM for Virtual Machine and the Docker environment are installed across a firewall, set the firewall to permit communication over the port of the monitoring target set on the PFM - RM for Virtual Machine host. The communication direction between PFM - RM for Virtual Machine and Docker Engine is shown below.

Passage direction

PFM - RM for Virtual Machine (Remote Monitor Collector service) → Docker Engine

Legend:

→: Direction for starting communication (for connecting) from the item on the left to the item on the right

The table below shows port numbers that can be used for communication with a monitoring target. For details, see 2.1.4(4) Setting up monitoring targets.

Table D‒4: Port numbers that can be used for communication with a monitoring target

  Description                        Setting item   Value that can be set   Default
  Docker Engine target port number   Port           0-65,535                Port = 0#

#
When Port = 0, Docker environment information cannot be collected. The port number of Docker Engine must be specified explicitly.

(6) Firewall passage direction during communication between PFM - RM for Virtual Machine and Podman environment

To collect Podman environment information, PFM - RM for Virtual Machine must communicate via SSH. Therefore, when PFM - RM for Virtual Machine and the Podman environment are installed across a firewall, set the firewall to permit communication over the port of the monitoring target set on the PFM - RM for Virtual Machine host. The communication direction between PFM - RM for Virtual Machine and the Podman environment is shown below.

Passage direction

PFM - RM for Virtual Machine (Remote Monitor Collector service) → Podman environment

Legend:

→: Direction for starting communication (for connecting) from the item on the left to the item on the right

The table below shows port numbers that can be used for communication with a monitoring target. For details, see 2.1.4(4) Setting up monitoring targets.

Table D‒5: Port numbers that can be used for communication with a monitoring target

  Description                                           Setting item   Value that can be set   Default
  Podman environment port number for an SSH connection  Port           0-65,535                Port = 0#

#
When Port = 0, the system actually uses port number 22, which is the default port number for SSH communication.

(7) Firewall passage direction during communication between PFM - RM for Virtual Machine and logical partitioning feature

To collect information from the logical partitioning feature, PFM - RM for Virtual Machine communicates with hosts that have the logical partitioning feature over UDP. Therefore, if PFM - RM for Virtual Machine and those hosts are deployed across a firewall, the firewall must be configured to allow this communication in both directions shown below (the request goes out on UDP port 623; the reply comes back to whichever port was allocated automatically on the requesting side).

  Port number            Protocol type   Transmission type   Passage direction
  623                    UDP             Unicast             LPAR Manager management command for logical partitioning feature → logical partitioning feature
  Automatic (any port)   UDP             Unicast             LPAR Manager management command for logical partitioning feature ← logical partitioning feature

Legend:

→: Direction for starting communication (for connecting) from the item on the left to the item on the right

←: Direction for starting communication (for connecting) from the item on the right to the item on the left
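The following is an added example (not code from Hitachi or from JP1/Performance Management) that turns the port tables and passage directions in (2) through (7) into a checkable form: it resolves the port that is actually used when Port = 0 (443 for VMware, 22 for KVM and Podman, an error for Docker Engine), rejects values outside 0-65,535, and emits the outbound rules the collector host needs, including the stateful reply rule for the LPAR UDP 623 exchange and a placeholder for the dynamically allocated DCOM ports used by Hyper-V. The target inventory format, the function names, and the iptables rendering are assumptions made for this example; the sample inventory is constructed.

```python
"""Resolve effective monitoring-target ports and derive collector-host egress rules
(added illustration; the inventory format, names and iptables output are assumptions)."""
from dataclasses import dataclass
from typing import List, Optional

# Port used when the target's Port setting is 0 (Tables D-2, D-3, D-5).
# Docker Engine has no default: Port = 0 means nothing can be collected (Table D-4).
DEFAULT_PORT_WHEN_ZERO = {"vmware": 443, "kvm": 22, "podman": 22}

# Target types whose traffic is a single TCP connection to a configurable port.
TCP_PORT_TARGETS = ("vmware", "kvm", "podman", "docker")


@dataclass(frozen=True)
class FirewallRule:
    target_type: str
    host: str
    proto: str               # "tcp" or "udp"
    dport: Optional[int]     # None when ports are allocated dynamically (DCOM)
    note: str = ""


def resolve_port(target_type: str, port: int) -> int:
    """Return the port actually used for target_type given the configured Port value."""
    if not isinstance(port, int) or not 0 <= port <= 65535:
        raise ValueError(f"Port must be an integer in 0-65535, got {port!r}")
    if port != 0:
        return port
    if target_type == "docker":
        raise ValueError("Docker Engine target: Port = 0 is not usable; specify the Docker Engine port")
    if target_type not in DEFAULT_PORT_WHEN_ZERO:
        raise ValueError(f"no Port setting applies to target type {target_type!r}")
    return DEFAULT_PORT_WHEN_ZERO[target_type]


def rules_for_target(target: dict) -> List[FirewallRule]:
    """Derive the firewall rule(s) the Remote Monitor Collector host needs for one target."""
    ttype, host = target["type"], target["host"]
    if ttype in TCP_PORT_TARGETS:
        return [FirewallRule(ttype, host, "tcp", resolve_port(ttype, target.get("port", 0)))]
    if ttype == "hyperv":
        # WMI over DCOM: no fixed port, so the rule cannot be reduced to a single dport.
        return [FirewallRule(ttype, host, "tcp", None,
                             "DCOM dynamic ports; see the firewall product's documentation")]
    if ttype == "lpar":
        return [FirewallRule(ttype, host, "udp", 623,
                             "reply returns to an automatically chosen port; needs a stateful rule")]
    raise ValueError(f"unknown target type {ttype!r}")


def to_iptables(rule: FirewallRule) -> List[str]:
    """Render a rule as collector-host iptables commands (assumed syntax for illustration)."""
    if rule.dport is None:
        return [f"# {rule.target_type} {rule.host}: {rule.note}"]
    lines = [f"iptables -A OUTPUT -p {rule.proto} -d {rule.host} --dport {rule.dport} "
             f"-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"]
    if rule.proto == "udp":
        # UDP has no connection, so the reply must be matched by conntrack state,
        # not by a fixed source port (the LPAR reply port is "Automatic (any port)").
        lines.append(f"iptables -A INPUT -p udp -s {rule.host} "
                     f"-m conntrack --ctstate ESTABLISHED -j ACCEPT")
    return lines


def render_inventory(inventory: List[dict]) -> List[str]:
    """Render all rules for an inventory; Docker targets with Port = 0 surface as comments."""
    out: List[str] = []
    for target in inventory:
        try:
            for rule in rules_for_target(target):
                out.extend(to_iptables(rule))
        except ValueError as err:
            out.append(f"# {target['type']} {target['host']}: {err}")
    return out


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    SAMPLE = [
        {"type": "vmware", "host": "192.0.2.10", "port": 0},
        {"type": "hyperv", "host": "192.0.2.20"},
        {"type": "kvm", "host": "192.0.2.30", "port": 0},
        {"type": "docker", "host": "192.0.2.40", "port": 0},
        {"type": "podman", "host": "192.0.2.50", "port": 2222},
        {"type": "lpar", "host": "192.0.2.60"},
    ]
    print("\n".join(render_inventory(SAMPLE)))
```

Running the block prints one ACCEPT line per TCP target, a two-line stateful pair for the LPAR host, and comment lines for the two cases that cannot be reduced to a fixed port: the Hyper-V DCOM target and a Docker Engine target left at Port = 0.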