What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

another question about remote probes; ports/firewall

Votes:

0

Hi,

This article suggests the remote probe uses TCP/23560 only. https://kb.paessler.com/en/topic/61462-which-ports-does-prtg-use-on-my-system

However, this discussion suggests the remote probe will communicate on a dynamic high port https://kb.paessler.com/en/topic/69754-remote-probe-connection

I have read other discussions which suggest the probe-to-core connection is both ways. So the first KB article appears to be incorrect? Or at least not explaining the requirements fully?

Assuming I have core server on my corporate LAN, and a remote probe on a public internet IP, I would need the following rule on the corporate firewall

Allow, inbound, from probe_public_ip, from any port (then NAT to TCP/23560)

...And a similar rule on my remote probe...

Allow, inbound, from corporate_WAN_IP, from any port, to TCP/2350

This all seems a bit open to me. Is there any way to lock it down further?

firewall ports remote-probe

Created on Feb 19, 2019 12:36:01 PM



3 Replies

Votes:

0

Hello,

thank you for using PRTG and for the KB Post. Remote Probes connect to TCP Port 23560 (on the core service side), and to do this, they use a dynamic high port on their side (outgoing connection).
Usually it's not necessary to configure the firewall on the Remote Probe side because of it being an outgoing connection. The Core Side needs to be configured of course with the likes of NAT/PAT/etc..

best regards.

Created on Feb 20, 2019 9:49:07 AM by Torsten Lindner [Paessler Support]



Votes:

0

Thanks Torsten for the reply. Your answer makes perfect sense.

What was confusing to me was this post by another Paessler employee suggesting communication is "both ways" https://kb.paessler.com/en/topic/11313-do-i-need-to-open-port-23560-to-use-remote-probe-which-direction

This made me query whether port 23560 needed to be open on BOTH the probe and the core. You have confirmed that only the core needs this port open, not the remote probe. So thanks!

Created on Feb 20, 2019 9:57:52 AM



Votes:

0

23560 needs to be open on the Core side of things. Both firewalls need to allow bi-directional connections of course (Core Side 23560 and Probe Side the dynamic high port, which again is the usual default behaviour).

Created on Feb 20, 2019 11:47:22 AM by Torsten Lindner [Paessler Support]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.