NetApp Knowledgebase

Which ports are needed to run Virus Scan / FPolicy through a firewall?

Category: data-ontap-7
Specialty: nas

Applies to

  • Data ONTAP 7 and earlier

Answer

Warning: Before placing a firewall between the filer and the Vscan server, consider why the firewall is needed:

By definition, the Vscan service needs to be part of the Backup Operators group. That makes the Vscan host the only system that has unfiltered and unchecked access to ALL files stored on the attached filers. If you put your Vscan server behind a firewall because of a potential threat (e.g. a service sharing the same hardware/OS is connected to the Internet), consider moving the Vscan host to a separate system to limit the damage after a security breach.

Running Vscan or FPolicy through a firewall is not recommended, because the firewall might add latency to the service and slow down client access.

For FPolicy or Vscan to function properly, the following ports need to be open on the firewall for Data ONTAP 7-Mode releases:

Filer                                Direction   Vscan / FPolicy Server
-----------------------------------  ---------   -----------------------------------
ANY                                  ->          NETBIOS Name Service (TCP:137)
                                                 NETBIOS Datagram Service (TCP:138)
                                                 NETBIOS Session Service (TCP:139)
                                                 SMB over IP (TCP:445)
                                                 HTTP (TCP:80)
                                                 HTTPS (TCP:443)

NETBIOS Name Service (TCP:137)       <-          ANY
NETBIOS Datagram Service (TCP:138)
NETBIOS Session Service (TCP:139)
SMB over IP (TCP:445)
HTTP (TCP:80)
HTTPS (TCP:443)

Additional ports may need to be opened from the filer to its Active Directory domain controller for the purpose of authenticating the Windows service account running the Vscan or FPolicy software.
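
One way to confirm that the firewall passes the ports listed above, as an added example that is not part of the NetApp article: a small Python check, run on the Vscan / FPolicy server against the filer's IP address, that separates ports the firewall appears to drop from ports that are merely not listening. The function names and the 2-second timeout are assumptions of this example.

```python
import socket
import sys

# Ports from the table above; the page lists every one of them as TCP.
VSCAN_FPOLICY_PORTS = {
    137: "NETBIOS Name Service",
    138: "NETBIOS Datagram Service",
    139: "NETBIOS Session Service",
    445: "SMB over IP",
    80: "HTTP",
    443: "HTTPS",
}


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' (refused: the path works but nothing
    listens) or 'filtered' (no answer: typical of a firewall drop)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.gaierror:
        raise  # a name-resolution failure says nothing about the firewall
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout or host/network unreachable
        return "filtered"
    finally:
        s.close()


def check_path(peer, ports=VSCAN_FPOLICY_PORTS, timeout=2.0):
    """Probe every listed port on the peer and return {port: state}."""
    return {port: probe(peer, port, timeout) for port in ports}


def blocked(results):
    """Ports that look dropped somewhere on the path, sorted."""
    return sorted(p for p, state in results.items() if state == "filtered")


if __name__ == "__main__":
    results = check_path(sys.argv[1])  # argument: IP address of the peer
    for port, state in sorted(results.items()):
        print(f"{port:>5}/tcp  {VSCAN_FPOLICY_PORTS[port]:<26} {state}")
    sys.exit(1 if blocked(results) else 0)
```

A "filtered" result points at a firewall rule to review, while "closed" means the packet reached the peer and the service on that port is not running.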

Additional Information

For clustered Data ONTAP firewall configuration, see the relevant articles for FPolicy and Vscan.