Enabling Firewall on HyperScale X

You can enable a firewall on the HyperScale nodes to automatically open the required ports and secure communication between nodes.

Firewall configuration divides the network into zones. A zone is a group of interfaces and services that share common rules to define secure boundaries within the network and manage access between nodes.

When the firewall is enabled:

  • The CS registration and data protection interfaces are added to the default blocked zone.

  • The storage pool interface is added to a private zone named cv_storage_zone.

Note

The firewall is automatically enabled on new installations of the Commvault HyperScale X cluster.

Procedure

Follow these steps to enable and configure the firewall on all nodes in the HyperScale cluster:

  1. Set the MediaAgents associated with the cluster to maintenance mode.

    For more information, see Setting the MediaAgent on Maintenance Mode.

  2. Log in to any one of the nodes in the cluster.

    Note

    You can enable the firewall on all nodes in the cluster from a single node. It is not necessary to repeat these steps on each node.

  3. Navigate to the following directory:

    cd /opt/commvault/MediaAgent/task_manager
  4. Run the following command to enable the firewall and automatically open the required ports:

    ./cvmanager.py -t Configure_Firewall

    This command enables all necessary ports for the cluster, depending on your environment. For more information about required ports, see Firewall Port Requirements for Commvault HyperScale X.

    You can also use the following command variations as needed:

    Purpose: Configure the firewall without restarting CVFS services
    Command: ./cvmanager.py -t Configure_Firewall origin="'install'"

    Purpose: Configure the firewall and include additional ports
    Command: ./cvmanager.py -t Configure_Firewall origin="'install'" additional_ports=["'8800-8900','9808','10000-10531','1000'"]
  5. (Optional) If ICMP (ping) requests are blocked and need to be enabled, run the following commands:

    firewall-cmd --zone=block --add-icmp-block-inversion --permanent

    firewall-cmd --zone=block --add-icmp-block=echo-reply --permanent

    firewall-cmd --zone=block --add-icmp-block=echo-request --permanent

    firewall-cmd --reload
  6. Verify that the firewall is running using the following command:

    firewall-cmd --state

    The expected output is: running.

  7. Verify that the MediaAgent services are active:

    commvault list

    For more details about managing services, see Commands to Control Services on UNIX Clients.

  8. Verify the readiness of the MediaAgents on the HyperScale nodes to ensure they are operational.

    For more information, see Checking Readiness.

  9. Disable Maintenance mode for the MediaAgents associated with the cluster.

    For instructions, see Setting the MediaAgent on Maintenance Mode.

Result

After completing these steps, the firewall is enabled on all nodes in the cluster.

The appropriate ports are automatically configured, ensuring secure communication between HyperScale nodes while maintaining connectivity required for cluster operations.
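
The zone layout described at the top of this page can be checked once the procedure is finished. The script below is an added example, not part of the Commvault documentation or tooling: it parses `firewall-cmd --get-active-zones` output and confirms that the block zone and cv_storage_zone each hold at least one interface. The function names, interface names and sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check HyperScale X zone assignment from firewall-cmd output.

# Print the interfaces bound to zone $1. Reads `firewall-cmd --get-active-zones`
# text on stdin: zone name at column 0, indented "interfaces:" line beneath it.
zone_interfaces() {
  awk -v want="$1" '
    /^[^ \t]/ { zone = $1; next }              # unindented line starts a zone
    zone == want && $1 == "interfaces:" { for (i = 2; i <= NF; i++) print $i }'
}

# Print "zone:interface" for interfaces bound to any zone the page does not name.
unexpected_interfaces() {
  awk '
    /^[^ \t]/ { zone = $1; next }
    $1 == "interfaces:" && zone != "block" && zone != "cv_storage_zone" {
      for (i = 2; i <= NF; i++) print zone ":" $i }'
}

# Return 0 only if block and cv_storage_zone each hold at least one interface.
# Interfaces found in other zones are reported for review, not treated as failure.
check_hsx_zones() (                            # subshell body keeps variables local
  zones="$1"; rc=0
  for z in block cv_storage_zone; do
    if [ -z "$(printf '%s\n' "$zones" | zone_interfaces "$z")" ]; then
      echo "FAIL: no interface in zone $z" >&2; rc=1
    fi
  done
  extra="$(printf '%s\n' "$zones" | unexpected_interfaces | tr '\n' ' ')"
  [ -z "$extra" ] || echo "REVIEW: interfaces in other zones: $extra" >&2
  exit "$rc"
)

# Constructed sample output; the interface names are made up for illustration.
SAMPLE_OK='block
  interfaces: bond1 bond2
cv_storage_zone
  interfaces: bond3'

# On a node with firewalld running, check the live state; otherwise use the sample.
if command -v firewall-cmd >/dev/null 2>&1 &&
   [ "$(firewall-cmd --state 2>/dev/null)" = "running" ]; then
  check_hsx_zones "$(firewall-cmd --get-active-zones)" && echo "zones OK"
else
  check_hsx_zones "$SAMPLE_OK" && echo "sample zones OK"
fi
```

Because step 2 configures every node from a single node, run the check on each node to confirm the zones were applied cluster-wide.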
