When agent version 10.1 or earlier was installed on Linux, it disabled the iptables service to avoid firewall conflicts, unless you added a configuration file that prevented that change. However, the iptables service is used for more than just the firewall (for example, Docker manages iptables rules as part of its normal operation), so disabling it sometimes had negative consequences.
With agent version 10.2 and higher, the functionality around iptables has changed. The agent no longer disables iptables. (If iptables is enabled, it stays enabled after the agent installation. If iptables is disabled, it stays disabled.) However, if the iptables service is running, the agent requires certain iptables rules, as described below.
Rules required by the agent
If iptables is enabled on the computer where the agent is being installed, the agent requires additional iptables rules. By default, these rules are added when the agent starts up and removed when the agent is stopped or uninstalled. Alternatively, you can prevent the agent from automatically adding iptables rules (see Prevent the agent from automatically adding iptables rules, below) and add them manually instead:
- Allow incoming traffic on port 4118. This is required when the agent uses manager-initiated or bidirectional communication. (For more information, see Agent-manager communication.)
- Allow incoming traffic on port 4122. This is required when the agent is acting as a relay, so that the relay can distribute software updates. (For more information, see Distribute security and software updates with relays.)
Note: These are the default port numbers; yours may be different. For a complete list of ports used in Server & Workload Protection, see Port numbers.
Prevent the agent from automatically adding iptables rules
You can prevent the agent from modifying iptables if you would rather add the required rules manually. To prevent the automatic modification of iptables, create the following file on the computers where you plan to install the agent:

/etc/do_not_open_ports_on_iptables
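The following script is an added example (not part of the original documentation, and not the agent's own code) that puts the two steps above together: it creates the /etc/do_not_open_ports_on_iptables marker so the agent leaves iptables alone, then adds the INPUT rules for the documented default ports 4118 and 4122 only if they are not already present, and can audit the output of `iptables -S INPUT` to report which agent ports still lack an ACCEPT rule. The function names, the DRY_RUN switch, the exact rule shape (a plain `-p tcp --dport <port> -j ACCEPT` inserted at the top of INPUT) and the sample rule listing are assumptions made for this example; the marker file path and port numbers come from the page.

```shell
#!/bin/sh
# Added example: manually manage the iptables rules the agent needs on a host where
# /etc/do_not_open_ports_on_iptables is present. Not the agent's own code.

AGENT_PORTS="4118 4122"   # 4118: manager-initiated/bidirectional; 4122: relay (defaults)
OPT_OUT_FILE="/etc/do_not_open_ports_on_iptables"   # marker file documented on the page
DRY_RUN="${DRY_RUN:-1}"   # assumption: 1 = only print commands; set DRY_RUN=0 to apply (root)

# Build the iptables rule spec for one TCP port (printed on stdout).
# The rule shape is this example's choice, not something the page prescribes.
rule_spec() {
    printf 'INPUT -p tcp --dport %s -j ACCEPT' "$1"
}

# Add a rule only if it is not already present (-C checks, -I inserts at the top
# of INPUT so the rule takes effect even when a later rule drops everything else).
ensure_rule() {
    spec=$(rule_spec "$1")
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables -C $spec 2>/dev/null || iptables -I $spec"
        return 0
    fi
    # shellcheck disable=SC2086  # word-splitting the spec into arguments is intended
    iptables -C $spec 2>/dev/null || iptables -I $spec
}

# Create the marker file so the agent does not add or remove rules itself.
# An optional path argument allows testing without touching /etc.
create_opt_out_file() {
    touch "${1:-$OPT_OUT_FILE}"
}

# True when the agent will still manage iptables itself (marker file absent).
agent_manages_iptables() {
    [ ! -e "${1:-$OPT_OUT_FILE}" ]
}

# Audit helper: read `iptables -S INPUT` output on stdin and print each agent port
# that has no ACCEPT rule. Useful after a reboot or a firewall reload to confirm
# the manually added rules are still in place.
missing_ports() {
    rules=$(cat)
    for port in $AGENT_PORTS; do
        printf '%s\n' "$rules" | grep -q -- "--dport $port .*-j ACCEPT" || printf '%s\n' "$port"
    done
}

# Usage: sh agent-iptables.sh apply        (prints commands unless DRY_RUN=0)
#        iptables -S INPUT | sh agent-iptables.sh audit
if [ "${1:-}" = "apply" ]; then
    create_opt_out_file
    for p in $AGENT_PORTS; do ensure_rule "$p"; done
elif [ "${1:-}" = "audit" ]; then
    missing_ports
fi
```

Running the script with `apply` while DRY_RUN is left at its default only prints the iptables commands, which makes it safe to review on a host before applying; the `audit` mode is what you would run from a cron job or a configuration check to detect the rules being lost when another tool (Docker, a firewall manager) rewrites the INPUT chain.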