Zabbix agent active does not work without port 10050 opened ?

This topic has been answered.
  • PmGs
    Junior Member
    • Nov 2024
    • 17

    #1

    Zabbix agent active does not work without port 10050 opened ?

    I read in this doc https://www.zabbix.com/documentation...sive?hl=active
    If an agent is behind the firewall you might consider using only Active checks because in this case you wouldn't need to modify the firewall to allow initial incoming connections.

    But if I reject port 10050 ( iptables -A INPUT -p tcp --dport 10050 -j REJECT )
    the agent does not work any more.

    Is it an error in the doc?
    or
    a setup to change?
    or
    something I don't understand?

    Thanks in advance for helping me better understand this point.
  • Answer selected by PmGs at 11-12-2024, 00:11.
    PmGs
    Junior Member
    • Nov 2024
    • 17

    I had a wrong template.

    See https://www.zabbix.com/forum/zabbix-...-does-not-work


    • solution
      Senior Member
      • Jun 2020
      • 269

      #2
      For clients/hosts/devices with Zabbix Agent/Agent2, the firewall rules are:

      Passive Mode (Zabbix Server --> Zabbix Agent)
      Port: 10050
      Direction: INBOUND
      Source: **from Zabbix Server**


      Active Mode (Agent --> Zabbix Server)
      Port: 10051
      Direction: OUTBOUND
      Destination: **IP Zabbix Server**



      Wellington
      Last edited by solution; 01-12-2024, 19:11.


      • PmGs
        Junior Member
        • Nov 2024
        • 17

        #3
        Thanks for your answer solution

        The link you shared does not specify the mode.

        You wrote only port 10051 in active mode, but as I wrote in my initial post, if I reject port 10050 (Agent firewall) it does not work.
        Are you sure? Can you do the same test? What can be wrong in my config, agent or server?


        • solution
          Senior Member
          • Jun 2020
          • 269

          #4
          If you use Passive Mode (templates xxxxx by Zabbix Agent)
          Test the communication from Zabbix Server to HostDevice.
          On Zabbix Server:
          ping ip/hostname of host/device
          telnet/nmap ip/hostname 10050

          If you use Active Mode (templates xxxxxx by Zabbix Agent (Active))
          On Windows/Linux Host:
          ping ip/hostname of Zabbix Server
          telnet/nmap ip/hostname zabbix server 10051
          - Server: If you have a firewall on the zabbix server, open port 10051 if necessary
          - Windows/Linux Host: in the zabbix_agentd.conf file make sure that the line "ServerActive=" has the IP/Hostname of the Zabbix Server

          Active vs. Passive documentation:


          Agentd.conf



          Wellington


          • PmGs
            Junior Member
            • Nov 2024
            • 17

            #5
            Sorry solution, you did not answer my main question.

            In active mode, if you reject port 10050 by agent firewall ( iptables -A INPUT -p tcp --dport 10050 -j REJECT ) should it work? Does it work for you?


            • ISiroshtan
              Senior Member
              • Nov 2019
              • 324

              #6
              Can you give more information about what you mean by "Not working"?

              In active mode Zabbix agent does not need any incoming connections, instead the agent would initiate connection to Zabbix server/proxy to port 10051, will get all configuration data it needs and will be reporting metrics same exact way. For it to work you need:
              • set in agent configuration file the ServerActive directive
              • ensure that agent -> server/proxy tcp:10051 communication is open and successful
              • ensure that in Zabbix server the host is configured with items of "agent(active)" type checks
              The image below is a good representation of how communication flows look based on active/passive settings
              [Image: image.png]


              • PmGs
                Junior Member
                • Nov 2024
                • 17

                #7
                Thank you ISiroshtan for your detailed reply. I will take more time tomorrow to answer you.
                Having said that, didn't you make a typo in the server link to passive proxy, the port shouldn't be 10050?


                • cyber
                  Senior Member
                  Zabbix Certified Specialist, Zabbix Certified Professional
                  • Dec 2006
                  • 4811

                  #8
                  10050 is AGENT port.. if server talks to proxy, it will connect to 10051 on proxy. Same port where active agent will send data on proxy...



                  • PmGs
                    PmGs commented
                    OK, but it's not my question, see it below.
                • PmGs
                  Junior Member
                  • Nov 2024
                  • 17

                  #9
                  Hello @Isiroshtan

                  First some questions I don’t understand on your drawing
                  • Server → Passive Proxy 10051? Typing mistake? Should be 10050?
                  • Active Proxy : Server=192.168.1.1 ? Should be public IP of server?
                  • Zabbix Agent not the local network than Active Proxy ?

                  My config
                  [Image: image.png]

                  Everything works with this config
                  [Image: 241205-Etat 1.png]

                  On my proxy I reject port 10050 in input
                  • iptables -A INPUT -p tcp --dport 10050 -j REJECT (command done yesterday)

                  My proxy agent2 does not work anymore
                  • I see this with these 2 screens
                    • Availability: green → red
                  [Image: 241205-Etat 2.png]
                  • Last data time
                  [Image: DI1 Data.png]


                  So, my main question, port 10050 seems to be mandatory even in active mode, except, of course, if I made mistakes in my config, but I don’t see where?


                  And I have a second question regarding the agent (P1) connected to the proxy
                  • It works! Without the proxy working!
                    • Availability in green (see previous image)
                    • Last data time OK

                  • cyber
                    Senior Member
                    Zabbix Certified Specialist, Zabbix Certified Professional
                    • Dec 2006
                    • 4811

                    #10
                    Originally posted by PmGs
                    Hello @Isiroshtan

                    First some questions I don’t understand on your drawing
                    • Server → Passive Proxy 10051? Typing mistake? Should be 10050?
                    • Active Proxy : Server=192.168.1.1 ? Should be public IP of server?
                    • Zabbix Agent not the local network than Active Proxy ?
                    yeah... And what did I just write? 10050 is AGENT (listening) port.. No typing mistakes by ISiroshtan above... server/proxy use port 10051 for incoming connections...


                    • PmGs
                      Junior Member
                      • Nov 2024
                      • 17

                      #11
                      cyber, I saw what you wrote, but did you look at my initial post?

                      I read in this doc https://www.zabbix.com/documentation...sive?hl=active
                      If an agent is behind the firewall you might consider using only Active checks because in this case you wouldn't need to modify the firewall to allow initial incoming connections.


                      • cyber
                        Senior Member
                        Zabbix Certified Specialist, Zabbix Certified Professional
                        • Dec 2006
                        • 4811

                        #12
                        Originally posted by PmGs
                        cyber, I saw what you wrote, but did you look at my initial post?

                        I read in this doc https://www.zabbix.com/documentation...sive?hl=active
                        If an agent is behind the firewall you might consider using only Active checks because in this case you wouldn't need to modify the firewall to allow initial incoming connections.
                        I was just correcting your suspicions about typos.. There was not any...

                        But.. to answer your question ..
                        On my proxy I reject port 10050 in input
                        • iptables -A INPUT -p tcp --dport 10050 -j REJECT (command done yesterday)
                        and after that the agent of your PROXY host turned to red... right..

                        But you denied connection to agent on your proxy...Is your proxy monitored by server or by that proxy itself? In either way, if one or another tries to ask something from agent, it fails, as you denied access... It is enough, if you have just one passive item and it fails..

                        If you really want to use just active agents and never passive, you can get same results without any FW mods if you just set StartAgents parameter to 0.
                        StartAgents
                        The number of pre-forked instances of zabbix_agentd that process passive checks. If set to 0, passive checks are disabled and the agent will not listen on any TCP port.
                        It should then not even open any port, so you do not have to deny any connection in FW..
                        Last edited by cyber; 06-12-2024, 15:33.

                        Comment
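
As an added example (not part of the thread and not Zabbix's own tooling), this shell sketch reads a zabbix_agentd.conf and lists the network flows the agent needs, following the port and direction rules in post #2 and the StartAgents=0 behaviour quoted in post #12. The function names, sample file and addresses are constructed; an unset StartAgents is assumed to mean the non-zero default, and IPv6 literals are not handled.

```shell
#!/bin/sh
# Added example: list the TCP flows a Zabbix agent needs, from its config file.
# Function names and the sample file below are constructed for illustration.

# conf_get FILE KEY -> value of the last uncommented "KEY=value" line
conf_get() {
    sed -e "/^[[:space:]]*${2}[[:space:]]*=/!d" \
        -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | tail -n 1
}

# zbx_flows FILE -> one line per flow the host firewall has to allow
zbx_flows() {
    start_agents=$(conf_get "$1" StartAgents)
    listen_port=$(conf_get "$1" ListenPort)
    server=$(conf_get "$1" Server)
    active=$(conf_get "$1" ServerActive)

    # Passive checks: the agent listens unless StartAgents=0.
    # Assumption: an unset StartAgents means the non-zero default.
    if [ "${start_agents:-1}" != "0" ]; then
        echo "INBOUND tcp/${listen_port:-10050} from ${server:-UNSET}"
    fi

    # Active checks: the agent connects out to every ServerActive entry
    # (comma-separated, ';' between cluster nodes, optional ":port").
    # IPv6 literals are not handled here.
    printf '%s\n' "$active" | tr ',;' '\n\n' | while read -r entry; do
        [ -n "$entry" ] || continue
        case $entry in
            *:*) host=${entry%:*}; port=${entry##*:} ;;
            *)   host=$entry; port=10051 ;;
        esac
        echo "OUTBOUND tcp/$port to $host"
    done
}

# Constructed sample: an active-only agent (addresses are documentation ranges).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# StartAgents=3
Server=192.0.2.10
ServerActive=192.0.2.10, zbx-proxy.example.net:10061
StartAgents=0
EOF

zbx_flows "$SAMPLE"
```

With StartAgents=0 no INBOUND line is printed, so a REJECT rule on 10050 has nothing to block; whether the host still shows red in the frontend depends on the item types its templates use, as discussed in the thread.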

                        • PmGs
                          Junior Member
                          • Nov 2024
                          • 17

                          #13
                          I did not find StartAgents but
                          - StartAgentsPollers & StartHTTPAgentPollers on the Server
                          - StartAgentsPollers on the Proxy

                          Set these to 0, but for the moment no change.

                          Anyway thanks a lot for this information, new to Zabbix, there are probably other parameters, obvious for you, but not for me. To be continued.


                          • cyber
                            Senior Member
                            Zabbix Certified Specialist, Zabbix Certified Professional
                            • Dec 2006
                            • 4811

                            #14

                            It is agent side parameter, not in server or proxy config.

                            StartAgentPollers parameter in proxy sets the value of those pollers, which do passive polls towards the agents... If no passive items used, this can be 0 also..
                            StartHTTPAgentPollers is the number of agents that do http polls. If you do not do any http polls, I guess it can be 0.

                            But I think both of those you can leave as they were and not set them to 0...


                            • PmGs
                              Junior Member
                              • Nov 2024
                              • 17

                              #15
                              I had a wrong template.

                              See https://www.zabbix.com/forum/zabbix-...-does-not-work
