port 8777 open on gateway 9.x

Document ID : KB000110278
Last Modified Date : 17/08/2018
On Gateway 9.x there is a firewall rule that opens port 8777. This port is used for internode communication in a clustered environment. See also https://docops.ca.com/ca-api-gateway/9-3/en/install-configure-upgrade/configure-the-appliance-gateway/prepare-the-network-appliance

Can this port be blocked in a non clustered gateway?
Each SSG, and/or each SSG cluster, determines a random multicast address at first startup and continually broadcasts message IDs and other information on eth0 (the network interface intended to be the private or high-side of the SSG). These multicast messages are used by other SSGs on the same Layer 2 network to prevent message replay attacks: when one SSG processes a message, it immediately broadcasts on the wire to the other SSGs listening on port 8777, and they use the message IDs as a black-list for the next few minutes to prevent that same message from being played back and routed through another SSG in the cluster.

If you are not running in clustered mode, you can turn off this chatty traffic by setting the cluster property cluster.replayProtection.multicast.enabled to false and restarting the SSG node(s).

This will not prevent the TCP/UDP listener on port 8777 from starting, but it will lessen the traffic on the Layer 2 network connected to eth0 if you are not running in cluster mode.
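To make the replay-protection mechanism above concrete, the following is an added simulation, not Gateway code and not how the SSG actually stores its black-list: two nodes share accepted message IDs the way the port 8777 broadcast does, and each keeps them for a few minutes. The node names, the 300 second window and the message ID are constructed; it shows why disabling the multicast on a single node is harmless, while on a cluster it would let a replayed message through a second node.

```python
class ReplayCache:
    """Per-node black-list of recently seen message IDs, each held for ttl seconds."""
    def __init__(self, ttl=300.0):
        self.ttl = ttl
        self._seen = {}  # message_id -> expiry timestamp (constructed clock)

    def record(self, message_id, now):
        """Remember an ID seen locally or learned from a peer's broadcast."""
        self._seen.setdefault(message_id, now + self.ttl)

    def is_fresh(self, message_id, now):
        """True if the ID is not black-listed; expired entries are evicted first."""
        for mid in [m for m, exp in self._seen.items() if exp <= now]:
            del self._seen[mid]
        return message_id not in self._seen

class Node:
    """A simulated SSG; 'multicast' mirrors cluster.replayProtection.multicast.enabled."""
    def __init__(self, name, peers, multicast=True, ttl=300.0):
        self.name, self.peers, self.multicast = name, peers, multicast
        self.cache = ReplayCache(ttl)

    def process(self, message_id, now):
        """Accept (True) or reject (False) a message; on accept, tell the peers."""
        if not self.cache.is_fresh(message_id, now):
            return False
        self.cache.record(message_id, now)
        if self.multicast:
            for peer in self.peers:
                if peer is not self:
                    peer.cache.record(message_id, now)  # stands in for the port 8777 broadcast
        return True

def simulate(multicast, ttl=300.0):
    """Replay msg-1 against a two-node cluster and report each node's decision."""
    peers = []
    a = Node("ssg-a", peers, multicast, ttl)
    b = Node("ssg-b", peers, multicast, ttl)
    peers.extend([a, b])
    t0 = 1000.0  # constructed clock, seconds
    return {
        "first_on_a": a.process("msg-1", t0),
        "replay_on_a": a.process("msg-1", t0 + 1),
        "replay_on_b": b.process("msg-1", t0 + 2),
        "after_expiry_on_b": b.process("msg-1", t0 + ttl + 10),
    }

if __name__ == "__main__":
    print("clustered, multicast on :", simulate(True))
    print("clustered, multicast off:", simulate(False))
```

With the multicast on, the replay sent to ssg-b is rejected because ssg-b learned the ID from ssg-a; with it off, ssg-b accepts the replay, which is why the property should only be disabled on a non-clustered gateway.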