I have had a number of systems set up with a Splunk forwarder. The forwarders are sending data, and our main Splunk instance is happily indexing it. But today the person who runs the firewall that sits in front of these systems asked me why Splunk would be trying to establish a TCP connection with these systems. These are being denied. Splunk tries it twice (TCP) on port 80, then twice on 443, then twice again on 8089.
Why is it doing that, and what is it trying to do? More importantly, should we be granting access to the Splunk indexer to these machines on those ports, or is it not important?