Veeam B&R 12.x upgrades and Port 6160/TCP destiny

[Parnassus]

Hi all, I'm searching a confirmantion about the Port 6160/TCP destiny on a (Linux) hardened Backup Repository just after a Veeam B&R upgrade (say moving from 12.2 to 12.3, as example).

I noticed that on our Linux hosts the configured firewall set or rules change after the upgrade (say upgrading from 12.2.0.334 to 12.3.0.310, done today).

The set changes from having those ports permanently opened:

2500-3300/tcp <--- Default range of ports used as transmission channels
6160/tcp <---------- Veeam Installer Service for Linux
6162/tcp <---------- Veeam Data Mover Service

to this set:

2500-3300/tcp
6162/tcp

losing every time the 6160/TCP (and every time I manually add it permanently again).

Is it that behaviour expected?
Is permanently opening the 6160/TCP port back again a correct action to perform on the Host firewall or I should expect that, during a next upgrade, having the previous upgrade procedure closed it, the next invoked upgrade procedure will open automatically it again (for the sole duration required by the agent update procedure)?

[Mildur]

Hi Davide

You don't have to open it manually. The backup server will request to open it automatically when required.

This change was introduced in v12.1: Whats New - Veeam Backup & Replication v12.1 - Page 9

Reduced number of active ports — to further reduce attack surface, hardened repositories will now
continuously listen to the single Transport port (TCP 6162) only, instead of two ports. The Deployer port
(TCP 6160) will be automatically opened and closed only for the duration of the hardened repository
components upgrade

Best,
Fabian

[Parnassus]

Thanks Fabian, great! I totally missed that explicative note despite I've read here and there on the forum about the "famous" 6160/tcp and what happened, at some point, with Veeam B&R 12.1.1...thank you! Davide.