# Configuring a firewall and opening ports
<a name="network-firewall"></a>

You can enable the firewall on each node on the cluster. You can customize which ports are open on the firewall on a node.

**Where to perform the configuration**

| Node | Work on this node? | 
| --- | --- | 
| Primary Conductor Live node | Yes | 
| Secondary Conductor Live node | Yes | 
| Each worker node | Yes | 

**Topics**
+ [Firewall recommendation](#firewall-recommendation)
+ [Enabling or disabling the product firewall](#firewall-enable-disable)
+ [Working with ports on the product firewall](#firewall-open-ports)

## Firewall recommendation
<a name="firewall-recommendation"></a>

**Your organization's firewall**

We recommend that you always deploy all the nodes behind your organization's firewall, on a private network.

**AWS Elemental product firewall**

Each AWS Elemental product has a built-in firewall.

We recommend that you enable this *product firewall* on the entire cluster.
+ If your nodes are appliances, then the software was already installed on delivery, with the product firewall enabled.
+ If your nodes are on qualified hardware or on VMs, you chose whether to enable the product firewall when you installed the software. We recommend that you enable it. If you didn't enable the firewall during installation, you can enable it now. You must do this individually, on each node.

**Rules for firewall configuration on the Conductor Live nodes**

Both Conductor Live nodes must have the same firewall settings. If they don't, you won't be able to add the secondary node to the cluster.

Port 5432 (TCP) must be open (accepted) on both nodes.
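The two rules above (identical settings on both Conductor Live nodes, and 5432/TCP accepted on both) are easy to check before you try to add the secondary node. The following is an added example, not code from the product or its documentation: it assumes you have transcribed each node's **Firewall Settings** table into a list of `PortRule` rows (a representation constructed here; the product exposes no such export on this page) and reports every difference and every missing required port.

```python
from dataclasses import dataclass


# One row of a node's Firewall Settings page: port number, Type (TCP/UDP),
# and whether Accept is set. This structure is an assumption for the example.
@dataclass(frozen=True)
class PortRule:
    port: int
    proto: str    # "TCP" or "UDP"
    accept: bool


# Ports that the page says must be accepted on both Conductor Live nodes.
REQUIRED_OPEN = {(5432, "TCP")}


def _as_map(rules):
    """Index rules by (port, proto) so both nodes can be compared row by row."""
    return {(r.port, r.proto.upper()): r.accept for r in rules}


def compare_conductor_firewalls(primary, secondary):
    """Return a list of problems; an empty list means the settings match.

    A problem is reported when a (port, proto) exists on only one node, when
    the Accept state differs between nodes, or when a required port is not
    accepted on either node."""
    p, s = _as_map(primary), _as_map(secondary)
    problems = []
    for port, proto in sorted(set(p) | set(s)):
        key = (port, proto)
        if key not in p or key not in s:
            missing_on = "primary" if key not in p else "secondary"
            problems.append(f"{port}/{proto}: rule missing on {missing_on} node")
        elif p[key] != s[key]:
            problems.append(f"{port}/{proto}: Accept is {p[key]} on primary, {s[key]} on secondary")
    for port, proto in sorted(REQUIRED_OPEN):
        for name, rules in (("primary", p), ("secondary", s)):
            if not rules.get((port, proto), False):
                problems.append(f"{port}/{proto}: must be accepted on {name} node")
    return problems


# Constructed sample data (not from real nodes): the secondary has 5432/TCP
# closed and the two port lists differ, so adding it to the cluster would fail.
PRIMARY = [PortRule(22, "TCP", True), PortRule(5432, "TCP", True), PortRule(8443, "TCP", False)]
SECONDARY = [PortRule(22, "TCP", True), PortRule(5432, "TCP", False), PortRule(9000, "UDP", True)]

if __name__ == "__main__":
    for line in compare_conductor_firewalls(PRIMARY, SECONDARY):
        print(line)
```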

## Enabling or disabling the product firewall
<a name="firewall-enable-disable"></a>

Make sure that all the nodes in the cluster are configured in the same way—with the firewall enabled (recommended) or with the firewall disabled.

**To enable or disable the firewall**

1. If you are enabling or disabling the firewall on a Conductor Live node that has HA enabled, [disable it](conductor-live-config-ha-chg.md) now.

1. On the web interface for Conductor Live, go to the **Settings** page and choose **Firewall**.

   Or on the web interface for the worker node, choose **Settings**, then choose the **Firewall** tab.

1. For Conductor Live, choose **Start Firewall** or **Stop Firewall**.

   For a worker node, choose **Firewall On** or **Firewall Off**. Then choose **Save**.

## Working with ports on the product firewall
<a name="firewall-open-ports"></a>

Every node comes with a default list of ports, each of which can be opened or closed. When you enable the product firewall on a node, each port in that list is automatically set to an open or closed state.
+ Some ports are open by default, and you can't change their state. These entries are read-only because the ports must be open for the cluster nodes to work.
+ Other ports are closed by default, and you can change their state.
+ You can also add custom ports and open them.

**To add more incoming ports on the node firewall**

1. Display the **Firewall Settings** page.

1. If necessary, choose **Firewall On** (on a worker node) or **Start Firewall** (on Conductor Live). The list of ports appears.

1. Display the dialog:
   + On Conductor Live, choose **Add Incoming Port** on the right side of the page.
   + On a worker node, go to **Add Incoming Port** at the end of the list.

1. Select **Accept**, choose the **Type** (TCP or UDP), and enter the port number. Choose **Save**.

**To open or close ports on the node firewall**

1. On the node web interface, go to the **Settings** page and choose **Firewall**.

1. Before closing a port that is currently open, read its description, which states the port's purpose. Some ports must remain open.

1. On Conductor Live: choose the edit (pencil) button. In the dialog, choose **OK** to toggle the port's state.

   On a worker node: in the row for the port, select **Accept** to open the port, or clear the **Accept** check box to close it.

1. Choose **Save**.

**To remove a port**

You can't remove a port. Instead, clear the **Accept** field and choose **Save**.