https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/Can-Managed-be-installed-or-run-without-firewalld-and-nft/m-p/297329#M4698 <P>Hi,</P><P>A client is insisting they do not use local (operating system) firewalls in their environment and is questioning the need for firewalld and nftables for Managed. We've explained that it is used to make the Managed setup as secure as possible, incl. traffic between nodes, but they are adament that without any firewall blocking ports, we should be able to run Managed without firewalld and nft present.</P><P>Can Managed be installed and run without issues without those present?</P><P>The installer checks for this and warns that neither are present, but the question is whether the warning can be ignored without any future impact?<BR />I know Managed has a firewall component, which I assume relies on nft/firewalld to operate correctly...but that really is the question: why is the firewall component critical when these systems are typically placed inside the client network (LAN), behind perimeter firewalls?</P> Tue, 07 Apr 2026 12:07:23 GMT andre_vdveen 2026-04-07T12:07:23Z https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/Can-Managed-be-installed-or-run-without-firewalld-and-nft/m-p/297329#M4698 <P>Hi,</P><P>A client is insisting they do not use local (operating system) firewalls in their environment and is questioning the need for firewalld and nftables for Managed. We've explained that it is used to make the Managed setup as secure as possible, incl. traffic between nodes, but they are adament that without any firewall blocking ports, we should be able to run Managed without firewalld and nft present.</P><P>Can Managed be installed and run without issues without those present?</P><P>The installer checks for this and warns that neither are present, but the question is whether the warning can be ignored without any future impact?<BR />I know Managed has a firewall component, which I assume relies on nft/firewalld to operate correctly...but that really is the question: why is the firewall component critical when these systems are typically placed inside the client network (LAN), behind perimeter firewalls?</P> Tue, 07 Apr 2026 12:07:23 GMT https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/Can-Managed-be-installed-or-run-without-firewalld-and-nft/m-p/297329#M4698 andre_vdveen 2026-04-07T12:07:23Z https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/Can-Managed-be-installed-or-run-without-firewalld-and-nft/m-p/297330#M4699 <P>Hi,</P><P>Dynatrace Managed can run without firewalld or nftables, and the installer warning is not blocking.</P><P>However, documentation shows that firewall rules are used for traffic routing and access control.</P><P>Here you have some related topisc:</P><UL><LI><A href="https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/How-to-change-the-port-for-Dynatrace-Managed/m-p/120465" target="_self">How to change the port for Dynatrace Managed</A>&nbsp;</LI><LI><A href="https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/Installing-Dynatrace-cluster-on-hardened-CIS-image-Ubuntu-22-04/m-p/200726" target="_self">Installing Dynatrace cluster on hardened CIS image</A><SPAN>&nbsp;</SPAN></LI></UL><P><SPAN>So It is possible to disable the firewall, but then all network configuration and security must be handled manually.</SPAN></P> Tue, 07 Apr 2026 12:35:54 GMT https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/Can-Managed-be-installed-or-run-without-firewalld-and-nft/m-p/297330#M4699 t_pawlak 2026-04-07T12:35:54Z https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/Can-Managed-be-installed-or-run-without-firewalld-and-nft/m-p/297455#M4701 <P>So, we can run Managed without firewalld active - tested that and it seems to be working as expected.</P><P>However, when the hosts are rebooted, the nftables ruleset is cleared and the Dynatrace firewall.sh script fails to load the nftables rules back (timeout), as it seemingly relies on firewalld - see output of firewall.sh status below.</P><PRE>./dynatrace.sh status<BR />Redirecting to /bin/systemctl status dynatrace-firewall.service<BR />× dynatrace-firewall.service - Dynatrace Firewall settings<BR />Loaded: loaded (/etc/systemd/system/dynatrace-firewall.service; enabled; preset: disabled)<BR />Active: failed (Result: timeout) since Thu 2026-04-09 15:28:55 SAST; 2min 15s ago<BR />Main PID: 1617<BR />CPU: 259ms<BR /><BR />Apr 09 15:29:01 redacted.co.za firewall.sh[18570]: Error: Could not process rule: No such file or directory<BR />Apr 09 15:29:01 redacted.co.za firewall.sh[18570]: insert rule inet <FONT color="#FF0000"><STRONG>firewalld</STRONG></FONT> mangle_PREROUTING jump dt_mangle_PREROUTING<BR />Apr 09 15:29:01 redacted.co.za firewall.sh[18570]: ^^^^^^^^^<BR />Apr 09 15:29:01 redacted.co.za firewall.sh[18576]: Error: Could not process rule: No such file or directory<BR />Apr 09 15:29:01 redacted.co.za firewall.sh[18576]: insert rule inet <STRONG><FONT color="#FF0000">firewalld</FONT></STRONG> filter_INPUT jump dt_filter_INPUT<BR />Apr 09 15:29:01 redacted.co.za firewall.sh[18576]: ^^^^^^^^^<BR />Apr 09 15:29:01 redacted.co.za firewall.sh[18578]: Error: Could not process rule: No such file or directory<BR />Apr 09 15:29:01 redacted.co.za firewall.sh[18578]: insert rule inet <STRONG><FONT color="#FF0000">firewalld</FONT></STRONG> filter_FORWARD jump dt_filter_FORWARD<BR />Apr 09 15:29:01 redacted.co.za firewall.sh[18578]: ^^^^^^^^^<BR />Apr 09 15:29:01 redacted.co.za firewall.sh[1617]: Adding rules ... failed.</PRE><P>&nbsp;How do we get around this, and future proof it so that when Managed updates are applied, we do not have to redo all of the work manually again?</P><P>The current /etc/dynatrace.conf lists the following re: firewall</P><PRE>FIREWALL_ENABLED = true<BR />FIREWALL_TYPE_DETECTION = on<BR />FIREWALL_TYPE = nftables</PRE><P>&nbsp;</P> Thu, 09 Apr 2026 13:47:46 GMT https://community.dynatrace.com/t5/Dynatrace-Managed-Q-A/Can-Managed-be-installed-or-run-without-firewalld-and-nft/m-p/297455#M4701 andre_vdveen 2026-04-09T13:47:46Z