Thanks. I understand what the picture is meaning.

* PSN --------> TCP/1521 on External Servers

However still want to know what the table2 means.

Table.2 shows not PSN but MnT has TCP/1521 connection.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24…

The connection (TCP/1521 on Mnt -----> XXXX server) doesn't appear on the picture.

Is the connection really required for MnT operation? And What is the destination of the 1521 connection from Mnt?

Understand,thanks! The information is needed for upstream firewall requirement. I'll forward the info to my customer.

Sorry for bothering you again. But I got new question from my customer.

Could you tell me the purpose of the TCP1521 connection from PAN to MnT?

They wants to know why all interfaces on MnT must open the port so asked me the purpose of the TCP connection.

* The guide shows not only g0/Bond0 but also others(g1-5/bond1-2) have to open the port.

You are correct that usually this is going PPAN (g0/bond0) -> MnT (g0/bond0). The table 2 shows it open but not actually used.

Thanks. Usually I and my customer refer the port list to consider upstream firewall policy, so it would be great if we can find only necessary TCP/UDP ports for ISE correct operation. Anyway I'll transfer the info to my end customer.