TL;DR
- Passive: Zabbix Server pulls from the agent on 10050/TCP (inbound to the host).
- Active: The agent pushes to Server by connecting to 10051/TCP (outbound from the host).
- If your Zabbix lives on a corporate/home network and you monitor internet hosts, prefer Active to avoid opening inbound ports on those hosts.

How Active Works
- Direction: agent → server :10051 (outbound).
- Flow: the agent connects and matches host name (optionally authenticates with TLS), downloads an active item list (based on the host name), schedules checks locally, and batches results back.
- Refresh: the agent refreshes the list periodically (default ~120 s).
- Great for: hosts behind NAT/firewalls, large fleets (lighter on server pollers), and log monitoring (log[], logrt[], Windows eventlog[]), which requires Active.
How Passive Works
- Direction: server → agent :10050 (inbound).
- Flow: server pollers dial the agent to retrieve values on demand.
- Great for: quick ad-hoc testing with zabbix_get, certain long-running custom checks you prefer to pull.
Quick Comparison
| Aspect | Active | Passive | 
|---|---|---|
| Connection | Agent → Server :10051 | Server → Agent :10050 | 
| Firewall/NAT | Outbound only | Inbound to each host | 
| Item types | All common metrics; required for log[]/logrt[]/eventlog[] | All common metrics | 
| Scale | Push/batching; fewer pollers | Polling grows with hosts/items | 
| Debugging | Agent logs, zabbix_sender | zabbix_get -s <ip> -k <key> | 
Typical Topologies
Active (recommended for internet/cloud VMs)
[Monitored Host: zabbix-agent2]
        |  outbound TCP 10051
        v
 [Zabbix Server]
Passive (classic on LAN/VPN)
[Zabbix Server] --inbound 10050--> [Monitored Host: zabbix-agent2]
Minimal Active-Only Setup
Goal: a monitored host that doesn’t need to expose 10050/TCP. The agent only dials out to your server on 10051/TCP.
Scenario: The monitored host is an AWS EC2 instance in a private subnet with no public IP.

- Install the agent (Ubuntu example)
- Configure the agent
/etc/zabbix/zabbix_agent2.conf:
# Must exactly match the host name defined in the Zabbix frontend
Hostname=app.maksonlee.com
# Active target: your Zabbix Server
ServerActive=zabbix.maksonlee.com:10051
# Passive allowlist (irrelevant if you block/ignore 10050)
Server=127.0.0.1
Restart:
sudo systemctl restart zabbix-agent2
- Frontend steps
- Create a host named app.maksonlee.com (exactly matches Hostname=).
- Link an active template (e.g., Linux by Zabbix agent (active)).
- Agent interface IP/DNS: set a meaningful value for inventory/macros, but note that Active data flow doesn’t use it.
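
An added example, not from the original post: a small Python check that audits a zabbix_agent2.conf against the active-only setup described above (exact Hostname match, a ServerActive target, a loopback-only Server allowlist). The function names and the sample config are constructed for illustration; TLSConnect is a real agent parameter that the page's config does not set, and the agent default for it is unencrypted.

```python
import ipaddress

# Constructed sample: the active-only agent config shown on this page.
PAGE_CONF = """\
# Must exactly match the host name defined in the Zabbix frontend
Hostname=app.maksonlee.com
ServerActive=zabbix.maksonlee.com:10051
Server=127.0.0.1
"""

def parse_conf(text):
    """Parse Key=Value lines, skipping blanks and '#' comments (this sketch keeps the last value)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def is_loopback(entry):
    """True for a loopback IP or CIDR; DNS names are treated as non-loopback."""
    try:
        return ipaddress.ip_network(entry, strict=False).is_loopback
    except ValueError:
        return False

def audit_active_only(text, frontend_host):
    """Return a list of findings for an agent that is meant to run active-only."""
    conf, findings = parse_conf(text), []
    hostname = conf.get("Hostname", "")
    if hostname != frontend_host:  # comparison is exact, including case
        findings.append(f"Hostname={hostname!r} does not exactly match frontend host {frontend_host!r}")
    if not conf.get("ServerActive"):
        findings.append("ServerActive is not set: the agent has no server to push to")
    allowed = [e.strip() for e in conf.get("Server", "").split(",") if e.strip()]
    exposed = [e for e in allowed if not is_loopback(e)]
    if exposed:
        findings.append(f"Server= allows passive polling from {', '.join(exposed)}")
    if conf.get("TLSConnect", "unencrypted") == "unencrypted":
        findings.append("TLSConnect is unencrypted: active traffic to the server is not protected")
    return findings

if __name__ == "__main__":
    for finding in audit_active_only(PAGE_CONF, "app.maksonlee.com"):
        print("FINDING:", finding)
```

Run against the page's config, the only finding is the unset TLSConnect, which matters when the agent reaches the server across the internet.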

“Do I need a reachable Agent IP if I use Active?”
- No for data collection: Active doesn’t use the host’s “Agent interface” IP at all. The agent connects outbound to 10051 and pushes results.
- Yes for anything the server must reach: If templates use {HOST.IP} (maps, notifications) or you keep ICMP/web checks and the server can’t reach that address, those items will fail.
Two easy patterns:
- Pure Active: stick to active items only; don’t rely on {HOST.IP}.
- Macro-override targets: for ping/web checks, use macros instead of {HOST.IP}. Example:
  - Change icmpping → icmpping[{$PING_TARGET}]
  - Set {$PING_TARGET} on the host to a reachable public/VPN address.

When to Use Which
- Default to Active for hosts behind NAT/firewalls or on the public internet.
- Keep some Passive only if you need zabbix_get or server-initiated pulls.
