Also I’m seeing k2 appear to connect to hosts on port 9?

Our servers (K2) don't actually initiate any connections to hosts, the hosts poll the servers over standard TLS/HTTPs ports via TCP. You should see traffic over 443. I can confirm that IP address is our k2device load balancer. This IP only listens to 80/443. I'm not aware of any explicit code in our agent that would cause the agent to attempt to connect on port 9. That being said, Port 9 is sometimes used to active Wake-On-LAN on a remote server. It can also be used to troubleshoot connectivity (since it's the TCP/UDP equivalent of

dev/null

) My theory, is that our agent's TCP library may attempt to send traffic over this port as part of a series of steps to troubleshoot connectivity issues. I will speak more to our agent engineers to validate that theory, but I wouldn't be alarmed. If you'd rather block that port, feel free our agent works correctly with just outbound 443 enabled. See https://help.kolide.com/en/articles/4252704-kolide-agent-to-servers-connectivity for more details.

I don’t know how to read that — is that udp or tcp?