Due to internal secure policies the mgmPort must be disabled: I don't want anything to be able to talk through any port of my Light Forwarder, instead I want it to be an output-only box.
In term of security, if you don't use a component, always better to disable it.
Is it possible to suppress this functionality?
In the file:
$SPLUNK_HOME/etc/system/local/server.conf
add the entry:
[httpServer]
disableDefaultPort = true
Then restart Splunk.
can forwarders still receive updates from the deployment server if the daemon is off?
Yes, because it is a pull-type of connection.
In addition once you set 'disableDefaultPort=true' you will notice that upon start/restart Splunk will still check on the availability of the management port. This does NOT mean that it will use the port eventually.
Note: You will not be able to run successfully CLI admin commands as they retrieve information from Splunk's endpoint using the management port.
In the file:
$SPLUNK_HOME/etc/system/local/server.conf
add the entry:
[httpServer]
disableDefaultPort = true
Then restart Splunk.