diff --git a/doc/ports.md b/doc/ports.md
index 89c93d3d9f6219b104f64f7cc72d4eee648defaa..92753f7a7de6dc96582ace2bdd2766a8e6567ac8 100644
--- a/doc/ports.md
+++ b/doc/ports.md
@@ -10,7 +10,7 @@ The list of TCP ports used in SOCtools, as available from the outside:
 |  6443 | MISP |
 |  8888 | haproxy-stats (login: `haproxy`, password is in `secrets/passwords/haproxy`)
 |  9000 | TheHive |
-|  9001   | Cortex |
+|  9001 | Cortex |
 |  9443 | NiFi web GUI |
 | 12443 | Keycloak |
 
@@ -23,13 +23,33 @@ The following port ranges are opened by haproxy to allow receiving data from ext
 
 TODO
 
-Notes: According to haproxy.cfg, the followng ports are forwarded to NiFi:
+NOTES-1: According to haproxy.cfg, the followng ports are forwarded to NiFi:
 - 7750-7760 (tcp)
 - 7771 (tcp)
 - 5000-5020 (http)
 - 6000-6020 (tcp)
 In fact, I can connect (using `nc`) to these ports 7750, 5000-5099, 6000-6099 (i.e. not 7751-7760, 7771; on the other hand, the 50??,60?? ranges are wider, I don't know where they are pointed to).
 
+NOTES-2: haproxy container is listening on following ports:
+- 0.0.0.0:443->443/tcp
+- 0.0.0.0:5000-5099->5000-5099/tcp
+- 0.0.0.0:6000-6099->6000-6099/tcp
+- 0.0.0.0:7750->7750/tcp
+- 0.0.0.0:8443->8443/tcp
+- 0.0.0.0:8888->8888/tcp
+- 0.0.0.0:9000-9001->9000-9001/tcp
+- 0.0.0.0:9200->9200/tcp
+- 0.0.0.0:9443->9443/tcp
+
+NOTES-3: From haproxy.cfg, following ports should go through haproxy, but are actually only monitored from haproxy container:
+|  8888 | haproxy-stats |
+|  9000 | TheHive |
+|  9001 | Cortex |
+|  9200 | ODFEES |
+|  9443 | NiFi web GUI |
+| 12443 | Keycloak | - incorectly configured frontend on port 10443
+
+
 
 Ports already used or reserved for ingesting specific data into the system via NiFi: