Network Firewall Requirement for GigaVUE Cloud Suite
The following table lists the Network Firewall / Security Group requirements for GigaVUE Cloud Suite:
Note: When using dual stack network, open the below mentioned ports for both IPv4 and IPv6.
|
GigaVUE‑FM |
||||||||||
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
|
Inbound |
TCP |
443 |
Administrator Subnet |
Allows GigaVUE-FM to accept Management connection using REST API. Allows users to access GigaVUE-FM UI securely through an HTTPS connection. |
||||||
|
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access to user-initiated management and diagnostics. |
||||||
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
UCT-V Controller IP |
Allows GigaVUE-FM to receive registration requests from UCT-V Controller using REST API. |
||||||
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE V Series Node IP |
Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Node using REST API when GigaVUE V Series Proxy is not used. |
||||||
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE V Series Proxy IP |
Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Proxy using REST API. |
||||||
|
Inbound |
TCP |
443 |
UCT-C Controller IP |
Allows GigaVUE-FM to receive registration requests from UCT-C Controller using REST API. |
||||||
|
Inbound |
TCP |
5671 |
GigaVUE V Series Node IP |
Allows GigaVUE‑FM to receive traffic health updates from GigaVUE V Series Nodes. |
||||||
|
Inbound |
TCP |
5671 |
UCT-V Controller IP |
Allows GigaVUE‑FM to receive statistics from UCT-V Controllers. |
||||||
|
Inbound |
TCP |
9600 |
UCT-V Controller |
Allows GigaVUE‑FM to receive certificate requests from UCT-V Controller. |
||||||
|
Inbound |
TCP |
9600 |
GigaVUE V Series Proxy |
Allows GigaVUE‑FM to receive certificate requests from GigaVUE V Series Proxy. |
||||||
|
Inbound |
TCP |
9600 |
GigaVUE V Series Node |
Allows GigaVUE‑FM to receive certificate requests from GigaVUE V Series Node. |
||||||
|
Inbound |
TCP |
5671 |
UCT-V Controller IP |
Allows GigaVUE‑FM to receive statistics from UCT-C Controllers. |
||||||
|
Inbound |
UDP |
2056 |
GigaVUE V Series Node IP |
Allows GigaVUE‑FM to receive Application Intelligence and Application Visualization reports from GigaVUE V Series Node. |
||||||
|
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
|
Outbound |
TCP |
9900 |
UCT-V Controller IP |
Allows GigaVUE‑FM to communicate control and management plane traffic with UCT-V Controller. |
||||||
|
Outbound (optional) |
TCP |
8890 |
GigaVUE V Series Proxy IP |
Allows GigaVUE‑FM to communicate control and management plane traffic to GigaVUE V Series Proxy. |
||||||
|
Outbound |
TCP |
8889 |
GigaVUE V Series Node IP |
Allows GigaVUE‑FM to communicate control and management plane traffic to GigaVUE V Series Node. |
||||||
|
Outbound |
TCP |
8443 (default) |
UCT-C Controller IP |
Allows GigaVUE‑FM to communicate control and management plane traffic to UCT-C Controller. |
||||||
|
Outbound |
TCP |
80 |
UCT-V Controller IP |
Allows GigaVUE‑FM to send ACME challenge requests to UCT-V Controller. |
||||||
|
Outbound |
TCP |
80 |
GigaVUE V Series Node |
Allows GigaVUE‑FM to send ACME challenge requests to GigaVUE V Series Node. |
||||||
|
Outbound |
TCP |
80 |
GigaVUE V Series Proxy |
Allows GigaVUE‑FM to send ACME challenge requests to GigaVUE V Series Proxy. |
||||||
|
Outbound |
TCP |
443 |
Any IP Address |
Allows GigaVUE‑FM to reach the Public Cloud Platform APIs. |
||||||
|
UCT-V Controller |
||||||||||
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
|
Inbound |
TCP |
9900 |
GigaVUE‑FM IP |
Allows UCT-V Controller to communicate control and management plane traffic with GigaVUE‑FM |
||||||
|
Inbound |
TCP |
9900 |
UCT-V or Subnet IP |
Allows UCT-V Controller to receive traffic health updates from UCT-V. |
||||||
|
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
||||||
|
Inbound |
TCP |
80 |
GigaVUE-FM
|
Allows UCT-V Controller to receive the ACME challenge requests from the GigaVUE-FM |
||||||
|
Inbound |
TCP |
8300 |
UCT-V Subnet
|
Allows UCT-V Controller to receive the certificate requests from the UCT-V |
||||||
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
8892 |
UCT-V Subnet
|
Allows UCT-V Controller to receive the registration requests and heartbeat from UCT-V. |
||||||
|
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
|
Outbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE‑FM IP |
Allows UCT-V Controller to send the registration requests to GigaVUE-FM using REST API. |
||||||
|
Outbound |
TCP |
5671 |
GigaVUE-FM IP |
Allows UCT-V Controller to send traffic health updates to GigaVUE‑FM. |
||||||
|
Outbound (This is the port used for Third Party Orchestration) |
TCP |
9600 |
GigaVUE‑FM IP |
Allows GigaVUE-FM to receive certificate requests from the UCT-V Controller. |
||||||
|
Outbound |
TCP |
9902 |
UCT-V Subnet |
Allows UCT-V Controller to communicate control and management plane traffic with UCT-Vs for UCT-Vs with version greater than 6.10.00. |
||||||
|
Outbound |
TCP |
8301 |
UCT-V Subnet |
Allows ACME validation flow from UCT-V Controller to UCT-V. |
||||||
|
UCT-V |
||||||||||
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
|
Inbound |
TCP |
9902 |
UCT-V Controller IP |
Allows UCT-V to receive control and management plane traffic from UCT-V Controller |
||||||
|
Inbound |
TCP |
8301 |
UCT-V Controller IP |
Allows UCT-V to receive the ACME challenge requests from the UCT-V Controller |
||||||
|
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
|
Outbound |
UDP (VXLAN) |
VXLAN (default 4789) |
GigaVUE V Series Node IP |
Allows UCT-V to tunnel VXLAN traffic to GigaVUE V Series Nodes |
||||||
|
Outbound |
IP Protocol (L2GRE) |
L2GRE (IP 47) |
GigaVUE V Series Node IP |
Allows UCT-V to tunnel L2GRE traffic to GigaVUE V Series Nodes |
||||||
|
Outbound (Optional - This port is used only for Secure Tunnels) |
TCP |
11443 |
GigaVUE V Series Node IP |
Allows UCT-V to securely transfer the traffic to the GigaVUE V Series Node |
||||||
|
Outbound |
TCP |
9900 |
UCT-V Controller IP |
Allows UCT-V to send traffic health updates to UCT-V Controller. |
||||||
|
Outbound (This is the port used for Third Party Orchestration) |
TCP |
8892 |
UCT-V Controller IP |
Allows UCT-V to receive the registration requests and heartbeat to UCT-V Controller. |
||||||
|
Outbound |
TCP |
8300 |
UCT-V Controller IP |
Allows UCT-V to receive ACME validation flow from UCT-V Controller |
||||||
|
GigaVUE V Series Node |
||||||||||
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
|
Inbound |
TCP |
8889 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE-FM |
||||||
|
Inbound |
TCP |
8889 |
GigaVUE V Series Proxy IP |
Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE V Series Proxy. |
||||||
|
Inbound |
UDP (VXLAN) |
VXLAN (default 4789) |
UCT-V Subnet IP |
Allows GigaVUE V Series Nodes to receive VXLAN tunnel traffic to UCT-V |
||||||
|
Inbound |
IP Protocol (L2GRE) |
L2GRE |
UCT-V Subnet IP |
Allows GigaVUE V Series Nodes to receive L2GRE tunnel traffic to UCT-V |
||||||
|
Inbound |
UDPGRE |
4754 |
Ingress Tunnel |
Allows GigaVUE V Series Node to receive tunnel traffic from UDPGRE Tunnel |
||||||
|
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
||||||
|
Inbound |
TCP |
80 |
GigaVUE-FM
|
Allows GigaVUE V Series Node to receive the ACME challenge requests from GigaVUE-FM |
||||||
|
Inbound |
TCP |
80 |
GigaVUE V Series Proxy IP |
Allows UCT-V to receive the ACME challenge requests from the GigaVUE V Series Proxy |
||||||
|
Inbound (Optional - This port is used only for Secure Tunnels) |
TCP |
11443 |
UCT-V subnet |
Allows to securely transfer the traffic to GigaVUE V Series Nodes. |
||||||
|
Inbound (Optional - This port is used only for configuring AWS Gateway Load Balancer) |
UDP (GENEVE) |
6081 |
Ingress Tunnel |
Allows GigaVUE V Series Node to receive tunnel traffic from AWS Gateway Load Balancer. |
||||||
|
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
|
Outbound |
TCP |
5671 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to send traffic health updates to GigaVUE-FM. |
||||||
|
Outbound |
UDP (VXLAN) |
VXLAN (default 4789) |
Tool IP |
Allows GigaVUE V Series Node to tunnel output to the tool. |
||||||
|
Outbound |
IP Protocol (L2GRE) |
L2GRE (IP 47) |
Tool IP |
Allows GigaVUE V Series Node to tunnel output to the tool. |
||||||
|
Outbound |
UDP |
2056 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to send Application Intelligence and Application Visualization reports to GigaVUE-FM. |
||||||
|
Outbound |
UDP |
2055 |
Tool IP |
Allows GigaVUE V Series Node to send NetFlow Generation traffic to an external tool. |
||||||
|
Outbound |
UDP |
8892 |
GigaVUE V Series Proxy |
Allows GigaVUE V Series Node to send certificate request to GigaVUE V Series Proxy IP. |
||||||
|
Outbound |
TCP |
514 |
Tool IP |
Allows GigaVUE V Series Node to send Application Metadata Intelligence log messages to external tools. |
||||||
|
Bidirectional (optional) |
ICMP |
|
Tool IP |
Allows GigaVUE V Series Node to send health check tunnel destination traffic. |
||||||
|
Outbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE-FM when GigaVUE V Series Proxy is not used. |
||||||
|
Outbound (Optional - This port is used only for Secure Tunnels) |
TCP |
11443 |
Tool IP |
Allows to securely transfer the traffic to an external tool. |
||||||
|
GigaVUE V Series Proxy (optional) |
||||||||||
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
|
Inbound |
TCP |
8890 |
GigaVUE‑FM IP |
Allows GigaVUE‑FM to communicate control and management plane traffic with GigaVUE V Series Proxy. |
||||||
|
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
||||||
|
Inbound |
TCP |
80 |
GigaVUE‑FM
|
Allows GigaVUE V Series Proxy to receive the ACME challenge requests from the GigaVUE‑FM |
||||||
|
Inbound |
TCP |
8300 |
GigaVUE V Series Node
|
Allows GigaVUE V Series Proxy to receive certificate requests from GigaVUE V Series Node for the configured params and provides the certificate using those parameters. |
||||||
|
Inbound |
TCP |
8892 |
GigaVUE V Series Node IP
|
Allows GigaVUE V Series Proxy to receive registration requests and heartbeat messages from GigaVUE V Series Node. |
||||||
|
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
|
Outbound |
TCP |
443 |
GigaVUE-FM IP |
Allows GigaVUE V Series Proxy to communicate the registration requests to GigaVUE-FM |
||||||
|
Outbound |
TCP |
8889 |
GigaVUE V Series Node IP |
Allows GigaVUE V Series Proxy to communicate control and management plane traffic with GigaVUE V Series Node |
||||||
|
Universal Cloud Tap - Container deployed inside Kubernetes worker node |
||||||||||
|
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
|
Outbound |
TCP |
42042 |
Any IP address |
Allows UCT-C to send statistical information to UCT-C Controller. |
||||||
|
Outbound |
UDP |
VXLAN (default 4789) |
Any IP address |
Allows UCT-C to tunnel traffic to the GigaVUE V Series Node or other destination. |
||||||
|
UCT-C Controller deployed inside Kubernetes worker node |
||||||||||
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
|
Inbound |
TCP |
8443 (configurable) |
GigaVUE-FM IP |
Allows GigaVUE-FM to communicate with UCT-C Controller. |
||||||
|
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
|
Outbound |
TCP |
5671 |
Any IP address |
Allows UCT-C Controller to send statistics to GigaVUE‑FM. |
||||||
|
Outbound |
TCP |
443 |
GigaVUE-FM IP |
Allows UCT-C Controller to communicate with GigaVUE‑FM. |
||||||
Ports to be opened for Backward Compatibility:
These ports must be opened for backward compatibility when GigaVUE-FM is running version 6.10 or later, and the fabric components are on (n-1) or (n-2) versions.
|
UCT-V Controller |
||||
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
8891 |
UCT-V or Subnet IP |
Allows UCT-V Controller to receive the registration requests from UCT-V. |
|
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
|
Outbound |
TCP |
9901 |
UCT-V Controller IP |
Allows UCT-V Controller to communicate control and management plane traffic with UCT-Vs. |
|
UCT-V |
||||
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
|
Outbound (This is the port used for Third Party Orchestration) |
TCP |
8891 |
UCT-V Controller IP |
Allows UCT-V to communicate with UCT-V Controller for registration and Heartbeat |
|
GigaVUE V Series Node |
||||
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
|
Outbound (This is the port used for Third Party Orchestration) |
TCP |
8891 |
GigaVUE V Series Proxy IP |
Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE V Series Proxy when GigaVUE V Series Proxy is used. |
|
GigaVUE V Series Proxy (optional) |
||||
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
8891 |
GigaVUE V Series Node IP |
Allows GigaVUE V Series Proxy to receive security parameter requests from GigaVUE V Series Node. |
