Network Firewall Requirement
The following table lists the Network Firewall / Security Group requirements for GigaVUE Cloud Suite:
Note: When using dual stack network, open the below mentioned ports for both IPv4 and IPv6.
GigaVUE FM
The following table specifies the inbound and outbound communication parameters—protocols, ports, and CIDRs—required for GigaVUE-FM to support secure access, registration, certificate exchange, and control-plane communication with associated components.
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
|
Inbound |
TCP |
443 |
Administrator Subnet |
Allows GigaVUE-FM to accept Management connection using REST API. Allows users to access GigaVUE-FM UI securely through an HTTPS connection. |
|
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access to user-initiated management and diagnostics. |
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
UCT-V Controller IP |
Allows GigaVUE-FM to receive registration requests from UCT-V Controller using REST API. |
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE V Series Node IP |
Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Node using REST API when GigaVUE V Series Proxy is not used. |
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE V Series Proxy IP |
Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Proxy using REST API. |
|
Inbound |
TCP |
443 |
UCT-V Controller IP |
Allows GigaVUE-FM to receive registration requests from UCT-C Controller using REST API. |
|
Inbound |
TCP |
5671 |
GigaVUE V Series Node IP |
Allows GigaVUE‑FM to receive traffic health updates from GigaVUE V Series Nodes. |
|
Inbound |
TCP |
5671 |
UCT-V Controller IP |
Allows GigaVUE‑FM to receive statistics from UCT-V Controllers. |
|
Inbound |
TCP |
9600 |
UCT-V Controller |
Allows GigaVUE‑FM to receive certificate requests from UCT-V Controller. |
|
Inbound |
TCP |
9600 |
GigaVUE V Series Proxy |
Allows GigaVUE‑FM to receive certificate requests from GigaVUE V Series Proxy. |
|
Inbound |
TCP |
9600 |
GigaVUE V Series Node |
Allows GigaVUE‑FM to receive certificate requests from GigaVUE V Series Node. |
|
Inbound |
TCP |
5671 |
UCT-V Controller IP |
Allows GigaVUE‑FM to receive statistics from UCT-C Controllers. |
|
Inbound |
UDP |
2056 |
GigaVUE V Series Node IP |
Allows GigaVUE‑FM to receive Application Intelligence and Application Visualization reports from GigaVUE V Series Node. |
|
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
|
Outbound |
TCP |
9900 |
UCT-V Controller IP |
Allows GigaVUE‑FM to communicate control and management plane traffic with UCT-V Controller. |
|
Outbound (optional) |
TCP |
8890 |
GigaVUE V Series Proxy IP |
Allows GigaVUE‑FM to communicate control and management plane traffic to GigaVUE V Series Proxy. |
|
Outbound |
TCP |
8889 |
GigaVUE V Series Node IP |
Allows GigaVUE‑FM to communicate control and management plane traffic to GigaVUE V Series Node. |
|
Outbound |
TCP |
8443 (default) |
UCT-C Controller IP |
Allows GigaVUE‑FM to communicate control and management plane traffic to UCT-C Controller. |
|
Outbound |
TCP |
80 |
UCT-V Controller IP |
Allows GigaVUE‑FM to send ACME challenge requests to UCT-V Controller. |
|
Outbound |
TCP |
80 |
GigaVUE V Series Node |
Allows GigaVUE‑FM to send ACME challenge requests to GigaVUE V Series Node. |
|
Outbound |
TCP |
80 |
GigaVUE V Series Proxy |
Allows GigaVUE‑FM to send ACME challenge requests to GigaVUE V Series Proxy. |
|
Outbound |
TCP |
443 |
Any IP Address |
Allows GigaVUE‑FM to reach the Public Cloud Platform APIs. |
UCT-V Controller
The following table defines the network communication parameters—protocols, ports, and CIDRs—required for UCT-V Controller to interact with GigaVUE-FM and UCT-V components, supporting registration, diagnostics, certificate exchange, and control-plane operations including third-party orchestration..
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
|
Inbound |
TCP |
9900 |
GigaVUE‑FM IP |
Allows UCT-V Controller to communicate control and management plane traffic with GigaVUE‑FM. |
|
Inbound |
TCP |
9900 |
UCT-V or Subnet IP |
Allows UCT-V Controller to receive traffic health updates from UCT-V. |
|
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
|
Inbound |
TCP |
80 |
GigaVUE‑FM
|
Allows UCT-V Controller to receive the ACME challenge requests from GigaVUE‑FM. |
|
Inbound |
TCP |
8300 |
UCT-VSubnet |
Allows UCT-V Controller to receive the certificate requests from the UCT-V. |
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
8892 |
UCT-V Subnet
|
Allows UCT-V Controller to receive the registration requests and heartbeat from UCT-V. |
|
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
|
Outbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE‑FM IP |
Allows UCT-V Controller to send the registration requests to GigaVUE-FM using REST API. |
|
Outbound |
TCP |
5671 |
GigaVUE-FM IP |
Allows UCT-V Controller to send traffic health updates to GigaVUE-FM. |
|
Outbound (This is the port used for Third Party Orchestration) |
TCP |
9600 |
GigaVUE‑FM IP |
Allows GigaVUE‑FM to receive certificate requests from the UCT-V Controller. |
|
Outbound |
TCP |
9902 |
UCT-V Subnet |
Allows UCT-V Controller to communicate control and management plane traffic with UCT-Vs for UCT-Vs with version greater than 6.10.00. |
|
Outbound |
TCP |
8301 |
UCT-V Subnet |
Allows ACME validation flow from UCT-V Controller to UCT-V. |
UCT-V
The following table outlines UCT-V Controller’s network communication requirements with GigaVUE-FM, detailing essential ports, protocols, and CIDRs for registration, diagnostics, certificate exchange, and orchestration traffic.
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
|
Inbound |
TCP |
9902 |
UCT-V Controller IP |
Allows UCT-V to receive control and management plane traffic from UCT-V Controller. |
|
Inbound |
TCP |
8301 |
UCT-V Controller IP |
Allows UCT-V to receive the ACME challenge requests from the UCT-V Controller. |
|
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
|
Outbound |
UDP (VXLAN) |
VXLAN (default 4789) |
GigaVUE V Series Node IP |
Allows UCT-V to tunnel VXLAN traffic to GigaVUE V Series Nodes. |
|
Outbound |
IP Protocol (L2GRE) |
L2GRE (IP 47) |
GigaVUE V Series Node IP |
Allows UCT-V to tunnel L2GRE traffic to GigaVUE V Series Nodes. |
|
Outbound (Optional - This port is used only for Secure Tunnels) |
TCP |
11443 |
GigaVUE V Series Node IP |
Allows UCT-V to securely transfer the traffic to the GigaVUE V Series Node. |
|
Outbound |
TCP |
9900 |
UCT-V Controller IP |
Allows UCT-V to send traffic health updates to UCT-V Controller. |
|
Outbound (This is the port used for Third Party Orchestration) |
TCP |
8892 |
UCT-V Controller IP |
Allows UCT-V to receive the registration requests and heartbeat to UCT-V Controller. |
|
Outbound |
TCP |
8300 |
UCT-V Controller IP |
Allows UCT-V to receive ACME validation flow from UCT-V Controller. |
GigaVUE V Series Node
The following table outlines GigaVUE V Series Node’s network communication requirements, detailing protocols, ports, and CIDRs necessary for tunneling, management, diagnostics, and secure data transfer across connected components
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
|
Inbound |
TCP |
8889 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE-FM. |
||||||
|
Inbound |
TCP |
8889 |
GigaVUE V Series Proxy IP |
Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE V Series Proxy. |
||||||
|
Inbound |
UDP (VXLAN) |
VXLAN (default 4789) |
UCT-V Subnet IP |
Allows GigaVUE V Series Nodes to receive VXLAN tunnel traffic to UCT-V. |
||||||
|
Inbound |
IP Protocol (L2GRE) |
L2GRE |
UCT-V Subnet IP |
Allows GigaVUE V Series Nodes to receive L2GRE tunnel traffic to UCT-V. |
||||||
|
Inbound |
UDPGRE |
4754 |
Ingress Tunnel |
Allows GigaVUE V Series Node to receive tunnel traffic from UDPGRE Tunnel. |
||||||
|
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
||||||
|
Inbound |
TCP |
80 |
GigaVUE-FM
|
Allows GigaVUE V Series Node to receive the ACME challenge requests from GigaVUE-FM. |
||||||
|
Inbound |
TCP |
80 |
GigaVUE V Series Proxy IP |
Allows UCT-V to receive the ACME challenge requests from the GigaVUE V Series Proxy. |
||||||
|
Inbound (Optional - This port is used only for Secure Tunnels) |
TCP |
11443 |
UCT-V subnet |
Allows to securely transfer the traffic to GigaVUE V Series Nodes. |
||||||
|
Inbound (Optional - This port is used only for configuring AWS Gateway Load Balancer) |
UDP (GENEVE) |
6081 |
Ingress Tunnel |
Allows GigaVUE V Series Node to receive tunnel traffic from AWS Gateway Load Balancer. |
||||||
|
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
|
Outbound |
TCP |
5671 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to send traffic health updates to GigaVUE-FM. |
||||||
|
Outbound |
UDP (VXLAN) |
VXLAN (default 4789) |
Tool IP |
Allows GigaVUE V Series Node to tunnel output to the tool. |
||||||
|
Outbound |
IP Protocol (L2GRE) |
L2GRE (IP 47) |
Tool IP |
Allows GigaVUE V Series Node to tunnel output to the tool. |
||||||
|
Outbound |
UDP |
2056 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to send Application Intelligence and Application Visualization reports to GigaVUE-FM. |
||||||
|
Outbound |
UDP |
2055 |
Tool IP |
Allows GigaVUE V Series Node to send NetFlow Generation traffic to an external tool. |
||||||
|
Outbound |
UDP |
8892 |
GigaVUE V Series Proxy |
Allows GigaVUE V Series Node to send certificate request to GigaVUE V Series Proxy IP. |
||||||
|
Outbound |
TCP |
514 |
Tool IP |
Allows GigaVUE V Series Node to send Application Metadata Intelligence log messages to external tools. |
||||||
|
Bidirectional (optional) |
ICMP |
|
Tool IP |
Allows GigaVUE V Series Node to send health check tunnel destination traffic. |
||||||
|
Outbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE-FM when GigaVUE V Series Proxy is not used. |
||||||
|
Outbound (Optional - This port is used only for Secure Tunnels) |
TCP |
11443 |
Tool IP |
Allows to securely transfer the traffic to an external tool. |
Giga VUE V Series Proxy(Optional)
The following table defines GigaVUE V Series Proxy’s network communication parameters, listing essential protocols, ports, and CIDRs for registration, certificate exchange, diagnostics, and control-plane traffic with GigaVUE-FM and V Series Nodes.
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
|
Inbound |
TCP |
8890 |
GigaVUE‑FM IP |
Allows GigaVUE‑FM to communicate control and management plane traffic with GigaVUE V Series Proxy. |
|
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
|
Inbound |
TCP |
80 |
GigaVUE‑FM
|
Allows GigaVUE V Series Proxy to receive the ACME challenge requests from the GigaVUE‑FM. |
|
Inbound |
TCP |
8300 |
GigaVUE V Series Node
|
Allows GigaVUE V Series Proxy to receive certificate requests from GigaVUE V Series Node for the configured params and provides the certificate using those parameters. |
|
Inbound |
TCP |
8892 |
GigaVUE V Series Node IP
|
Allows GigaVUE V Series Proxy to receive registration requests and heartbeat messages from GigaVUE V Series Node. |
|
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
|
Outbound |
TCP |
443 |
GigaVUE-FM IP |
Allows GigaVUE V Series Proxy to communicate the registration requests to GigaVUE-FM. |
|
Outbound |
TCP |
8889 |
GigaVUE V Series Node IP |
Allows GigaVUE V Series Proxy to communicate control and management plane traffic with GigaVUE V Series Node. |
UCT-C Controller - deployed in Kubernetes worker mode
The following table outlines UCT-C Controller’s network communication parameters in Kubernetes worker mode, specifying TCP ports and CIDRs required for management, statistics exchange, and secure connectivity with GigaVUE-FM.
|
UCT-C Controller deployed inside Kubernetes worker node |
||||
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
|
Inbound |
TCP |
8443 (configurable) |
GigaVUE-FM IP |
Allows GigaVUE‑FM to communicate with UCT-C Controller. |
|
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
|
Outbound |
TCP |
5671 |
Any IP address |
Allows UCT-C Controller to send statistics to GigaVUE‑FM. |
|
Outbound |
TCP |
443 |
GigaVUE-FM IP |
Allows UCT-C Controller to communicate with GigaVUE‑FM. |
Ports for Backward Compatibility
Ensure to open these ports for backward compatibility when GigaVUE‑FM is running version 6.10 or later, and the fabric components are on (n-1) or (n-2) versions.
UCT-V Controller
The following table specifies the communication parameters required for third-party orchestration, detailing the TCP ports and CIDRs used by UCT-V Controller to manage registration and control-plane traffic with UCT-V components.
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
8891 |
UCT-V or Subnet IP |
Allows UCT-V Controller to receive the registration requests from UCT-V. |
|
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
|
Outbound |
TCP |
9901 |
UCT-V Controller IP |
Allows UCT-V Controller to communicate control and management plane traffic with UCT-Vs. |
GigaVUE V Series Node
The following table specifies the outbound communication requirement for GigaVUE V Series Node, detailing the protocol, port, and source CIDR used to send registration and heartbeat messages to the GigaVUE V Series Proxy during third-party orchestration.
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
|
Outbound (This is the port used for Third Party Orchestration) |
TCP |
8891 |
GigaVUE V Series Proxy IP |
Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE V Series Proxy when GigaVUE V Series Proxy is used. |
GigaVUE V Series Proxy(Optional)
The following table specifies the optional inbound communication parameter for GigaVUE V Series Proxy, detailing the protocol, port, and source CIDR required to receive security parameter requests from GigaVUE V Series Node during third-party orchestration.
|
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
|
Inbound (This is the port used for Third Party Orchestration) |
TCP |
8891 |
GigaVUE V Series Node IP |
Allows GigaVUE V Series Proxy to receive security parameter requests from GigaVUE V Series Node. |
