Network Firewall Requirement for GigaVUE Cloud Suite

The following table lists the Network Firewall / Security Group requirements for GigaVUE Cloud Suite.

Note:  When using dual stack network, the below mentioned ports must be opened for both IPv4 and IPv6.

Direction

Protocol

Port

CIDR

Purpose

GigaVUE‑FM

Inbound

TCP

443

Administrator Subnet

Allows GigaVUE-FM to accept Management connection using REST API.

Allows users to access GigaVUE-FM UI securely through HTTPS connection.

Inbound

TCP

22

Administrator Subnet

Allows CLI access to user-initiated management and diagnostics.

Inbound

(This is the port used for Third Party Orchestration)

TCP

443

UCT-V Controller IP

Allows GigaVUE-FM to receive registration requests from UCT-V Controller using REST API.

Inbound

(This is the port used for Third Party Orchestration)

TCP

443

GigaVUE V Series Node IP

Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Node using REST API when GigaVUE V Series Proxy is not used.

Inbound

(This is the port used for Third Party Orchestration)

TCP

443

GigaVUE V Series Proxy IP

Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Proxy using REST API.

Inbound

TCP

5671

GigaVUE V Series Node IP

Allows GigaVUE‑FM to receive traffic health updates from GigaVUE V Series Nodes.

Inbound

TCP

5671

UCT-V or Subnet IP

Allows GigaVUE‑FM to receive statistics from Next Generation UCT-V.

Inbound

UDP

2056

GigaVUE V Series Node IP

Allows GigaVUE‑FM to receive Application Intelligence and Application Visualization reports from GigaVUE V Series Node.

Outbound

TCP

9900

GigaVUE‑FM IP

Allows GigaVUE‑FM to communicate control and management plane traffic with UCT-V Controller

Outbound (optional)

TCP

8890

GigaVUE V Series Proxy IP

Allows GigaVUE‑FM to communicate control and management plane traffic to GigaVUE V Series Proxy

Outbound

TCP

8889

GigaVUE V Series Node IP

Allows GigaVUE‑FM to communicate control and management plane traffic to GigaVUE V Series Node

Outbound

TCP

443

Any IP Address

Allows GigaVUE‑FM to reach the Public Cloud Platform APIs.

UCT-V Controller

Inbound

TCP

9900

GigaVUE‑FM IP

Allows UCT-V Controller to communicate control and management plane traffic with GigaVUE‑FM

Inbound

(This is the port used for Third Party Orchestration)

TCP

8891

UCT-V or Subnet IP

Allows UCT-V Controller to receive the registration requests from UCT-V.

Inbound

TCP

22

Administrator Subnet

Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration.

Outbound

(This is the port used for Third Party Orchestration)

TCP

443

GigaVUE‑FM IP

Allows UCT-V Controller to send the registration requests to GigaVUE-FM using REST API.

Outbound

TCP

9901

UCT-V Controller IP

Allows UCT-V Controller to communicate control and management plane traffic with UCT-Vs.

Outbound

TCP

5671

GigaVUE-FM IP

Allows UCT-V Controller to send traffic health updates to GigaVUE‑FM.

UCT-V

Inbound

TCP

9901

UCT-V Controller IP

Allows UCT-V to receive control and management plane traffic from UCT-V Controller

Outbound

(This is the port used for Third Party Orchestration)

TCP

8891

UCT-V Subnet IP

Allows UCT-V to communicate with UCT-V Controller for registration and Heartbeat

Outbound

UDP (VXLAN)

VXLAN (default 4789)

UCT-V Subnet IP

Allows UCT-V to tunnel VXLAN traffic to GigaVUE V Series Nodes

Outbound

IP Protocol (L2GRE)

VXLAN (default 4789)

UCT-V Subnet IP

Allows UCT-V to tunnel L2GRE traffic to GigaVUE V Series Nodes

Outbound

(Optional - This port is used only for Secure Tunnels)

TCP

11443

UCT-V subnet

Allows UCT-V to securely transfer the traffic to the GigaVUE V Series Node

Outbound

TCP

9900

UCT-V Controller IP

Allows UCT-V to send traffic health updates to UCT-V Controller.

GigaVUE V Series Proxy (optional)

Inbound

TCP

8890

GigaVUE‑FM IP

Allows GigaVUE‑FM  to communicate control and management plane traffic with GigaVUE V Series Proxy.

Inbound

(This is the port used for Third Party Orchestration)

TCP

8891

GigaVUE V Series Node IP

Allows GigaVUE V Series Proxy to receive registration requests and heartbeat messages from GigaVUE V Series Node.

Inbound

TCP

22

Administrator Subnet

Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration.

Outbound

TCP

443

GigaVUE-FM IP

Allows GigaVUE V Series Proxy to communicate the registration requests to GigaVUE-FM

Outbound

TCP

8889

GigaVUE V Series Node IP

Allows GigaVUE V Series Proxy to communicate control and management plane traffic with GigaVUE V Series Node

GigaVUE V Series Node

Inbound

TCP

8889

GigaVUE-FM IP

Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE-FM

Inbound

TCP

8889

GigaVUE V Series Proxy IP

Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE V Series Proxy.

Inbound

UDP (VXLAN)

VXLAN (default 4789)

UCT-V Subnet IP

Allows GigaVUE V Series Nodes to receive VXLAN tunnel traffic to UCT-V

Inbound

IP Protocol (L2GRE)

L2GRE

UCT-V Subnet IP

Allows GigaVUE V Series Nodes to receive L2GRE tunnel traffic to UCT-V

Inbound

UDPGRE

4754

Ingress Tunnel

Allows GigaVUE V Series Node to receive tunnel traffic from UDPGRE Tunnel

Inbound

TCP

22

Administrator Subnet

Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration.

Inbound

(Optional - This port is used only for Secure Tunnels)

TCP

11443

UCT-V subnet

Allows to securely transfer the traffic to GigaVUE V Series Nodes.

Outbound

TCP

5671

GigaVUE-FM IP

Allows GigaVUE V Series Node to send traffic health updates to GigaVUE‑FM.

Outbound

UDP (VXLAN)

VXLAN (default 4789)

Tool IP

Allows GigaVUE V Series Node to tunnel output to the tool.

Outbound

IP Protocol (L2GRE)

VXLAN (default 4789)

Tool IP

Allows GigaVUE V Series Node to tunnel output to the tool.

Outbound

UDP

2056

GigaVUE-FM IP

Allows GigaVUE V Series Node to send Application Intelligence and Application Visualization reports to GigaVUE-FM.

Outbound

UDP

2055

Tool IP

Allows GigaVUE V Series Node to send NetFlow traffic to an external tool.

Outbound

UDP

514

Tool IP

Allows GigaVUE V Series Node to send Application Metadata Intelligence log messages to external tools.

Bidirectional (optional)

ICMP
echo request
echo reply

Tool IP

Allows GigaVUE V Series Node to send health check tunnel destination traffic.

Outbound

(This is the port used for Third Party Orchestration)

TCP

8891

GigaVUE V Series Proxy IP

Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE V Series Proxy when GigaVUE V Series Proxy is used.

Outbound

(This is the port used for Third Party Orchestration)

TCP

443

GigaVUE-FM IP

Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE-FM when GigaVUE V Series Proxy is not used.

Outbound

(Optional - This port is used only for Secure Tunnels)

TCP

11443

Tool IP

Allows to securely transfer the traffic to an external tool.

Universal Cloud Tap - Container deployed inside Kubernetes worker node

Outbound

TCP

42042

Any IP address

Allows UCT-C to send statistics information to UCT-C Controller.

Outbound

UDP

VXLAN (default 4789)

Any IP address

Allows UCT-C to tunnel traffic to the GigaVUE V Series Node or other destination.

UCT-C Controller deployed inside Kubernetes worker node

Inbound

TCP

8443 (configurable)

Load Balancer IP Address

Allows GigaVUE-FM to communicate with UCT-C Controller.

Outbound

TCP

5671

Any IP address

Allows UCT-C Controller to send statistics to GigaVUE-FM.

Outbound

TCP

443

GigaVUE-FM IP address

Allows UCT-C Controller to communicate with GigaVUE-FM.