Network Firewall Requirements
The following table lists the Network Firewall / Security Group requirements for GigaVUE Cloud Suite.
Note: When using dual stack network, the below mentioned ports must be opened for both IPv4 and IPv6.
GigaVUE‑FM |
||||||||||
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
Inbound |
TCP |
443 |
Administrator Subnet |
Allows GigaVUE-FM to accept Management connection using REST API. Allows users to access GigaVUE-FM UI securely through an HTTPS connection. |
||||||
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access to user-initiated management and diagnostics. |
||||||
Inbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
UCT-V Controller IP |
Allows GigaVUE-FM to receive registration requests from UCT-V Controller using REST API. |
||||||
Inbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE V Series Node IP |
Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Node using REST API when GigaVUE V Series Proxy is not used. |
||||||
Inbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE V Series Proxy IP |
Allows GigaVUE-FM to receive registration requests from GigaVUE V Series Proxy using REST API. |
||||||
Inbound |
TCP |
443 |
UCT-C Controller IP |
Allows GigaVUE-FM to receive registration requests from UCT-C Controller using REST API. |
||||||
Inbound |
TCP |
5671 |
GigaVUE V Series Node IP |
Allows GigaVUE‑FM to receive traffic health updates from GigaVUE V Series Nodes. |
||||||
Inbound |
TCP |
5671 |
UCT-V Controller IP |
Allows GigaVUE‑FM to receive statistics from UCT-V Controllers. |
||||||
Inbound |
TCP |
5671 |
UCT-C Controller IP |
Allows GigaVUE‑FM to receive statistics from UCT-C Controllers. |
||||||
Inbound |
UDP |
2056 |
GigaVUE V Series Node IP |
Allows GigaVUE‑FM to receive Application Intelligence and Application Visualization reports from GigaVUE V Series Node. |
||||||
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
Outbound |
TCP |
9900 |
GigaVUE‑FM IP |
Allows GigaVUE‑FM to communicate control and management plane traffic with UCT-V Controller. |
||||||
Outbound (optional) |
TCP |
8890 |
GigaVUE V Series Proxy IP |
Allows GigaVUE‑FM to communicate control and management plane traffic to GigaVUE V Series Proxy. |
||||||
Outbound |
TCP |
8889 |
GigaVUE V Series Node IP |
Allows GigaVUE‑FM to communicate control and management plane traffic to GigaVUE V Series Node. |
||||||
Outbound |
TCP |
8443 (default) |
UCT-C Controller IP |
Allows GigaVUE‑FM to communicate control and management plane traffic to UCT-C Controller. |
||||||
Outbound |
TCP |
443 |
Any IP Address |
Allows GigaVUE‑FM to reach the Public Cloud Platform APIs. |
||||||
UCT-V Controller |
||||||||||
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
Inbound |
TCP |
9900 |
GigaVUE‑FM IP |
Allows UCT-V Controller to communicate control and management plane traffic with GigaVUE‑FM |
||||||
Inbound |
TCP |
9900 |
UCT-V or Subnet IP |
Allows UCT-V Controller to receive traffic health updates from UCT-V. |
||||||
Inbound (This is the port used for Third Party Orchestration) |
TCP |
8891 |
UCT-V or Subnet IP |
Allows UCT-V Controller to receive the registration requests from UCT-V. |
||||||
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
||||||
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
Outbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE‑FM IP |
Allows UCT-V Controller to send the registration requests to GigaVUE-FM using REST API. |
||||||
Outbound |
TCP |
9901 |
UCT-V Controller IP |
Allows UCT-V Controller to communicate control and management plane traffic with UCT-Vs. |
||||||
Outbound |
TCP |
5671 |
GigaVUE-FM IP |
Allows UCT-V Controller to send traffic health updates to GigaVUE‑FM. |
||||||
UCT-V |
||||||||||
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
Inbound |
TCP |
9901 |
UCT-V Controller IP |
Allows UCT-V to receive control and management plane traffic from UCT-V Controller |
||||||
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
Outbound (This is the port used for Third Party Orchestration) |
TCP |
8891 |
UCT-V Controller IP |
Allows UCT-V to communicate with UCT-V Controller for registration and Heartbeat |
||||||
Outbound |
UDP (VXLAN) |
VXLAN (default 4789) |
GigaVUE V Series Node IP |
Allows UCT-V to tunnel VXLAN traffic to GigaVUE V Series Nodes |
||||||
Outbound |
IP Protocol (L2GRE) |
L2GRE (IP 47) |
GigaVUE V Series Node IP |
Allows UCT-V to tunnel L2GRE traffic to GigaVUE V Series Nodes |
||||||
Outbound (Optional - This port is used only for Secure Tunnels) |
TCP |
11443 |
GigaVUE V Series Node IP |
Allows UCT-V to securely transfer the traffic to the GigaVUE V Series Node |
||||||
Outbound |
TCP |
9900 |
UCT-V Controller IP |
Allows UCT-V to send traffic health updates to UCT-V Controller. |
||||||
GigaVUE V Series Node |
||||||||||
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
Inbound |
TCP |
8889 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE-FM |
||||||
Inbound |
TCP |
8889 |
GigaVUE V Series Proxy IP |
Allows GigaVUE V Series Node to communicate control and management plane traffic with GigaVUE V Series Proxy. |
||||||
Inbound |
UDP (VXLAN) |
VXLAN (default 4789) |
UCT-V Subnet IP |
Allows GigaVUE V Series Nodes to receive VXLAN tunnel traffic to UCT-V |
||||||
Inbound |
IP Protocol (L2GRE) |
L2GRE |
UCT-V Subnet IP |
Allows GigaVUE V Series Nodes to receive L2GRE tunnel traffic to UCT-V |
||||||
Inbound |
UDPGRE |
4754 |
Ingress Tunnel |
Allows GigaVUE V Series Node to receive tunnel traffic from UDPGRE Tunnel |
||||||
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
||||||
Inbound (Optional - This port is used only for Secure Tunnels) |
TCP |
11443 |
UCT-V subnet |
Allows to securely transfer the traffic to GigaVUE V Series Nodes. |
||||||
Inbound (Optional - This port is used only for configuring AWS Gateway Load Balancer) |
UDP (GENEVE) |
6081 |
Ingress Tunnel |
Allows GigaVUE V Series Node to receive tunnel traffic from AWS Gateway Load Balancer. |
||||||
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
Outbound |
TCP |
5671 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to send traffic health updates to GigaVUE‑FM. |
||||||
Outbound |
UDP (VXLAN) |
VXLAN (default 4789) |
Tool IP |
Allows GigaVUE V Series Node to tunnel output to the tool. |
||||||
Outbound |
IP Protocol (L2GRE) |
L2GRE (IP 47) |
Tool IP |
Allows GigaVUE V Series Node to tunnel output to the tool. |
||||||
Outbound |
UDP |
2056 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to send Application Intelligence and Application Visualization reports to GigaVUE-FM. |
||||||
Outbound |
UDP |
2055 |
Tool IP |
Allows GigaVUE V Series Node to send NetFlow Generation traffic to an external tool. |
||||||
Outbound |
UDP |
514 |
Tool IP |
Allows GigaVUE V Series Node to send Application Metadata Intelligence log messages to external tools. |
||||||
Bidirectional (optional) |
ICMP |
|
Tool IP |
Allows GigaVUE V Series Node to send health check tunnel destination traffic. |
||||||
Outbound (This is the port used for Third Party Orchestration) |
TCP |
8891 |
GigaVUE V Series Proxy IP |
Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE V Series Proxy when GigaVUE V Series Proxy is used. |
||||||
Outbound (This is the port used for Third Party Orchestration) |
TCP |
443 |
GigaVUE-FM IP |
Allows GigaVUE V Series Node to send registration requests and heartbeat messages to GigaVUE-FM when GigaVUE V Series Proxy is not used. |
||||||
Outbound (Optional - This port is used only for Secure Tunnels) |
TCP |
11443 |
Tool IP |
Allows to securely transfer the traffic to an external tool. |
||||||
GigaVUE V Series Proxy (optional) |
||||||||||
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
Inbound |
TCP |
8890 |
GigaVUE‑FM IP |
Allows GigaVUE‑FM to communicate control and management plane traffic with GigaVUE V Series Proxy. |
||||||
Inbound (This is the port used for Third Party Orchestration) |
TCP |
8891 |
GigaVUE V Series Node IP |
Allows GigaVUE V Series Proxy to receive registration requests and heartbeat messages from GigaVUE V Series Node. |
||||||
Inbound |
TCP |
22 |
Administrator Subnet |
Allows CLI access for user-initiated management and diagnostics, specifically when using third party orchestration. |
||||||
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
Outbound |
TCP |
443 |
GigaVUE-FM IP |
Allows GigaVUE V Series Proxy to communicate the registration requests to GigaVUE-FM |
||||||
Outbound |
TCP |
8889 |
GigaVUE V Series Node IP |
Allows GigaVUE V Series Proxy to communicate control and management plane traffic with GigaVUE V Series Node |
||||||
Universal Cloud Tap - Container deployed inside Kubernetes worker node |
||||||||||
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
Outbound |
TCP |
42042 |
Any IP address |
Allows UCT-C to send statistical information to UCT-C Controller. |
||||||
Outbound |
UDP |
VXLAN (default 4789) |
Any IP address |
Allows UCT-C to tunnel traffic to the GigaVUE V Series Node or other destination. |
||||||
UCT-C Controller deployed inside Kubernetes worker node |
||||||||||
Direction |
Protocol |
Port |
Source CIDR |
Purpose |
||||||
Inbound |
TCP |
8443 (configurable) |
GigaVUE-FM IP |
Allows GigaVUE-FM to communicate with UCT-C Controller. |
||||||
Direction |
Protocol |
Port |
Destination CIDR |
Purpose |
||||||
Outbound |
TCP |
5671 |
Any IP address |
Allows UCT-C Controller to send statistics to GigaVUE-FM. |
||||||
Outbound |
TCP |
443 |
GigaVUE-FM IP |
Allows UCT-C Controller to communicate with GigaVUE-FM. |
The following table describes the ports that should be opened on GigaVUE-FM:
Direction |
Port |
Purpose |
Inbound |
443 |
GigaVUE-FM REST service port. |
Outbound |
4433 |
Allows GigaVUE-FM to communicate with UCT-C Controller. |
Outbound |
8443 |
Allows GigaVUE-FM to communicate with UCT-C Controller. |
Inbound | 5671 | Allows UCT-C to send statistics to GigaVUE-FM through Rabbit-MQ port. |