Firewall Requirements
For supported software information, click here.
The functions of the Versa Networks solution are fully distributed among the headend devices—Director, Analytics, and Controller—and the Versa Operating SystemTM (VOSTM) hub and branch devices. The headend devices might be colocated within a single data center or they might be distributed among multiple data centers. If your network has firewall devices, you must ensure that the ports required for the Versa Networks solution to operate are open so that the Versa components can communicate with each other. If you use security zoning for the headend components, you must design your security policies so that they do not interfere with these communication channels.
This article lists the firewall requirements for Director, Analytics, Controller, and VOS (branch) devices, and for Versa Concerto, which is a component of the Versa self-service portal for secure SD-WAN and SASE users.
When discussing the firewall requirements for headend and VOS devices, the following terminology is used to describe the traffic direction:
- Inbound—Traffic flows from the network into the Versa headend or VOS device using the specified protocol and through the specified port or ports.
- Outbound—Traffic flows out from the Versa headend or VOS device to the network using the specified protocol and through the specified port or ports
When discussing the firewall requirements for headend devices, the following terminology is used to describe interfaces:
- Northbound network—Interface connects to the management network. You can use this interface to integrate with external services such as third-party orchestrators, automation tools, and OSS/BSS applications. On Analytics and Director nodes, the northbound interface is eth0.
- Southbound network—Interface connects to the network that is used to send control traffic for communication between the headend components and the VOS branch devices. On Analytics and Director nodes, the southbound interface is eth1.
The following topology shows an example of the northbound and southbound networks, illustrating how the interfaces on Versa Director, Analytics, and Controller nodes connect to these two networks. These interfaces are used for control traffic. The VOS branch devices and the Controller nodes connect to one or more transport networks, and these networks are used for data traffic.
Analytics Firewall Requirements
Analytics nodes use the following ports to communicate with other devices in the network. On an Analytics node, the northbound interface is eth0, which is the management interface, and the southbound interface is eth1.
Note that Versa Director and Versa Analytics nodes are management devices and thus send only control plane traffic. They do not route any data plane traffic. Only a VOS device can be configured as a router to route data traffic among its interfaces.
| Purpose | Traffic Direction | Interface | Protocol | Port Numbers |
|---|---|---|---|---|
| Application port for REST access | Inbound | Northbound network | TCP | 443 (Releases 21.1 and later), 8080 (before Release 21.1.0), 8443 |
| Communication with Director node | Outbound | Southbound network | TCP, UDP | 9182, 9183 |
| DNS server, for reverse lookup | Outbound | Northbound or southbound, depending on location of DNS server | UDP | 53 |
| Intercluster database and client communication | — | Southbound network | TCP | 7000, 7001, 7199, 8983, 9042, 9160 Release 20.x Fusion-specific: 2181, 2888, 3888 |
| Log collector health monitor | Inbound | Southbound network | ICMP | |
| Log collector port where logs are received | Inbound | Southbound network | TCP | User configurable |
|
Monitoring agent ports to retrieve health status and statistics about Analytics nodes |
Inbound | Northbound network | TCP | 8010, 8020 |
| REST access port configuration and diagnostics of various services running on Analytics nodes | Inbound | Southbound network | TCP |
5000, 5010, 5020, 5030, 8008 |
| SMTP mail server, for reporting | Outbound | Northbound network | TCP | User configurable |
| Standard NTP, for time synchronization | Inbound | Northbound or southbound, depending on location of NTP server | UDP | 123 |
| Standard SSH | Inbound | Northbound network | TCP | 22 |
| Troubleshooting and debugging of search engine using web portal | Inbound | Northbound network | TCP | 8983 |
Concerto Firewall Requirements
Concerto orchestrator uses the following ports to access and communicate with other devices in the network.
| Purpose | Traffic Direction | Protocol | Port Numbers |
|---|---|---|---|
| Docker control plane communication, for communication between nodes within the Concerto cluster | Inbound | TCP, UDP | 7946 |
|
Docker swarm cluster |
Inbound | TCP | 2377 |
| Encapsulating Security Payload (ESP) for Docker overlay | Inbound | IP | — |
|
GlusterFS cluster |
Inbound | TCP | 24007 |
|
GlusterFS rpcbind |
Inbound | TCP | 111 |
| GlusterFS service port corresponding to brick | Inbound | TCP | 49152 |
|
HTTP |
Inbound | TCP |
80 |
|
HTTPS |
Inbound | TCP | 443 |
|
Kafka brokers client for Concerto cluster |
Inbound | TCP | 9092 - (9091 + i), where i is the number of Concerto nodes in the cluster |
| Overlay network traffic | Inbound | UDP | 4789 |
|
SSH |
Inbound | TCP | 22 |
Director Firewall Requirements
To allow seamless connectivity among the devices across intermediary firewalls and routing elements, ensure that the ports listed in the following table are open on the Director node. On a Director node, the northbound interface is eth0, which is the management interface, and the southbound interface is eth1.
Note that Versa Director and Versa Analytics nodes are management devices and thus send only control plane traffic. They do not route any data plane traffic. Only a VOS device can be configured as a router to route data traffic among its interfaces.
| Purpose | Traffic Direction | Interface | Protocol | Port Numbers |
|---|---|---|---|---|
| Access between active and standby Director nodes, to share HA-related information from the NCS database—Open only between the active and standby Director nodes; block the ports to other systems. | Inbound | Northbound or southbound network, but preferably southbound | TCP | 4566, 4570 |
| Access between active and standby Director nodes, to share HA-related information from the PostgreSQL database—Open only between the active and standby Director nodes; block the ports to other systems. | Inbound | Southbound network, especially if Northbound network is public-facing | TCP |
5432 |
|
Access between active and standby Director nodes, secure HA channel is enabled by default (from Releases 22.1.4 - Service Release dated 2025-08-18) in Director using Encapsulating Security Payload (ESP) |
Inbound | Northbound or southbound network, but preferably southbound or, interface or IP address on which high availability is enabled by default. | IP (protocol 50) | — |
|
Access between active and standby Director nodes, secure HA channel is enabled by default (from Releases 22.1.4 - Service Release dated 2025-08-18) in Director for IPsec IKE—Open only between the active and standby Director nodes; block the ports to other systems. |
Inbound |
Northbound or southbound network, but preferably southbound or, interface or IP address on which high availability is enabled by default. |
UDP |
500, 4500 |
| HTTPS access to Director GUI from any host | Inbound | Northbound network | TCP | 443 |
| HTTPS REST API—Access from Analytics node, Concerto nodes, VMS nodes, and peer Directors. Additionally, if the Director acts as a central authentication server, allow access from central-auth client. | Inbound | Northbound or southbound, depending on topology | TCP | 9182, 9183 |
| If central authentication method is used, allow HTTPS REST API access to the central authentication server. | Outbound | Northbound or southbound, depending on the API access interface | TCP | 9182, 9183 |
| Netconf communication with CPE devices over the overlay network | Outbound | Southbound network | TCP | 2022 |
| Receive alarms from Analytics node | Inbound | Northbound or southbound, depending on topology | TCP, UDP | 20514 |
| REST API communication with CPE devices over the overly network | Outbound | Southbound network | TCP | 8443 |
| SSH access between the Analytics and Director nodes, and communication between HA-enabled Director nodes for replication; required for access from Director node to VOS branch, for ZTP | Inbound | Northbound or southbound, | TCP | 22 |
|
uCPE VNF HTTP/HTTPS access from Director GUI—Open only if you need uCPE access; otherwise, block the port. (For Release 22.1.4, dated February 8, 2025 and later, and higher release numbers) Opening port 6080 (TCP) for uCPE VM console access to the Director GUI is no longer required. Ensure this port remains blocked unless explicitly needed for older Director releases. |
Inbound | Northbound network | TCP |
6080 |
| uCPE VNF console access from Director GUI—Open only if you need uCPE access; otherwise, block the port. | Inbound | Northbound network | TCP |
9090 |
VOS Device Firewall Requirements
VOS devices use the following WAN network ports to communicate with Director, Analytics, and Controller nodes, as well as with other devices in the network. Note that a Versa Controller device is simply a VOS instance.
Controllers and Hub Controllers
| Purpose | Traffic Direction | Interface | Protocol | Port Numbers |
|---|---|---|---|---|
| Analytics port | Outbound | Southbound | TCP | User configured collector port |
| Certificate access | Inbound | WAN | TCP | 8080 |
| Encapsulating Security Payload (ESP) | Both | WAN | IP (protocol 50) | — |
| IPsec IKE | Both | WAN | UDP | 500, 4500 |
| Netconf from Director node | Inbound | Eth0 and Southbound | TCP | 2022 |
| Resolve FQDN of branch nodes | Outbound | WAN | TCP | 53 |
| REST port, for fetching operational information | Inbound | Eth0 and Southbound | TCP | 8443 |
| SSH access | Both | Eth0 and Southbound | TCP | 22 |
| URL-based ZTP | Both | WAN | ICMP | — |
| VXLAN communication between controller and branch/hub devices | Both | WAN | UDP | 4790 |
Branch and Hub Devices
| Purpose | Traffic Direction | Interface | Protocol | Port Numbers |
|---|---|---|---|---|
| Certificate access | Inbound | WAN | TCP | 8080 |
| Encapsulating Security Payload (ESP) | Both | WAN | IP (protocol 50) | — |
| High availability (HA) between HA-enabled VOS nodes | Both | HA cross-connect link | TCP and UDP |
TCP ports: 1024 through 1120, 3000 through 3003, 9878 UDP ports: 3002, 3003 |
| IPsec IKE | Both | WAN | UDP | 500, 4500 |
|
Management interface that has the public IP address, for CMS-based cloud deployment. Note that after deploying the cloud VOS branch/hub-controller with the CMS connector, you must remove the public IP address of eth0 from the cloud instance portal. The Director node will manage the VOS branch/hub-controller using the SD-WAN overlay IP address, and will not use the eth0 public IP address. Additionally, you must change the default passwords for all cloud-hosted VOS nodes, for admin and versa accounts. |
Inbound Both Both |
Eth0 | TCP TCP ICMP |
2022, 8443 22 — |
| Resolve FQDN of staging Controller node | Outbound | WAN | TCP | 53 |
| Speed test | Both | WAN | TCP | 5201 |
| URL-based ZTP | Both | WAN | ICMP | — |
| VXLAN communication between VOS hub, VOS branch, and Controller device | Both | WAN | UDP | 4790 |
| VXLAN communication between VOS hub, VOS branch, and Controller devices for HA setups that have cross-connect links (failover pool created using CGNAT) | Both | WAN | UDP | Default port range: 1024 through 32000 |
VMS Firewall Requirements
For Releases 5.1.1 and later.
Versa Messaging Service (VMS) uses the following control node and worker node ports to access and communicate with other devices in the network.
VMS Control Nodes
| Purpose | Traffic Direction | Protocol | Port Numbers | Used By | Interfaces |
|---|---|---|---|---|---|
|
Chrony for time synchronization |
Bi-directional |
UDP |
323,123 |
All |
Management |
|
DNS server, for reverse lookup |
Outbound |
UDP |
53 |
All |
Management or where the DNS is present |
|
etcd server client API |
Inbound |
TCP |
2379-2380 |
kube-apiserver, etcd |
Management and interservice |
|
Health probes for Cloud Load Balancers |
Inbound |
TCP |
8443 |
Cloud Load Balancer |
Management and interservice |
|
HTTPS for management |
Inbound |
TCP |
8091 |
Versa Director and Concerto |
Management |
|
Ingress/LB Traffic |
Inbound |
TCP |
7000 |
Internal network only |
Management and interservice |
|
Ingress/LB Traffic |
Inbound |
TCP |
443 |
All traffic to VMS |
Traffic |
|
Ingress/LB Traffic |
Inbound |
UDP |
1813 |
SSE Radius accounting traffic to VMS |
Traffic |
|
kube-controller-manager |
Inbound |
TCP |
10257 |
Self |
Management and interservice |
|
Kubelet API |
Inbound |
TCP |
10250 |
Self, control plane |
Management and interservice |
|
Kubernetes API server |
Inbound |
TCP |
6443 |
All |
Management and interservice |
|
kube-scheduler |
Inbound |
TCP |
10259 |
Self |
Management and interservice |
|
MessageServer traffic |
Inbound |
TCP |
3102 |
ADC for high availability (HA) |
Southbound |
|
MessageServer traffic |
Inbound |
TCP |
3101 |
KPIs for internal debug |
Southbound |
|
MessageServer traffic |
Inbound |
TCP |
1376 |
All |
Southbound |
|
MessageServer traffic |
Outbound |
TCP |
1376 |
All |
Southbound |
|
NodePort services+ |
Inbound |
TCP |
30000-32767 |
All |
Management and interservice |
|
Northbound network, SMTP mail server, for reporting |
Outbound |
TCP |
(587 - default) User configurable option is currently not supported |
Control node |
Management |
|
SSH access for shell management and configuration |
Inbound and outbound |
TCP |
22 |
VMS customer |
All |
VMS Worker Nodes
| Purpose | Traffic Direction | Protocol | Port Numbers | Used By | Interfaces |
|---|---|---|---|---|---|
|
Chrony for time synchronization |
Bi-directional |
UDP |
323,123 |
All nodes |
Management |
|
Health probes for Cloud Load Balancers |
Inbound |
TCP |
8443 |
Cloud Load Balancer |
Management and interservice |
|
Ingress/LB Traffic |
Inbound |
TCP |
443 |
All Traffic to VMS |
Traffic |
|
Ingress/LB Traffic |
Inbound |
UDP |
1813 |
SSE Radius accounting traffic to VMS |
Traffic |
|
Kubelet API |
Inbound |
TCP |
10250 |
Self, control plane |
Management and interservice |
|
kube-proxy |
Inbound |
TCP |
10256 |
Self, Load balancers |
Management and interservice |
|
MessageServer traffic |
Inbound |
TCP |
3102 |
ADC for high availability (HA) |
Southbound |
|
MessageServer traffic |
Inbound |
TCP |
3101 |
KPIs for internal debug |
Southbound |
|
MessageServer traffic |
Inbound |
TCP |
1376 |
All |
Southbound |
|
MessageServer traffic |
Outbound |
TCP |
443 |
All |
Southbound |
|
NodePort services+ |
Inbound |
TCP |
30000-32767 |
All |
Management and interservice |
|
SSH access for shell management and configuration |
Inbound |
TCP |
22 |
VMS customer |
All |
Additional Security Hardening
For security reasons, Versa recommends that you allow inbound traffic from authorized IP addresses only. The following two examples illustrate types of inbound traffic to allow:
- You should open port 22 (for TCP) only for the IP addresses of devices from which you connect to the Versa component for management purposes.
- You should allow communication between headend components, such two Versa Directors in a high availability (HA) deployment, only from the IP addresses of the headend components. For example, if the southbound IP addresses are 10.0.0.1 for the active Director node and 20.0.0.1 for the standby Director node, the standby Director node should allow access to its ports 4566, 4570 and 5432 only from the IP address of the active Director node (10.0.0.1).
Supported Software Information
Releases 20.2 and later support all content described in this article, except:
- Releases 21.2.1 and later support Versa Messaging Service (VMS).
- Releases 22.1.4 and later allow inbound access to ports 9182 and 9183 between HA pair Directors.
- Releases 22.1.4 (Service Release dated 2025-08-18) enables secure HA channel by default.
Additional Information
Enable Secure Mode
Install Concerto
Perform Initial Software Configuration