Versa Networks

Firewall Requirements

For supported software information, see the Supported Software Information section at the end of this article.

The functions of the Versa Networks solution are fully distributed among the headend devices—Director, Analytics, and Controller—and the Versa Operating System™ (VOS™) hub and branch devices. The headend devices might be colocated within a single data center or they might be distributed among multiple data centers. If your network has firewall devices, you must ensure that the ports required for the Versa Networks solution to operate are open so that the Versa components can communicate with each other. If you use security zoning for the headend components, you must design your security policies so that they do not interfere with these communication channels.

This article lists the firewall requirements for Director, Analytics, Controller, and VOS (branch) devices, and for Versa Concerto, which is a component of the Versa self-service portal for secure SD-WAN and SASE users.

When discussing the firewall requirements for headend and VOS devices, the following terminology is used to describe the traffic direction:

  • Inbound—Traffic flows from the network into the Versa headend or VOS device using the specified protocol and through the specified port or ports.
  • Outbound—Traffic flows out from the Versa headend or VOS device to the network using the specified protocol and through the specified port or ports.

When discussing the firewall requirements for headend devices, the following terminology is used to describe interfaces:

  • Northbound network—The interface that connects to the management network. You can use this interface to integrate with external services such as third-party orchestrators, automation tools, and OSS/BSS applications. On Analytics and Director nodes, the northbound interface is eth0.
  • Southbound network—The interface that connects to the network used to carry control traffic between the headend components and the VOS branch devices. On Analytics and Director nodes, the southbound interface is eth1.

The following topology shows an example of the northbound and southbound networks, illustrating how the interfaces on Versa Director, Analytics, and Controller nodes connect to these two networks. These interfaces are used for control traffic. The VOS branch devices and the Controller nodes connect to one or more transport networks, and these networks are used for data traffic.

[Figure: example topology of the northbound and southbound networks, showing how the interfaces on Director, Analytics, and Controller nodes connect to each network]

Analytics Firewall Requirements

Analytics nodes use the following ports to communicate with other devices in the network. On an Analytics node, the northbound interface is eth0, which is the management interface, and the southbound interface is eth1.

Note that Versa Director and Versa Analytics nodes are management devices and thus send only control plane traffic. They do not route any data plane traffic. Only a VOS device can be configured as a router to route data traffic among its interfaces.

| Purpose | Traffic Direction | Interface | Protocol | Port Numbers |
|---|---|---|---|---|
| Application port for REST access | Inbound | Northbound network | TCP | 443 (Releases 21.1 and later), 8080 (before Release 21.1.0), 8443 |
| Communication with Director node | Outbound | Southbound network | TCP, UDP | 9182, 9183 |
| DNS server, for reverse lookup | Outbound | Northbound or southbound, depending on location of DNS server | UDP | 53 |
| Intercluster database and client communication | | Southbound network | TCP | 7000, 7001, 7199, 8983, 9042, 9160; Release 20.x Fusion-specific: 2181, 2888, 3888 |
| Log collector health monitor | Inbound | Southbound network | ICMP | |
| Log collector port where logs are received | Inbound | Southbound network | TCP | User configurable |
| Monitoring agent ports to retrieve health status and statistics about Analytics nodes | Inbound | Northbound network | TCP | 8010, 8020 |
| REST access port for configuration and diagnostics of various services running on Analytics nodes | Inbound | Southbound network | TCP | 5000, 5010, 5020, 5030, 8008 |
| SMTP mail server, for reporting | Outbound | Northbound network | TCP | User configurable |
| Standard NTP, for time synchronization | Inbound | Northbound or southbound, depending on location of NTP server | UDP | 123 |
| Standard SSH | Inbound | Northbound network | TCP | 22 |
| Troubleshooting and debugging of search engine using web portal | Inbound | Northbound network | TCP | 8983 |

Concerto Firewall Requirements

Concerto orchestrator uses the following ports to access and communicate with other devices in the network.

| Purpose | Traffic Direction | Protocol | Port Numbers |
|---|---|---|---|
| Docker control plane communication, for communication between nodes within the Concerto cluster | Inbound | TCP, UDP | 7946 |
| Docker swarm cluster | Inbound | TCP | 2377 |
| Encapsulating Security Payload (ESP) for Docker overlay | Inbound | IP | |
| GlusterFS cluster | Inbound | TCP | 24007 |
| GlusterFS rpcbind | Inbound | TCP | 111 |
| GlusterFS service port corresponding to brick | Inbound | TCP | 49152 |
| HTTP | Inbound | TCP | 80 |
| HTTPS | Inbound | TCP | 443 |
| Kafka brokers client for Concerto cluster | Inbound | TCP | 9092 through (9091 + i), where i is the number of Concerto nodes in the cluster |
| Overlay network traffic | Inbound | UDP | 4789 |
| SSH | Inbound | TCP | 22 |

Director Firewall Requirements

To allow seamless connectivity among the devices across intermediary firewalls and routing elements, ensure that the ports listed in the following table are open on the Director node. On a Director node, the northbound interface is eth0, which is the management interface, and the southbound interface is eth1.

Note that Versa Director and Versa Analytics nodes are management devices and thus send only control plane traffic. They do not route any data plane traffic. Only a VOS device can be configured as a router to route data traffic among its interfaces.

| Purpose | Traffic Direction | Interface | Protocol | Port Numbers |
|---|---|---|---|---|
| Access between active and standby Director nodes, to share HA-related information from the NCS database. Open only between the active and standby Director nodes; block the ports to other systems. | Inbound | Northbound or southbound network, but preferably southbound | TCP | 4566, 4570 |
| Access between active and standby Director nodes, to share HA-related information from the PostgreSQL database. Open only between the active and standby Director nodes; block the port to other systems. | Inbound | Southbound network, especially if the northbound network is public-facing | TCP | 5432 |
| Access between active and standby Director nodes over the secure HA channel, which is enabled by default from Release 22.1.4 (Service Release dated 2025-08-18), using Encapsulating Security Payload (ESP) | Inbound | Northbound or southbound network, but preferably southbound, or the interface or IP address on which high availability is enabled | IP (protocol 50) | |
| Access between active and standby Director nodes over the secure HA channel, which is enabled by default from Release 22.1.4 (Service Release dated 2025-08-18), for IPsec IKE. Open only between the active and standby Director nodes; block the ports to other systems. | Inbound | Northbound or southbound network, but preferably southbound, or the interface or IP address on which high availability is enabled | UDP | 500, 4500 |
| HTTPS access to Director GUI from any host | Inbound | Northbound network | TCP | 443 |
| HTTPS REST API. Access from Analytics node, Concerto nodes, VMS nodes, and peer Directors. Additionally, if the Director acts as a central authentication server, allow access from the central-auth client. | Inbound | Northbound or southbound, depending on topology | TCP | 9182, 9183 |
| If the central authentication method is used, allow HTTPS REST API access to the central authentication server | Outbound | Northbound or southbound, depending on the API access interface | TCP | 9182, 9183 |
| Netconf communication with CPE devices over the overlay network | Outbound | Southbound network | TCP | 2022 |
| Receive alarms from Analytics node | Inbound | Northbound or southbound, depending on topology | TCP, UDP | 20514 |
| REST API communication with CPE devices over the overlay network | Outbound | Southbound network | TCP | 8443 |
| SSH access between the Analytics and Director nodes, and communication between HA-enabled Director nodes for replication; required for access from the Director node to VOS branch devices, for ZTP | Inbound | Northbound or southbound | TCP | 22 |
| uCPE VNF HTTP/HTTPS access from Director GUI. Open only if you need uCPE access; otherwise, block the port. For Release 22.1.4 (dated February 8, 2025) and later, opening port 6080 (TCP) for uCPE VM console access to the Director GUI is no longer required; ensure this port remains blocked unless it is explicitly needed for older Director releases. | Inbound | Northbound network | TCP | 6080 |
| uCPE VNF console access from Director GUI. Open only if you need uCPE access; otherwise, block the port. | Inbound | Northbound network | TCP | 9090 |

VOS Device Firewall Requirements

VOS devices use the following WAN network ports to communicate with Director, Analytics, and Controller nodes, as well as with other devices in the network. Note that a Versa Controller device is simply a VOS instance.

Controllers and Hub Controllers

| Purpose | Traffic Direction | Interface | Protocol | Port Numbers |
|---|---|---|---|---|
| Analytics port | Outbound | Southbound | TCP | User-configured collector port |
| Certificate access | Inbound | WAN | TCP | 8080 |
| Encapsulating Security Payload (ESP) | Both | WAN | IP (protocol 50) | |
| IPsec IKE | Both | WAN | UDP | 500, 4500 |
| Netconf from Director node | Inbound | Eth0 and Southbound | TCP | 2022 |
| Resolve FQDN of branch nodes | Outbound | WAN | TCP | 53 |
| REST port, for fetching operational information | Inbound | Eth0 and Southbound | TCP | 8443 |
| SSH access | Both | Eth0 and Southbound | TCP | 22 |
| URL-based ZTP | Both | WAN | ICMP | |
| VXLAN communication between controller and branch/hub devices | Both | WAN | UDP | 4790 |

Branch and Hub Devices

| Purpose | Traffic Direction | Interface | Protocol | Port Numbers |
|---|---|---|---|---|
| Certificate access | Inbound | WAN | TCP | 8080 |
| Encapsulating Security Payload (ESP) | Both | WAN | IP (protocol 50) | |
| High availability (HA) between HA-enabled VOS nodes | Both | HA cross-connect link | TCP and UDP | TCP ports: 1024 through 1120, 3000 through 3003, 9878; UDP ports: 3002, 3003 |
| IPsec IKE | Both | WAN | UDP | 500, 4500 |
| Management interface that has the public IP address, for CMS-based cloud deployment (see the note following this table) | Inbound | Eth0 | TCP | 2022, 8443 |
| Management interface that has the public IP address, for CMS-based cloud deployment | Both | Eth0 | TCP | 22 |
| Management interface that has the public IP address, for CMS-based cloud deployment | Both | Eth0 | ICMP | |
| Resolve FQDN of staging Controller node | Outbound | WAN | TCP | 53 |
| Speed test | Both | WAN | TCP | 5201 |
| URL-based ZTP | Both | WAN | ICMP | |
| VXLAN communication between VOS hub, VOS branch, and Controller device | Both | WAN | UDP | 4790 |
| VXLAN communication between VOS hub, VOS branch, and Controller devices for HA setups that have cross-connect links (failover pool created using CGNAT) | Both | WAN | UDP | Default port range: 1024 through 32000 |

Note that after deploying the cloud VOS branch/hub-controller with the CMS connector, you must remove the public IP address of eth0 from the cloud instance portal. The Director node will manage the VOS branch/hub-controller using the SD-WAN overlay IP address, and will not use the eth0 public IP address. Additionally, you must change the default passwords for all cloud-hosted VOS nodes, for the admin and versa accounts.

VMS Firewall Requirements

For Releases 5.1.1 and later.

Versa Messaging Service (VMS) uses the following control node and worker node ports to access and communicate with other devices in the network.

VMS Control Nodes

| Purpose | Traffic Direction | Protocol | Port Numbers | Used By | Interfaces |
|---|---|---|---|---|---|
| Chrony for time synchronization | Bi-directional | UDP | 323, 123 | All | Management |
| DNS server, for reverse lookup | Outbound | UDP | 53 | All | Management or where the DNS server is present |
| etcd server client API | Inbound | TCP | 2379-2380 | kube-apiserver, etcd | Management and interservice |
| Health probes for Cloud Load Balancers | Inbound | TCP | 8443 | Cloud Load Balancer | Management and interservice |
| HTTPS for management | Inbound | TCP | 8091 | Versa Director and Concerto | Management |
| Ingress/LB traffic | Inbound | TCP | 7000 | Internal network only | Management and interservice |
| Ingress/LB traffic | Inbound | TCP | 443 | All traffic to VMS | Traffic |
| Ingress/LB traffic | Inbound | UDP | 1813 | SSE RADIUS accounting traffic to VMS | Traffic |
| kube-controller-manager | Inbound | TCP | 10257 | Self | Management and interservice |
| Kubelet API | Inbound | TCP | 10250 | Self, control plane | Management and interservice |
| Kubernetes API server | Inbound | TCP | 6443 | All | Management and interservice |
| kube-scheduler | Inbound | TCP | 10259 | Self | Management and interservice |
| MessageServer traffic | Inbound | TCP | 3102 | ADC for high availability (HA) | Southbound |
| MessageServer traffic | Inbound | TCP | 3101 | KPIs for internal debug | Southbound |
| MessageServer traffic | Inbound | TCP | 1376 | All | Southbound |
| MessageServer traffic | Outbound | TCP | 1376 | All | Southbound |
| NodePort services | Inbound | TCP | 30000-32767 | All | Management and interservice |
| Northbound network, SMTP mail server, for reporting | Outbound | TCP | 587 (default); a user-configurable port is currently not supported | Control node | Management |
| SSH access for shell management and configuration | Inbound and outbound | TCP | 22 | VMS customer | All |

VMS Worker Nodes

| Purpose | Traffic Direction | Protocol | Port Numbers | Used By | Interfaces |
|---|---|---|---|---|---|
| Chrony for time synchronization | Bi-directional | UDP | 323, 123 | All nodes | Management |
| Health probes for Cloud Load Balancers | Inbound | TCP | 8443 | Cloud Load Balancer | Management and interservice |
| Ingress/LB traffic | Inbound | TCP | 443 | All traffic to VMS | Traffic |
| Ingress/LB traffic | Inbound | UDP | 1813 | SSE RADIUS accounting traffic to VMS | Traffic |
| Kubelet API | Inbound | TCP | 10250 | Self, control plane | Management and interservice |
| kube-proxy | Inbound | TCP | 10256 | Self, load balancers | Management and interservice |
| MessageServer traffic | Inbound | TCP | 3102 | ADC for high availability (HA) | Southbound |
| MessageServer traffic | Inbound | TCP | 3101 | KPIs for internal debug | Southbound |
| MessageServer traffic | Inbound | TCP | 1376 | All | Southbound |
| MessageServer traffic | Outbound | TCP | 443 | All | Southbound |
| NodePort services | Inbound | TCP | 30000-32767 | All | Management and interservice |
| SSH access for shell management and configuration | Inbound | TCP | 22 | VMS customer | All |

Additional Security Hardening

For security reasons, Versa recommends that you allow inbound traffic from authorized IP addresses only. The following two examples illustrate the types of inbound traffic to allow:

  • Open port 22 (TCP) only for the IP addresses of the devices from which you connect to the Versa component for management purposes.
  • Allow communication between headend components, such as two Versa Directors in a high availability (HA) deployment, only from the IP addresses of the headend components. For example, if the southbound IP addresses are 10.0.0.1 for the active Director node and 20.0.0.1 for the standby Director node, the standby Director node should allow access to its ports 4566, 4570, and 5432 only from the IP address of the active Director node (10.0.0.1).
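As an added illustration (not Versa's own code or configuration), the following Python models the inbound allow-list that the two recommendations above imply for a standby Director's southbound interface (eth1), evaluates sample flows against it, and renders it as an nftables ruleset. It uses the page's 10.0.0.1 for the active Director; the jump host 192.0.2.10 and the Analytics address 10.0.0.5 are assumptions, as is the choice of nftables as the host firewall.

```python
import ipaddress
from dataclasses import dataclass
# 10.0.0.1 is the page's sample active-Director southbound address. The
# jump host (192.0.2.10) and Analytics address (10.0.0.5) are constructed.
ACTIVE_DIRECTOR = "10.0.0.1/32"
MGMT_HOSTS = ("192.0.2.10/32",)
ANALYTICS_HOSTS = ("10.0.0.5/32",)

@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp", "udp" or "esp"
    ports: frozenset  # destination ports; empty for ESP, which has none
    sources: tuple    # CIDR strings allowed to reach these ports
    purpose: str      # becomes the nftables rule comment

def standby_director_policy():
    """Inbound allow-list for the standby Director's southbound interface."""
    peer = (ACTIVE_DIRECTOR,)
    return [
        Rule("tcp", frozenset({4566, 4570}), peer, "NCS HA sync"),
        Rule("tcp", frozenset({5432}), peer, "PostgreSQL HA sync"),
        Rule("udp", frozenset({500, 4500}), peer, "IKE for secure HA channel"),
        Rule("esp", frozenset(), peer, "ESP for secure HA channel"),
        Rule("tcp", frozenset({9182, 9183}), ANALYTICS_HOSTS + peer, "HTTPS REST API"),
        Rule("tcp", frozenset({22}), MGMT_HOSTS + ANALYTICS_HOSTS + peer, "SSH for management, Analytics and HA replication"),
    ]

def is_allowed(policy, src, proto, dport=None):
    """Default-deny evaluation of one new inbound flow against the policy."""
    addr = ipaddress.ip_address(src)
    for rule in policy:
        if rule.proto != proto or (rule.ports and dport not in rule.ports):
            continue
        if any(addr in ipaddress.ip_network(cidr) for cidr in rule.sources):
            return True
    return False

def to_nftables(policy, iface="eth1"):
    """Render the policy as an nftables input chain whose default is drop."""
    lines = ["table inet director_hardening {", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    iif lo accept", "    ct state established,related accept"]
    for rule in policy:
        match = "ip protocol esp" if rule.proto == "esp" else \
            f"{rule.proto} dport {{ {', '.join(map(str, sorted(rule.ports)))} }}"
        lines.append(f'    iifname "{iface}" ip saddr {{ {", ".join(rule.sources)} }} '
                     f'{match} accept comment "{rule.purpose}"')
    lines += ["  }", "}"]
    return "\n".join(lines)
```

The rendered text can be loaded with `nft -f`; cross-check it against the Director table above for the interfaces your deployment actually uses before applying it.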

Supported Software Information

Releases 20.2 and later support all content described in this article, except:

  • Releases 21.2.1 and later support Versa Messaging Service (VMS).
  • Releases 22.1.4 and later allow inbound access to ports 9182 and 9183 between HA pair Directors.
  • Release 22.1.4 (Service Release dated 2025-08-18) enables the secure HA channel by default.