Overview
Use this guide to understand the firewall rules and port requirements for various Cisco Crosswork Assurance components including Sensor Agents, Sensor Collector, and the Crosswork Assurance platform.
Sensor Agent Port Requirements
| Direction | Protocol | Port | Destination | Purpose | Required? |
|---|---|---|---|---|---|
| Outbound | TCP | 55777 | Sensor Collector | Agent management (WebSocket) | Yes |
| Outbound | TCP | 55888 | Sensor Collector | Performance data (WebSocket) | Yes |
| Outbound | TCP | 443 | Crosswork Assurance | Sensor Collector to cloud/on-prem | Yes |
| Outbound | UDP/TCP | 53 | DNS server | Name resolution | If using FQDNs |
| Outbound | UDP | 123 | NTP server | Time synchronization | Recommended |
| Inbound | UDP | 862 | Agent host | TWAMP (Two-Way Active Measurement Protocol) reflector | If reflector enabled |
| Inbound | UDP | 7 | Agent host | UDP Echo reflector | If reflector enabled |
| Inbound | TCP/UDP | 5201 | Agent host | iPerf3 throughput reflector | If reflector enabled |
Note: Reflector ports (862, 7, 5201) are defaults. Different ports can be specified via the orchestration API and Docker port mapping.
Sensor Collector Port Requirements
| Direction | Protocol | Port | Purpose | Required? |
|---|---|---|---|---|
| Inbound | TCP | 55777 | Management of connected sensor agents | When in Gateway mode |
| Inbound | TCP | 55888 | Performance data via sensor agents | When in Gateway mode |
| Outbound | TCP | 53 | DNS Name Resolution | If using FQDNs |
| Outbound | TCP | 123 | NTP Time synchronization | Recommended |
| Inbound | TCP | 7070 | Debugging with pprof | No |
| Inbound | TCP | 7071 | Collecting tech support reports | Recommended |
Key Connectivity Notes
- All connections from agent to Sensor Collector are initiated outbound
- All connections from Sensor Collector to Crosswork Assurance are initiated outbound
- NAT/PAT (Network/Port Address Translation) firewalls are supported between all components
- Both IPv4 and IPv6 are supported
Verifying Port Connectivity
Test Outbound Connectivity
```shell
# -k skips certificate verification, so these two checks confirm reachability only
# Test management port
curl -k -vvv https://<sensor-collector-host>:55777
# Test data port
curl -k -vvv https://<sensor-collector-host>:55888
# Test Crosswork Assurance connectivity
curl -fv https://<your-instance>.crossworkassurance.cisco.com
```
Check Exposed Docker Ports
```shell
docker ps
```
Expected output should show:
```
0.0.0.0:55777->55777/tcp, :::55777->55777/tcp
0.0.0.0:55888->55888/tcp, :::55888->55888/tcp
```
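The `docker ps` check can be scripted so that it also flags the pprof debugging port (7070), which the Sensor Collector table lists as not required. This is an added example, not part of the original guide; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit published Docker ports on a Sensor Collector host.
# Port lists come from the Sensor Collector table; function names are hypothetical.
REQUIRED_TCP="55777 55888"   # agent management and performance data
DEBUG_TCP="7070"             # pprof debugging, listed as not required

# Constructed sample of the PORTS column (not captured from a real host).
SAMPLE_PORTS='0.0.0.0:55777->55777/tcp, :::55777->55777/tcp, 0.0.0.0:55888->55888/tcp, :::55888->55888/tcp, 0.0.0.0:7070->7070/tcp'

# Read PORTS text on stdin; print each published host-side TCP port once.
# Handles IPv4 (0.0.0.0:P) and IPv6 (:::P, [::]:P); ignores unmapped ports.
published_tcp_ports() {
    tr ',' '\n' |
        sed -n 's#^.*:\([0-9][0-9]*\)->[0-9][0-9]*/tcp[[:space:]]*$#\1#p' |
        sort -un
}

# Read PORTS text on stdin; print findings. Returns 0 only when every required
# port is published and no debug port is.
audit_collector_ports() {
    ports=$(published_tcp_ports)
    rc=0
    for p in $REQUIRED_TCP; do
        if printf '%s\n' "$ports" | grep -qx "$p"; then
            echo "OK       tcp/$p published"
        else
            echo "MISSING  tcp/$p not published"
            rc=1
        fi
    done
    for p in $DEBUG_TCP; do
        if printf '%s\n' "$ports" | grep -qx "$p"; then
            echo "REVIEW   tcp/$p (pprof) published but not required"
            rc=1
        fi
    done
    return $rc
}

# Demo on the sample; on a real host pipe in: docker ps --format '{{.Ports}}'
printf '%s\n' "$SAMPLE_PORTS" | audit_collector_ports || true
```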
Firewall Rule Examples
iptables (Linux)
```shell
# Allow outbound to Sensor Collector
# (add -d <sensor-collector-host> to limit each rule to the collector's address)
iptables -A OUTPUT -p tcp --dport 55777 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 55888 -j ACCEPT
# Allow inbound for reflectors (if enabled)
iptables -A INPUT -p udp --dport 862 -j ACCEPT
iptables -A INPUT -p tcp --dport 5201 -j ACCEPT
iptables -A INPUT -p udp --dport 5201 -j ACCEPT
```
firewalld (RHEL/CentOS)
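```shell
# Open the Sensor Collector ports. firewall-cmd --add-port opens ports for
# inbound traffic in the default zone, so these two rules belong on a
# Sensor Collector in Gateway mode; firewalld does not filter outbound
# traffic by default, so agents need no rule to connect out.
firewall-cmd --permanent --add-port=55777/tcp
firewall-cmd --permanent --add-port=55888/tcp
# Allow inbound for reflectors (on the agent host, if enabled)
firewall-cmd --permanent --add-port=862/udp
firewall-cmd --permanent --add-port=5201/tcp
firewall-cmd --permanent --add-port=5201/udp
# Reload firewall
firewall-cmd --reload
```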
Related Documentation
- Agent Installation Guidelines - Complete port requirements
- Sensor Collector System Requirements - Collector requirements
- Network Requirements - TCP/UDP Ports - Full port matrix for Crosswork Assurance Sensors
© 2026 Cisco and/or its affiliates. All rights reserved.