Firewall and Port Requirements

Overview

Use this guide to understand the firewall rules and port requirements for the Cisco Crosswork Assurance components: Sensor Agents, the Sensor Collector, and the Crosswork Assurance platform.

Sensor Agent Port Requirements

| Direction | Protocol | Port | Destination | Purpose | Required? |
|-----------|----------|------|-------------|---------|-----------|
| Outbound | TCP | 55777 | Sensor Collector | Agent management (WebSocket) | Yes |
| Outbound | TCP | 55888 | Sensor Collector | Performance data (WebSocket) | Yes |
| Outbound | TCP | 443 | Crosswork Assurance | Sensor Collector to cloud/on-prem | Yes |
| Outbound | UDP/TCP | 53 | DNS server | Name resolution | If using FQDNs |
| Outbound | UDP | 123 | NTP server | Time synchronization | Recommended |
| Inbound | UDP | 862 | Agent host | TWAMP (Two-Way Active Measurement Protocol) reflector | If reflector enabled |
| Inbound | UDP | 7 | Agent host | UDP Echo reflector | If reflector enabled |
| Inbound | TCP/UDP | 5201 | Agent host | iPerf3 throughput reflector | If reflector enabled |

Note: Reflector ports (862, 7, 5201) are defaults. Different ports can be specified via the orchestration API and Docker port mapping.

Sensor Collector Port Requirements

| Direction | Protocol | Port | Purpose | Required? |
|-----------|----------|------|---------|-----------|
| Inbound | TCP | 55777 | Management of connected sensor agents | When in Gateway mode |
| Inbound | TCP | 55888 | Performance data via sensor agents | When in Gateway mode |
| Outbound | TCP | 53 | DNS Name Resolution | If using FQDNs |
| Outbound | TCP | 123 | NTP Time synchronization | Recommended |
| Inbound | TCP | 7070 | Debugging with pprof | No |
| Inbound | TCP | 7071 | Collecting tech support reports | Recommended |

Key Connectivity Notes

  • All connections from agent to Sensor Collector are initiated outbound
  • All connections from Sensor Collector to Crosswork Assurance are initiated outbound
  • NAT/PAT (Network/Port Address Translation) firewalls are supported between all components
  • Both IPv4 and IPv6 are supported

Verifying Port Connectivity

Test Outbound Connectivity

# Test management port
curl -k -vvv https://<sensor-collector-host>:55777

# Test data port
curl -k -vvv https://<sensor-collector-host>:55888

# Test Crosswork Assurance connectivity
curl -fv https://<your-instance>.crossworkassurance.cisco.com

Check Exposed Docker Ports

docker ps

The PORTS column of the output should include:

0.0.0.0:55777->55777/tcp, :::55777->55777/tcp
0.0.0.0:55888->55888/tcp, :::55888->55888/tcp
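
An added example, not part of the Cisco documentation: a shell function that reads `docker ps --format '{{.Ports}}'` output and compares the published host ports with the Sensor Collector table above, reporting a missing 55777 or 55888 and flagging a published pprof port (7070) or any port outside the table. The function name and the sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit published Docker ports against the Sensor Collector port table.
# Input (stdin): text from `docker ps --format '{{.Ports}}'`.
# Returns 0 when 55777/tcp and 55888/tcp are published and nothing needs review.
audit_collector_ports() {
    # One mapping per line, then keep "<host-port>/<proto>" for published ports only.
    # Handles "0.0.0.0:55777->55777/tcp", ":::55777->..." and "[::]:55777->...".
    # Entries without "->" (exposed but not published) are skipped.
    published=$(tr ',' '\n' |
        sed -n 's#^ *.*:\([0-9][0-9]*\)->[0-9]*/\([a-z]*\) *$#\1/\2#p' | sort -u)
    rc=0
    for want in 55777/tcp 55888/tcp; do
        if printf '%s\n' "$published" | grep -qx "$want"; then
            echo "OK       $want published"
        else
            echo "MISSING  $want not published (needed in Gateway mode)"
            rc=1
        fi
    done
    for p in $published; do
        case "$p" in
            55777/tcp|55888/tcp) ;;
            7071/tcp) echo "NOTE     $p published (tech support reports)" ;;
            7070/tcp) echo "REVIEW   $p published (pprof debugging, not required)"; rc=1 ;;
            *)        echo "REVIEW   $p published but not in the port table"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: both required ports, plus pprof published on all interfaces.
SAMPLE='0.0.0.0:55777->55777/tcp, :::55777->55777/tcp, 0.0.0.0:55888->55888/tcp, 0.0.0.0:7070->7070/tcp'
printf '%s\n' "$SAMPLE" | audit_collector_ports || echo "Result: findings need review"
# Live use: docker ps --format '{{.Ports}}' | audit_collector_ports
```

The check covers single-port mappings on the host side; published port ranges are not parsed.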

Firewall Rule Examples

iptables (Linux)

# Allow outbound to Sensor Collector
iptables -A OUTPUT -p tcp --dport 55777 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 55888 -j ACCEPT

# Allow inbound for reflectors (if enabled)
iptables -A INPUT -p udp --dport 862 -j ACCEPT
iptables -A INPUT -p tcp --dport 5201 -j ACCEPT
iptables -A INPUT -p udp --dport 5201 -j ACCEPT

firewalld (RHEL/CentOS)

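# Open the Sensor Collector listener ports (inbound, Gateway mode).
# firewall-cmd --add-port opens inbound ports in the zone; firewalld does not
# filter outbound traffic by default, so agent hosts need no rule for these ports.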
firewall-cmd --permanent --add-port=55777/tcp
firewall-cmd --permanent --add-port=55888/tcp

# Allow inbound for reflectors
firewall-cmd --permanent --add-port=862/udp
firewall-cmd --permanent --add-port=5201/tcp
firewall-cmd --permanent --add-port=5201/udp

# Reload firewall
firewall-cmd --reload

© 2026 Cisco and/or its affiliates. All rights reserved.
