When traffic is sent to VOS WAN or LAN or tunnel or any other interfaces IP, it gets dropped if there is no explicit services enabled on those interfaces such as BGP, IPsec, DHCP, DNS etc.

When any of services enabled on VOS interfaces, those interfaces will allow packets destined them and specific port where those services are configured. 

Any other packets destined to VOS WAN or LAN or tunnel interface or any other interface IP gets dropped unless there no Destination NAT or static NAT configured for those interface IP addresses along with firewall policy to allow this traffic. By default any transit traffic including destination NAT or static NAT from untrust zone such as WAN/Internet to trust zone is blocked implicitly.

If you want to look at ports opened on VOS interfaces, you can run following vty command:

$ vsh connect vsmd

vsm-vcsn0> show filter global table

VOS also has default control plane protection starting from 22.1. Prior to 22.1, we recommended customers to explicitly configure control plane and management protection using explicit qos policies - https://docs.versa-networks.com/Secure_SD-WAN/01_Configuration_from_Director/Common_Configuration/Configure_Control_and_Management_Plane_Protection

Following is VOS default control plane protection starting from 22.1 which is disabled by default:

To enable control plane protection and change above default control plane protection values based on your requirement from director, go to Others -> System -> Configuration -> Configuration -> Service Options -> Control Plane Protection -> Click Edit -> Control Plane Protection