United Kingdom and European Union Firewall Rules
Before installing Alert Logic products, you need to adjust your firewall rules so that data can be securely transferred to and from Alert Logic, along with allowing product updates to occur.
IDS appliance firewall rule requirements
IDS appliance inbound rules
Depending on your environment and default firewall rules, additional rules may be required to allow the Alert Logic EU data center to communicate with the Alert Logic appliances.
| Source | Destination | Protocol | Port | Product Function | Description |
|---|---|---|---|---|---|
| Accessible CIDR Range/IP Address | Appliance | TCP | 80 | Network IDS | Required for claiming only (can be removed once claiming has completed). |
| Agent CIDR (network subnet range of the agents) | Appliance | TCP | 7777 | Network IDS | Agent network data transport (between agent and appliance on the local network). Note: not required if SPAN/port mirroring is configured. |
| 185.54.124.0/24 | Appliance | TCP | 22 | Network IDS | TROUBLESHOOTING. DO NOT open port 22 unless Alert Logic support personnel request it for troubleshooting or provisioning. |
| Agent CIDR (network subnet range of the agents) | Appliance | TCP | 443 | Network IDS | (Optional) For when the appliance is used as a single point of egress for agent updates, agent routing, or log collection. |
IDS appliance outbound rules
Depending on your environment and default outbound firewall rules, additional rules may be required to allow the Alert Logic appliances to communicate with the Alert Logic EU data center.
| Source | Destination | Protocol | Port | Product Function | Description |
|---|---|---|---|---|---|
| Appliance | 8.8.4.4, 8.8.8.8 | TCP/UDP | 53 | Network IDS | DNS (the default DNS servers are shown; alternative DNS servers can be used). |
| Appliance | 185.54.124.0/24 | TCP | 443 | Network IDS | Updates and appliance management. |
| Appliance | 185.54.124.0/24 | TCP | 4138 | Network IDS | Event transport. |
| Appliance | Internal Network CIDRs | All | All | Network IDS | Scanning for Azure and Data Center deployments; completely scans all hosts within an environment. |
You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource. If that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.
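As an added example (not code from Alert Logic's documentation), the following script audits the OUTPUT chain of a Linux host firewall in front of an IDS appliance against the outbound rules in the table above, reporting required allows that are missing and any ACCEPT rule wider than that allow-list. The `iptables-save` dump is constructed, and the handling of loopback and ESTABLISHED/RELATED rules is an assumption about typical rule sets.

```python
import ipaddress

# Required egress rules for an IDS appliance, from the page's outbound table:
# (destination network, protocol, destination port).
REQUIRED_EGRESS = [
    ("185.54.124.0/24", "tcp", 443),   # updates and appliance management
    ("185.54.124.0/24", "tcp", 4138),  # event transport
    ("8.8.8.8/32", "udp", 53),         # DNS (substitute your own resolvers)
    ("8.8.8.8/32", "tcp", 53),
]

# Constructed sample of `iptables-save` output (not a real dump); it lacks TCP 4138.
SAMPLE_IPTABLES_SAVE = """\
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 185.54.124.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
"""


def parse_output_accepts(dump):
    """Yield (dst_net, proto, dport) for each OUTPUT ACCEPT rule that can admit a NEW
    connection; loopback-only and ESTABLISHED/RELATED-only rules are skipped."""
    for line in dump.splitlines():
        if not line.startswith("-A OUTPUT"):
            continue
        tok = line.split()
        # Simple "flag value" pairing; negated matches ("! -d") are not handled here.
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        if opts.get("-j") != "ACCEPT" or opts.get("-o") == "lo":
            continue
        if "NEW" not in opts.get("--ctstate", opts.get("--state", "NEW")).upper():
            continue
        dst = ipaddress.ip_network(opts["-d"], strict=False) if "-d" in opts else None
        dport = int(opts["--dport"]) if "--dport" in opts else None
        yield dst, opts.get("-p", "").lower() or None, dport


def audit_egress(dump, required=REQUIRED_EGRESS):
    """Return (missing, broad): required rules that no ACCEPT covers, and ACCEPT rules
    that allow any destination on any port (wider than the page's allow-list)."""
    accepts = list(parse_output_accepts(dump))
    missing = [(net, proto, port) for net, proto, port in required
               if not any((dst is None or ipaddress.ip_network(net).subnet_of(dst))
                          and p in (None, proto) and dp in (None, port)
                          for dst, p, dp in accepts)]
    broad = [r for r in accepts if r[0] is None and r[2] is None]
    return missing, broad
```

Feed it the real output of `iptables-save` on the host in place of the constructed sample; the same `REQUIRED_EGRESS` shape can hold the Log Manager, agent, or remote collector outbound rules from the later tables.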
Log Manager Appliance Firewall Rule requirements
You must add the following rules to allow the Log Manager to communicate with the Alert Logic EU data center. Note that some inbound rules are optional.
Log appliance inbound rules
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Accessible CIDR Range/IP Address | Appliance | TCP | 80 | Required for claiming only (can be removed once claiming has completed). |
| Remote source IP | Appliance | TCP/UDP | 514 | Log collection from remote source. |
| 185.54.124.0/24 | Appliance | TCP | 22 | TROUBLESHOOTING. DO NOT open port 22 unless Alert Logic support personnel request it for troubleshooting or provisioning. |
| Agent CIDR (network subnet range of the agents) | Appliance | TCP | 443 | (Optional) For when the appliance is used as a single point of egress for agent updates, agent routing, or log collection. |
Log appliance outbound rules
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Appliance | 8.8.4.4, 8.8.8.8 | TCP/UDP | 53 | DNS (the default DNS servers are shown; alternative DNS servers can be used). |
| Appliance | 185.54.124.0/24 | TCP | 443 | Data transport, updates, and appliance management. |
AWS scanner firewall rule requirements
The following outbound firewall rules are required for AWS scanning instances. They are configured automatically by the CloudFormation template, but you must ensure that the scan targets are reachable.
Scan outbound rules
| Type | Protocol | Port | Destination | Description |
|---|---|---|---|---|
| HTTP/S | TCP | 80, 443 | 0.0.0.0/0 | Data transport and appliance updates. |
| All traffic | All | All | VPC network addresses | Access to scan targets. |
| DNS | UDP/TCP | 53 | 0.0.0.0/0 | DNS |
You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource. If that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.
Agent firewall rule requirements
You must add the following rules to allow agents to communicate with the Alert Logic EU data center.
Agent outbound rules
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Protected host | 185.54.124.0/24 | TCP | 443 | Agent updates (direct) and data transport. |
| Protected host | Appliance | TCP | 7777 | Agent data transport (between agent and appliance on local network). |
| Protected host | Appliance | TCP | 443 | (Optional) Agent updates (single point of egress). |
Remote collector firewall rule requirements
The following rules are required to allow remote collectors to communicate with the Alert Logic EU data center and for remote sources to reach the collector.
Remote collector inbound rules
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Remote source IP address | Remote collector | TCP/UDP | 1515 | Remote collector listening port. Forward remote syslog to this port. Note: 1515 is the default port but you can change it within the Alert Logic console. To edit the Linux Remote System Log policy, see System Logs for Syslog Collection. |
Remote collector outbound rules
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Remote collector | 185.54.124.0/24 | TCP | 443 | Data transport and remote collector updates (direct). |
Alert Logic Managed Web Application Firewall (WAF)
Depending on your environment and default firewall rules, additional rules may be required for the WAF add-on.
WAF inbound rules
TCP ports 80 (HTTP) and 443 (HTTPS) must be open to the WAF VIP or load balancer frontend. Custom HTTP/HTTPS ports are also configurable. Additional rules vary depending on your environment.
High availability and cloud rules
These rules apply to AWS high availability deployments with two or more WAF instances running in parallel behind Elastic Load Balancing. They also apply to non-AWS cloud deployments.
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| 185.54.124.0/24 | Appliance | TCP | 4849 | Appliance user interface. |
| 185.54.124.0/24 | Appliance | TCP | 22 | Management SSH access from Alert Logic Data Center. |
| Load Balancer | Appliance | TCP | 4848 | From the load balancer for health checking WAF instances. |
| Appliance | Appliance | TCP | 2000 | Open between the pair for WAF sync. |
| Appliance | Appliance | TCP | 5555-5556 | Open between the pair for WAF sync. |
AWS Auto Scaling rules
These rules apply to AWS Auto Scaling configurations.
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Management WAF AWS Load Balancer | Management WAF instance | TCP | 4848 | From load balancer for health check. |
| Worker | Management WAF | TCP | 5555-5556 | Open between Management and Workers for WAF sync. |
| Worker | Management WAF | TCP | 5559-5560 | Open between Management and Workers for WAF sync. |
| 185.54.124.0/24 | Appliance | TCP | 2222 | SSH access. |
| 185.54.124.0/24 | Appliance | TCP | 4849 | Appliance user interface. |
| Management WAF Load Balancer | Management WAF instance | TCP | 22 | Open from Management Load Balancer to Management WAF instance for SSH access. |
| Master instance | Worker instances | TCP | 22 | Open between Management and Workers for SSH access. |
| Worker instances | Management WAF instance | TCP | 2625 | Open between Management and Workers for statistics transfer. |
| Worker instances | Management WAF instance | UDP | 514 | Open between Management and Workers for data transfer. |
| Worker instances | Management WAF instance | UDP | 123 | Open between Management and Workers for NTP. |
WAF outbound rules
| Source | Destination | Protocol | Port | Product Function | Description |
|---|---|---|---|---|---|
| Appliance | DNS servers | TCP/UDP | 53 | WAF | DNS |
| Appliance | 204.110.218.96/27 | UDP | 123 | WAF | Chronyc (WAF) |
| Appliance | 0.0.0.0/0 | TCP | 443 | WAF | S3 access (optional for non-AWS customers) |
You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource. If that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.