United Kingdom and European Union Firewall Rules

Before installing Alert Logic products, you need to adjust your firewall rules so that data can be securely transferred to and from Alert Logic, along with allowing product updates to occur.

Communication with Alert Logic Network IDS appliances

Appliance inbound

Depending on your environment and default firewall rules, additional rules may be required to allow the Alert Logic EU data center to communicate with the Alert Logic appliances.

Source Destination Protocol Port Product Function Description
Agent(s) CIDR- network subnet range for the agent(s) Appliance TCP 443 Network IDS Agent updates, agent routing, log collection
Agent(s) CIDR- network subnet range for the agent(s) Appliance TCP 7777 Network IDS Agent data transport (between agent and appliance on local network)
Accessible CIDR Range/IP Address Appliance TCP 80 Network IDS For virtual appliance claim only.
185.54.124.0/24 Appliance TCP 5666 Network IDS Appliance monitoring (Debian only)
185.54.124.0/24 Appliance TCP 22   DO NOT open port 22 unless an Alert Logic support personnel requests it for troubleshooting or provisioning.

Appliance outbound

Depending on your environment and default outbound firewall rules, additional rules may be required to allow the Alert Logic appliances to communicate with the Alert Logic EU data center.

Source Destination Protocol Port Product Function Description
Appliance 8.8.8.8 TCP/UDP 53 Network IDS DNS (default DNS servers, alternative DNS servers can be used)
Appliance 8.8.4.4 TCP/UDP 53 Network IDS DNS (default DNS servers, alternative DNS servers can be used)
Appliance 185.54.124.0/24 TCP 443 Network IDS Updates, data transport, and appliance management
Appliance 185.54.124.0/24 TCP 4138 Network IDS Event transport
Appliance 185.54.124.0/24 UDP/TCP All Network IDS Debian only

You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource. If that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.

Agent or remote collector outbound rules

You must add the following rules to allow agents or remote collectors to communicate with the EU data center.

Source Destination Protocol Port Description
Source host Appliance TCP 7777 Data transport
Protected host 185.54.124.0/24 TCP 443 Agent updates (direct)
Protected host Appliance TCP 443 Agent updates (single point egress)

You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource. If that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.

Scanning

The following outbound firewall rules are required for AWS scanning instances.

Type Protocol Port Range Destination Description
HTTP TCP 80 0.0.0.0/0 Appliance updates
All traffic All All VPC network addresses Access to scan targets
DNS (UDP) UDP 53 0.0.0.0/0 DNS
DNS (TCP) TCP 53 0.0.0.0/0 DNS
HTTPS TCP 443 0.0.0.0/0 Appliance updates and data transport

Alert Logic Managed Web Application Firewall (WAF)

Depending on your environment and default firewall rules, additional rules may be required for the WAF add-on.

WAF inbound

High availability and cloud

These rules apply to AWS high availability deployments with two or more WAF instances running in parallel behind Elastic Load Balancing. They also apply to non-AWS cloud deployments.

Source Destination Protocol Port Description
185.54.124.0/24 Appliance TCP 4849 Appliance user interface
185.54.124.0/24 Appliance TCP 22 Management SSH access from Alert Logic Data Center
Load Balancer Appliance TCP 4848 From load balance for health checking WAF instances
Appliance Appliance TCP 2000 Open between the pair for WAF sync
Appliance Appliance TCP 5555-5556 Open between the pair for WAF sync

AWS Auto Scaling

These rules apply to AWS Auto Scaling configurations.

Source Destination Protocol Port Description
Management WAF AWS Load Balancer Management WAF instance TCP 4848 From load balancer for health check
Worker Management WAF TCP 5555-5556 Open between Management and Workers for WAF sync
Worker Management WAF TCP 5559-5560 Open between Management and Workers for WAF sync
185.54.124.0/24 Appliance TCP 2222 SSH access
185.54.124.0/24 Appliance TCP 4849 Appliance user interface
Management WAF Load Balancer Management WAF TCP 22 Open from Management Load Balancer to Management WAF instance for SSH access
Management WAF instance Worker instances TCP 22 Open between Management and Workers for SSH access
Worker instances Management WAF instance TCP 2625 Open between Management and Workers for statistics transfer
Worker instances Management WAF instance UDP 514 Open between Management and Workers for data transfer
Worker instances Management WAF instance UDP 123 Open between Management and Workers for NTP

WAF outbound

Source Destination Protocol Port Product Function Description
Appliance DNS servers TCP/UDP 53 WAF DNS
Appliance 204.110.218.96/27 UDP 123   Chronyc (WAF)
Appliance 0.0.0.0/0 TCP 443 WAF S3 access (optional for non-AWS customers)

You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource. If that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.

Platform-specific information

AWS marketplace customers

If you select a default security group in the AWS marketplace, AWS automatically configures firewall rules. The default rules are acceptable, but you can change them to the recommended rules.

Outbound firewall rules for AWS pertain only to VPC customers. By default, the outbound rules open any port to any destination.

The CloudFormation template or Terraform template Alert Logic provided to you sets up the firewall rules when it creates your instances.

Google Cloud Platform customers

The Terraform template that Alert Logic provided to you sets up the firewall rules when it creates your instances in Google Cloud Platform (GCP).

Azure customers

The Terraform template Alert Logic provided to you sets up the firewall rules when it creates your instances.