United States Firewall Rules

Before you install Alert Logic products, you need to adjust your firewall rules so that data can be securely transferred to and from Alert Logic, along with allowing product updates to occur.

Communication with Alert Logic Network IDS appliances

Appliance inbound

Depending on your environment and default firewall rules, additional rules may be required to allow the Alert Logic US data center to communicate with the Alert Logic appliances.

Source Destination Protocol Port Product Function Description
Accessible CIDR Range/IP Address Appliance TCP 80 Network IDS For virtual appliance claim only. Remove the rule after you claim the appliance.
Agent(s) CIDR- network subnet range for the agent(s) Appliance TCP 443 Network IDS Agent updates, agent routing, log collection
Agent(s) CIDR- network subnet range for the agent(s) Appliance TCP 7777 Network IDS Agent data transport (between agent and appliance on local network)
204.110.218.96/27 Appliance TCP 22   DO NOT open port 22 unless an Alert Logic support personnel requests it for troubleshooting or provisioning.
204.110.219.96/27 Appliance TCP 22   DO NOT open port 22 unless an Alert Logic support personnel requests it for troubleshooting or provisioning.
208.71.209.32/27 Appliance TCP 22   DO NOT open port 22 unless an Alert Logic support personnel requests it for troubleshooting or provisioning.

Appliance outbound

Depending on your environment and default outbound firewall rules, additional rules may be required to allow the Alert Logic appliances to communicate with the Alert Logic US data center.

Source Destination Protocol Port Product Function Description
Appliance 8.8.4.4 TCP/UDP 53 Network IDS DNS (default DNS servers, alternative DNS servers can be used)
Appliance 8.8.8.8 TCP/UDP 53 Network IDS DNS (default DNS servers, alternative DNS servers can be used)
Appliance 204.110.218.96/27 TCP 443 Network IDS Updates and appliance management
Appliance 204.110.219.96/27 TCP 443 Network IDS Updates and appliance management
Appliance 208.71.209.32/27 TCP 443 Network IDS Updates and appliance management
Appliance 204.110.218.96/27 TCP 4138 Network IDS Event transport
Appliance 204.110.219.96/27 TCP 4138 Network IDS Event transport
Appliance 208.71.209.32/27 TCP 4138 Network IDS Event transport

You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource. If that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.

Agent or remote collector outbound rules

You must add the following rules to allow agents or remote collectors to communicate with the US data center.

Source Destination Protocol Port Description
Protected host 208.71.209.32/27 TCP 443 Agent updates (direct), data transport
Protected host 204.110.218.96/27 TCP 443 Agent updates (direct), data transport
Protected host 204.110.219.96/27 TCP 443 Agent updates (direct), data transport
Protected host Appliance TCP 443 Agent updates (single point egress)
Protected host Appliance TCP 7777 Agent data transport (between agent and appliance on local network)

You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource. If that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.

Scanning

The following outbound firewall rules are required for AWS scanning instances.

Type Protocol Port Range Destination Description
HTTP TCP 80 0.0.0.0/0 Appliance updates
All traffic All All VPC network addresses Access to scan targets
DNS (UDP) UDP 53 0.0.0.0/0 DNS
DNS (TCP) TCP 53 0.0.0.0/0 DNS
HTTPS TCP 443 0.0.0.0/0 Appliance updates and data transport

Alert Logic Managed Web Application Firewall (WAF)

Depending on your environment and default firewall rules, additional rules may be required for the WAF add-on.

WAF inbound

TCP port 80 (HTTP) and TCP port 443 (HTTPS) must be open to the WAF, and custom HTTP/HTTPS ports are also configurable. Additional rules vary depending on your environment.

High availability and cloud

These rules apply to AWS high availability deployments with two or more WAF instances running in parallel behind Elastic Load Balancing. They also apply to non-AWS cloud deployments.

Source Destination Protocol Port Product Function Description
Load Balancer Appliance TCP 4848 WAF From load balancer for health check (applies only if using AWS Elastic Load Balancing)
Appliance Appliance TCP 2000 WAF Open between the pair for WAF sync
Appliance Appliance TCP 5556 WAF Open between the pair for WAF sync
204.110.218.96/27 Appliance TCP 4849 WAF Appliance user interface
204.110.219.96/27 Appliance TCP 4849 WAF Appliance user interface
208.71.209.96/27 Appliance TCP 4849 WAF Appliance user interface
204.110.218.96/27 Appliance TCP 22   Management SSH access from Alert Logic Data Center
204.110.219.96/27 Appliance TCP 22   Management SSH access from Alert Logic Data Center
208.71.209.96/27 Appliance TCP 22   Management SSH access from Alert Logic Data Center

AWS Auto Scaling

These rules apply to AWS Auto Scaling configurations.

Source Destination Protocol Port Product Function Description
Master AWS Elastic Load Balancer Master instance TCP 4848 WAF From load balancer for health check

Worker

Master TCP 5556 WAF Open between Master and Workers for WAF sync
Worker Master TCP 5559-5560 WAF Open between Master and Workers for WAF sync
204.110.218.96/27 Appliance TCP 2222 WAF SSH access
204.110.219.96/27 Appliance TCP 2222 WAF SSH access
208.71.209.96/27 Appliance TCP 2222 WAF SSH access
204.110.218.96/27 Appliance TCP 4849 WAF Appliance user interface
204.110.219.96/27 Appliance TCP 4849 WAF Appliance user interface
208.71.209.96/27 Appliance TCP 4849 WAF Appliance user interface
Master Elastic Load Balancer Master instance TCP 22 WAF Open from Master Elastic Load Balancer to Master instance for SSH access
Master instance Worker instances TCP 22 WAF Open between Master and Workers for SSH access
Worker instances Master instance TCP 2625 WAF Open between Master and Workers for statistics transfer
Worker instances Master instance UDP 514 WAF Open between Master and Workers for data transfer
Worker instances Master instance UDP 123 WAF Open between Master and Workers for NTP

WAF outbound

Source Destination Protocol Port Product Function Description
Appliance DNS Servers TCP/UDP 53 WAF DNS
Appliance 204.110.218.96/27 UDP 123 WAF Chronyc (WAF)
Appliance 0.0.0.0/0 TCP 443 WAF S3 access (optional for non-AWS customers)

You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource. If that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.

Platform-specific information

AWS marketplace customers

If you select a default security group in the AWS marketplace, AWS automatically configures firewall rules. The default rules are acceptable, but you can change them to the recommended rules.

Outbound firewall rules for AWS pertain only to VPC customers. By default, the outbound rules open any port to any destination.

The CloudFormation template or Terraform template Alert Logic provided to you sets up the firewall rules when it creates your instances.

Google Cloud Platform customers

The Terraform template that Alert Logic provided to you sets up the firewall rules when it creates your instances in Google Cloud Platform (GCP).

Azure customers

The Terraform template Alert Logic provided to you sets up the firewall rules when it creates your instances.