United States Firewall Rules

Before you install Alert Logic products, you need to adjust your firewall rules so that data can be securely transferred to and from Alert Logic, along with allowing product updates to occur.

Communication with Alert Logic Network IDS appliances

Appliance inbound

Depending on your environment and default firewall rules, additional rules may be required to allow the Alert Logic US data center to communicate with the Alert Logic appliances.

Source Destination Protocol Port Product Function Description
Accessible CIDR Range/IP Address Appliance TCP 80 Network IDS For virtual appliance claim only. Remove the rule after you claim the appliance.
Agent(s) CIDR- network subnet range for the agent(s) Appliance TCP 443 Network IDS Agent updates, agent routing, log collection
Agent(s) CIDR- network subnet range for the agent(s) Appliance TCP 7777 Network IDS Agent data transport (between agent and appliance on local network)
204.110.218.96/27 Appliance TCP 22   DO NOT open port 22 unless an Alert Logic support personnel requests it for troubleshooting or provisioning.
204.110.219.96/27 Appliance TCP 22   DO NOT open port 22 unless an Alert Logic support personnel requests it for troubleshooting or provisioning.
208.71.209.32/27 Appliance TCP 22   DO NOT open port 22 unless an Alert Logic support personnel requests it for troubleshooting or provisioning.

Appliance outbound

Depending on your environment and default outbound firewall rules, additional rules may be required to allow the Alert Logic appliances to communicate with the Alert Logic US data center.

Source Destination Protocol Port Product Function Description
Appliance 8.8.4.4 TCP/UDP 53 Network IDS DNS (default DNS servers, alternative DNS servers can be used)
Appliance 8.8.8.8 TCP/UDP 53 Network IDS DNS (default DNS servers, alternative DNS servers can be used)
Appliance 204.110.218.96/27 TCP 443 Network IDS Updates and appliance management
Appliance 204.110.219.96/27 TCP 443 Network IDS Updates and appliance management
Appliance 208.71.209.32/27 TCP 443 Network IDS Updates and appliance management
Appliance 204.110.218.96/27 TCP 4138 Network IDS Event transport
Appliance 204.110.219.96/27 TCP 4138 Network IDS Event transport
Appliance 208.71.209.32/27 TCP 4138 Network IDS Event transport

You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource. If that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.

Agent or remote collector outbound rules

You must add the following rules to allow agents or remote collectors to communicate with the US data center.

Source Destination Protocol Port Description
Protected host 208.71.209.32/27 TCP 443 Agent updates (direct), data transport
Protected host 204.110.218.96/27 TCP 443 Agent updates (direct), data transport
Protected host 204.110.219.96/27 TCP 443 Agent updates (direct), data transport
Protected host Appliance TCP 443 Agent updates (single point egress)
Protected host Appliance TCP 7777 Agent data transport (between agent and appliance on local network)

You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource. If that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.

Scanning

The following outbound firewall rules are required for AWS scanning instances.

Type Protocol Port Range Destination Description
HTTP TCP 80 0.0.0.0/0 Appliance updates
All traffic All All VPC network addresses Access to scan targets
DNS (UDP) UDP 53 0.0.0.0/0 DNS
DNS (TCP) TCP 53 0.0.0.0/0 DNS
HTTPS TCP 443 0.0.0.0/0 Appliance updates and data transport

Alert Logic Managed Web Application Firewall (WAF)

Depending on your environment and default firewall rules, additional rules may be required for the WAF add-on.

WAF inbound

TCP port 80 (HTTP) and TCP port 443 (HTTPS) must be open to the WAF VIP or Load Balancer Frontend, and custom HTTP/HTTPS ports are also configurable. Additional rules vary depending on your environment.

High availability and cloud

These rules apply to AWS high availability deployments with two or more WAF instances running in parallel behind Elastic Load Balancing. They also apply to non-AWS cloud deployments.

Source Destination Protocol Port Description
204.110.218.96/27 Appliance TCP 4849 Appliance user interface
204.110.219.96/27 Appliance TCP 4849 Appliance user interface
208.71.209.32/27 Appliance TCP 4849 Appliance user interface
204.110.218.96/27 Appliance TCP 22 Management SSH access from Alert Logic Data Center
204.110.219.96/27 Appliance TCP 22 Management SSH access from Alert Logic Data Center
208.71.209.32/27 Appliance TCP 22 Management SSH access from Alert Logic Data Center
Load Balancer Appliance TCP 4848 From load balancer for health checking WAF instances
Appliance Appliance TCP 2000 Open between the pair for WAF sync
Appliance Appliance TCP 5555-5556 Open between the pair for WAF sync

AWS Auto Scaling

These rules apply to AWS Auto Scaling configurations.

Source Destination Protocol Port Description
Management WAF AWS Load Balancer Management WAF TCP 4848 From load balancer for health check

Worker

Management WAF TCP 5555-5556 Open between Management and Workers for WAF sync
Worker Management WAF TCP 5559-5560 Open between Management and Workers for WAF sync
204.110.218.96/27 Appliance TCP 2222 SSH access
204.110.219.96/27 Appliance TCP 2222 SSH access
208.71.209.32/27 Appliance TCP 2222 SSH access
204.110.218.96/27 Appliance TCP 4849 Appliance user interface
204.110.219.96/27 Appliance TCP 4849 Appliance user interface
208.71.209.32/27 Appliance TCP 4849 Appliance user interface
Management WAF Load Balancer Management WAF instance TCP 22 Open from Management Load Balancer to Management WAF instance for SSH access
Master instance Worker instances TCP 22 Open between Management and Workers for SSH access
Worker instances Management WAF instance TCP 2625 Open between Management and Workers for statistics transfer
Worker instances Management WAF instance UDP 514 Open between Management and Workers for data transfer
Worker instances Management WAF instance UDP 123 Open between Management and Workers for NTP

WAF outbound

Source Destination Protocol Port Description
Appliance DNS Servers TCP/UDP 53 DNS
Appliance 204.110.218.96/27 UDP 123 Chronyc (WAF)
Appliance 0.0.0.0/0 TCP 443 S3 access (optional for non-AWS customers)

You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource. If that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.

Platform-specific information

AWS marketplace customers

If you select a default security group in the AWS marketplace, AWS automatically configures firewall rules. The default rules are acceptable, but you can change them to the recommended rules.

Outbound firewall rules for AWS pertain only to VPC customers. By default, the outbound rules open any port to any destination.

The CloudFormation template or Terraform template Alert Logic provided to you sets up the firewall rules when it creates your instances.

Google Cloud Platform customers

The Terraform template that Alert Logic provided to you sets up the firewall rules when it creates your instances in Google Cloud Platform (GCP).

Azure customers

The Terraform template Alert Logic provided to you sets up the firewall rules when it creates your instances.