GSEC FirewallandProxyRulesforSecurityAgentEgress 241123 0918 1518
However, for laptop devices which may roam and stay outside of a group-managed network for extended periods of time, it is critical that access to the cloud-based control servers for that agent is maintained. As a result, proxy servers - including Zscaler - must not be used for connecting to these security servers on laptop devices, and a proxy bypass needs to be in effect.
Inconsistent Proxy support in agents
  The three security agents we have deployed all handle and use proxy servers differently. Whilst proxies are a fact of life, for any device which roams and leaves a desk (i.e. laptop PCs), we need to ensure that there will never be a proxy detection failure which causes the agent to stop reporting in to the cloud servers.

Communication is critical
  Group Information Security Services will be heavily relying on real-time data from our security agents to ensure that we meet our compliance obligations to NTT and can detect and respond to incidents as quickly as possible. Anything which jeopardises that real-time communication is a problem we must avoid.
Proxy servers are excellent tools. However, they are one more control which could be accidentally mis-configured, or go offline. Losing the ability to browse the web is not a critical
event, but losing the visibility from our security agents would be such an event.
By creating dedicated firewall rules which guarantee that access to the agent control servers is permitted, we avoid the potential problems that may arise and affect our ability to manage security incidents at potentially the worst possible time - during an incident caused by an advanced threat actor.
Any rules which apply to Proxies in this page must also be applied to Zscaler Internet Access (ZIA). All security related communications must not be interfered with by Zscaler.
Required Settings
Firewalls
The GISS team recommends that you create a rule group at the top of your firewall policy and name this group "Security Agents" or similar. The rules below can then be placed in this group and routinely updated by cross-referencing back to this page, so that you always know your endpoint devices can communicate with the cloud servers.
Laptop devices

Qualys Cloud Agent
  Destination: 64.39.96.0/20 (64.39.96.1-64.39.111.254), qagpublic.qg2.apps.qualys.com
  Protocol/port: HTTPS/443
  Notes: This is the only connection required for Qualys Cloud Agent.

Cisco Umbrella Roaming Client
  Destination: 208.67.222.222, 208.67.220.220, 2620:119:53::53, 2620:119:35::35 (no hostname)
  Protocol/port: UDP/53, UDP/443
  Notes: UDP port 443 is used for encryption of the DNS queries so that DNS cannot be sniffed. If encrypted DNS impacts your ability in region to perform dynamic security inspection and routing (i.e. with Secure Internet Breakout), you may choose to optionally block access to 208.67.222 and 208.67.220.200 on UDP 443 on your internet firewall.

Cisco Umbrella Roaming Client
  Destination: 72.21.91.29 crl3.digicert.com; 93.184.220.29 ocsp.digicert.com; 205.234.175.175
  Protocol/port: HTTP/80
  Notes: These hostnames are part of a CDN and subject to change. The firewall rule should use the hostname only rather than the static IP address.

Cisco Umbrella Roaming Client
  Destination: 67.215.92.201 api.opendns.com; 67.215.92.210 disthost.opendns.com; 146.112.255.101 disthost.umbrella.com
  Protocol/port: HTTPS/443
  Notes: Use DNS-based rules rather than IP where possible.

Cisco Umbrella Roaming Client
  Destination: 146.112.63.0/24 sync.hydra.opendns.com
  Protocol/port: HTTPS/443
  Notes: Use DNS-based rules rather than IP where possible.
Cisco Umbrella block pages (not agent specific)
  Destination: 67.215.64.0/19, 204.194.232.0/21, 208.67.216.0/21, 208.69.32.0/21, 185.60.84.0/22, 146.112.61.0/24, 146.112.128.0/18, 146.112.192.0/18 (no hostname)
  Protocol/port: HTTP/80, HTTPS/443
  Notes: These are the Cisco Umbrella block pages. They must not traverse a proxy server, either explicit or transparent. Details are provided here: https://support.umbrella.com/hc/en-us/articles/230563527-Using-Umbrella-with-an-HTTP-proxy
Servers

Qualys Cloud Agent
  Destination: 64.39.96.0/20 (64.39.96.1-64.39.111.254), qagpublic.qg2.apps.qualys.com
  Protocol/port: HTTPS/443
  Notes: Only required if servers do not have a proxy server statically configured.

Cisco Umbrella block pages (not agent specific)
  Destination: 67.215.64.0/19, 204.194.232.0/21, 208.67.216.0/21, 208.69.32.0/21, 185.60.84.0/22, 146.112.128.0/18, 146.112.192.0/18 (no hostname)
  Protocol/port: HTTP/80, HTTPS/443
  Notes: These are the Cisco Umbrella block pages. They should not traverse a proxy server, either explicit or transparent. For servers where there is no direct Internet access permitted, these rules can be ignored; however, if a user is browsing websites from a server and their request is blocked, they will not see the Umbrella block page and will just see a connection failure instead. See https://support.umbrella.com/hc/en-us/articles/230563527-Using-Umbrella-with-an-HTTP-proxy
CrowdStrike Falcon (US1) - Falcon Cloud
  Destination: ts01-b.cloudsink.net (CrowdStrike US1 IP address list)
  Protocol/port: HTTPS/443
  Notes: Only required if servers do not have a proxy server statically configured.
CrowdStrike Falcon (US1) - Falcon Cloud
  Destination: lfodown01-b.cloudsink.net (CrowdStrike US1 IP address list)
  Protocol/port: HTTPS/443
  Notes: Only required if servers do not have a proxy server statically configured.
Proxy settings
Zscaler ZIA is a Proxy
Any rules which apply to Proxies in this page must also be applied to Zscaler Internet Access (ZIA). All security related communications must not be interfered with by Zscaler.
Laptop devices must not use proxy servers for any security agents. Due to their roaming nature, all IP connectivity to security service cloud providers must be direct: your perimeter firewalls must be configured to permit the traffic, and any proxy settings must be configured to bypass the proxy for those services. This ensures that when a laptop is roaming outside a group-managed network it can still communicate with the cloud service rather than attempt to connect to a proxy server it cannot reach.
SSL Inspection
  SSL Inspection disabled for all security agent communications:
    *.qualys.com
    crl3.digicert.com
    crl4.digicert.com
    *.opendns.com
    *.umbrella.com
    ts01-b.cloudsink.net
    lfoup01-b.cloudsink.net
    lfodown01-b.cloudsink.net
Explicit Proxy and DNS resolution
  All endpoint devices must perform direct DNS resolution, even if the operating system uses an explicit proxy server for web browsing. When using an explicit proxy server, it stops the endpoint from performing DNS lookups, and Cisco Umbrella relies on seeing all DNS lookups directly for policy enforcement. CrowdStrike Falcon is used for DNS lookup correlation and therefore also requires that the settings defined here are enforced.

  This change forces clients to perform their own DNS query before connecting via the proxy server. Without this setting, clients will not perform DNS and will rely on the proxy server to perform the DNS lookup on their behalf. This stops Umbrella and CrowdStrike Falcon from seeing the DNS request from the client and being able to apply per-client identification and per-client policies (if defined).

  If your OpCo uses explicit proxy servers but does not use proxy PAC files, you will have to use Group Policies to apply proxy bypass rules on your endpoint devices so that your users always know when Umbrella has blocked access to a website.

  PAC file content required for Cisco Umbrella:

```javascript
function FindProxyForURL(url, host) {
  // Generate DNS request on the client (dnsResolve returns null if the lookup fails)
  var hostIP = dnsResolve(host);
  // If the requested website is using an Umbrella IP address, return DIRECT
  if (isInNet(hostIP, "67.215.64.0", "255.255.224.0") ||
      isInNet(hostIP, "204.194.232.0", "255.255.248.0") ||
      isInNet(hostIP, "208.67.216.0", "255.255.248.0") ||
      isInNet(hostIP, "208.69.32.0", "255.255.248.0") ||
      isInNet(hostIP, "185.60.84.0", "255.255.252.0") ||
      isInNet(hostIP, "146.112.61.0", "255.255.255.0") ||
      isInNet(hostIP, "146.112.128.0", "255.255.192.0") ||
      isInNet(hostIP, "146.112.192.0", "255.255.192.0")) {
    return "DIRECT";
  }
  // DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
  return "PROXY <Proxy IP>:<Proxy Port>; PROXY <Proxy IP>:<Proxy Port>";
}
```
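The PAC decisions above (and the Umbrella subnets from the firewall tables they depend on) can be checked offline before the file is pushed to endpoints. This is an added example, not the page's own PAC file: dnsResolve is a stub returning constructed addresses, isInNet and shExpMatch re-implement the PAC helper functions, the agent hostname patterns generalise the page's SSL-inspection exclusion list to cover the laptop bypass rule, and the proxy address is a placeholder.

```javascript
// Added example, not from the original page: an offline harness that checks the
// proxy-bypass decisions of a PAC file before it is deployed. Subnets and hostname
// patterns come from the page; DNS answers and the proxy address are constructed.

// Constructed DNS answers; null models a lookup that fails on the client.
const FAKE_DNS = {
  "blocked.example": "146.112.61.108",    // inside an Umbrella range from the page
  "www.example.com": "93.184.216.34",     // ordinary site, should go via the proxy
  "unresolvable.example": null,
};
function dnsResolve(host) {
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

// PAC helper: true when ip lies in net/mask (dotted quads). A null ip never matches,
// so a failed lookup falls through to the default rule instead of bypassing.
function isInNet(ip, net, mask) {
  if (!ip) return false;
  const toInt = (q) => q.split(".").reduce((a, o) => (a << 8) | Number(o), 0) >>> 0;
  const m = toInt(mask);
  return ((toInt(ip) & m) >>> 0) === ((toInt(net) & m) >>> 0);
}

// PAC helper: shell-style wildcard match on the hostname.
function shExpMatch(host, pattern) {
  const re = "^" + pattern.replace(/\./g, "\\.").replace(/\*/g, ".*") + "$";
  return new RegExp(re, "i").test(host);
}

// Umbrella subnets from the firewall table, as CIDR, converted to the mask form
// the page's PAC file uses so the two lists can be cross-checked.
const UMBRELLA_CIDRS = ["67.215.64.0/19", "204.194.232.0/21", "208.67.216.0/21",
  "208.69.32.0/21", "185.60.84.0/22", "146.112.61.0/24", "146.112.128.0/18",
  "146.112.192.0/18"];
function cidrToNetMask(cidr) {
  const [net, bits] = cidr.split("/");
  const m = bits === "0" ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return [net, [24, 16, 8, 0].map((s) => (m >>> s) & 255).join(".")];
}

// Agent hostnames that laptops must reach directly (generalised from the page's
// SSL-inspection exclusion list); they bypass the proxy before any DNS lookup.
const AGENT_HOSTS = ["*.qualys.com", "*.cloudsink.net", "*.opendns.com", "*.umbrella.com"];
function FindProxyForURL(url, host) {
  if (AGENT_HOSTS.some((p) => shExpMatch(host, p))) return "DIRECT";
  const hostIP = dnsResolve(host);                 // DNS query generated on the client
  if (UMBRELLA_CIDRS.some((c) => isInNet(hostIP, ...cidrToNetMask(c)))) return "DIRECT";
  return "PROXY proxy.example:8080";               // placeholder proxy, fail-over list omitted
}
```

Replace FAKE_DNS with the hostnames you expect to be blocked and the harness will tell you whether each one would reach the Umbrella block page directly or be sent through the proxy.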
Transparent Proxy bypass
  Transparent proxies must be bypassed and direct IP connections must be allowed for the security agents.

  Cisco Umbrella Proxy Bypass:
    67.215.64.0/19
    204.194.232.0/21
    208.67.216.0/21
    208.69.32.0/21
    185.60.84.0/22
    146.112.61.0/24
    146.112.128.0/18
    146.112.192.0/18

  CrowdStrike Falcon Proxy Bypass: as per Firewall rules for laptops.

  Qualys Proxy Bypass: as per Firewall rules for laptops.