
Firewall and Proxy Rules for Security Agent Egress

Category: Group Security Controls
Solution: Qualys, Umbrella, CrowdStrike Falcon
Purpose: All OpCos and affiliates must implement and maintain Firewall and Proxy bypass rules which permit the Group Security Controls to function
Audience: GISS Architecture team
Control: CONFIG MAINTAIN
Compliance: MANDATORY
Compliance Date: September 2017
Classification: INTERNAL
Document Owner: Edward Luck

On this page:
  Network Egress Requirements
  Why should agent connections go direct rather than via a Proxy?
  Required Settings
    Firewalls
      Rules for laptops and workstations
        Qualys
        Cisco Umbrella
        Cisco Umbrella
        CrowdStrike Falcon
        Falcon Forensics
      Rules for Servers
        Qualys
        Cisco Umbrella
        CrowdStrike Falcon
    Proxy settings
  Reference

Network Egress Requirements


The group has three security agents deployed as a mandatory directive from Group Executive and NTT. Each agent must be able to communicate in real time with its cloud-based controller regardless of its location. For servers and desktop PCs which do not roam, this is not a complex problem, and a static configuration customised to the office location is acceptable.

However, for laptop devices which may roam and stay outside of a group-managed network for extended periods of time, it is critical that access to the cloud-based control servers for that agent is maintained. As a result, proxy servers - including Zscaler - must not be used for connecting to these security servers on laptop devices, and a proxy bypass needs to be in effect.

Why should agent connections go direct rather than via a Proxy?


There are a couple of reasons for this, which we will describe in detail:

Reason: Inconsistent Proxy support in agents
Details: The three security agents we have deployed all handle and use proxy servers differently. Whilst proxies are a fact of life, for any device which roams and leaves a desk (i.e. laptop PCs), we need to ensure that there will never be a proxy detection failure which causes the agent to stop reporting in to the cloud servers.

Reason: Communication is critical
Details: Group Information Security Services will be heavily relying on real-time data from our security agents to ensure that we meet our compliance obligations to NTT and can detect and respond to incidents as quickly as possible. Anything which jeopardises that real-time communication is a problem we must avoid.

Proxy servers are excellent tools. However, they are one more control which could be accidentally mis-configured, or go offline. Losing the ability to browse the web is not a critical event, but losing the visibility from our security agents would be such an event.

By creating dedicated firewall rules which guarantee that access to the agent control servers is permitted, we avoid the potential problems that may arise and affect our ability to manage security incidents at potentially the worst possible time - during an incident caused by an advanced threat actor.

Zscaler ZIA is a Proxy

Any rules which apply to Proxies in this page must also be applied to Zscaler Internet Access (ZIA). All security related communications must not be interfered with by Zscaler.

Required Settings

Firewalls
The GISS team recommends that you create a rule group at the top of your Firewall policy and name this group "Security Agents" or similar. The rules below can then be placed in this group and routinely updated by cross-referencing back to this page, so that you always know your endpoint devices can communicate with the cloud servers.

Rules for laptops and workstations


The following IP addresses, hostnames and ports/protocols must be permitted directly for laptop and workstation devices.

Solution: Qualys
Type: Cloud Agent
Destination IP addresses: 64.39.96.0/20 (64.39.96.1-64.39.111.254)
Destination Hostnames: qagpublic.qg2.apps.qualys.com
Ports Required: HTTPS/443
Comments: This is the only connection required for Qualys Cloud Agent.

Solution: Cisco Umbrella
Type: Roaming Client
Destination IP addresses: 208.67.222.222, 208.67.220.220, 2620:119:53::53, 2620:119:35::35
Destination Hostnames: N/A
Ports Required: UDP/53, UDP/443
Comments: UDP Port 443 is used for Encryption of the DNS queries so that DNS cannot be sniffed. If encrypted DNS impacts your ability in region to perform dynamic security inspection and routing (i.e. with Secure Internet Breakout), you may choose to optionally block access to 208.67.222 and 208.67.220.200 on UDP 443 on your internet firewall.

Solution: Cisco Umbrella
Type: Roaming Client
Destination IP addresses: 72.21.91.29, 117.18.237.29, 93.184.220.29, 205.234.175.175
Destination Hostnames: crl3.digicert.com, crl4.digicert.com, ocsp.digicert.com
Ports Required: HTTP/80, HTTPS/443
Comments: These hostnames are part of a CDN and subject to change. The Firewall rule should use the hostname only rather than the static IP address.

Solution: Cisco Umbrella
Type: Roaming Client
Destination IP addresses: 67.215.92.201, 67.215.92.210, 146.112.255.101
Destination Hostnames: api.opendns.com, disthost.opendns.com, disthost.umbrella.com
Ports Required: HTTPS/443
Comments: Use DNS based rules rather than IP where possible.

Solution: Cisco Umbrella
Type: Roaming Client
Destination IP addresses: 146.112.63.0/24
Destination Hostnames: sync.hydra.opendns.com
Ports Required: HTTPS/443
Comments: Use DNS based rules rather than IP where possible.

Solution: Cisco Umbrella
Type: Block pages (not agent specific)
Destination IP addresses: 67.215.64.0/19, 204.194.232.0/21, 208.67.216.0/21, 208.69.32.0/21, 185.60.84.0/22, 146.112.61.0/24, 146.112.128.0/18, 146.112.192.0/18
Destination Hostnames: N/A
Ports Required: HTTP/80, HTTPS/443
Comments: These are the Cisco Umbrella block pages. They must not traverse a proxy server, either explicit or transparent. Details are provided here: https://support.umbrella.com/hc/en-us/articles/230563527-Using-Umbrella-with-an-HTTP-proxy
Solution: CrowdStrike Falcon (US1)
Type: Falcon Cloud
Destination Hostnames: ts01-b.cloudsink.net, ts01-b.csa.cloudsink.net
Ports Required: HTTPS/443
Destination IP addresses:

Solution: CrowdStrike Falcon (US1)
Type: Falcon Cloud
Destination Hostnames: lfodown01-b.cloudsink.net, lfodown01-b.csa.cloudsink.net
Ports Required: HTTPS/443
Destination IP addresses:

Solution: CrowdStrike Falcon (US1)
Type: Falcon Forensics
Destination IP addresses: 54.193.196.61, 52.52.60.244, 54.219.239.208, 54.219.198.50
Destination Hostnames: ffc.us-1.crowdstrike.com, ffcng.us-1.crowdstrike.com
Ports Required: HTTPS/443

Rules for Servers

Solution: Qualys
Type: Cloud Agent
Destination IP addresses: 64.39.96.0/20 (64.39.96.1-64.39.111.254)
Destination Hostnames: qagpublic.qg2.apps.qualys.com
Ports Required: HTTPS/443
Comments: Only required if servers do not have a Proxy server statically configured.

Solution: Cisco Umbrella
Type: Block pages (not agent specific)
Destination IP addresses: 67.215.64.0/19, 204.194.232.0/21, 208.67.216.0/21, 208.69.32.0/21, 185.60.84.0/22, 146.112.61.0/24, 146.112.128.0/18, 146.112.192.0/18
Destination Hostnames: N/A
Ports Required: HTTP/80, HTTPS/443
Comments: These are the Cisco Umbrella block pages. They should not traverse a proxy server, either explicit or transparent. For servers where there is no direct Internet access permitted, these rules can be ignored; however, if a user is browsing websites from a server and their request is blocked, they will not see the Umbrella block page and just see a connection failure instead. Details are provided here: https://support.umbrella.com/hc/en-us/articles/230563527-Using-Umbrella-with-an-HTTP-proxy

Solution: CrowdStrike Falcon (US1)
Type: Falcon Cloud
Destination Hostnames: ts01-b.cloudsink.net
Ports Required: HTTPS/443
Comments: Only required if servers do not have a Proxy server statically configured.
Destination IP addresses:

Solution: CrowdStrike Falcon (US1)
Type: Falcon Cloud
Destination Hostnames: lfodown01-b.cloudsink.net
Ports Required: HTTPS/443
Comments: Only required if servers do not have a Proxy server statically configured.
Destination IP addresses:

Solution: CrowdStrike Falcon (US1)
Type: Falcon Forensics
Destination IP addresses: 54.193.196.61, 52.52.60.244, 54.219.239.208, 54.219.198.50
Destination Hostnames: ffc.us-1.crowdstrike.com, ffcng.us-1.crowdstrike.com
Ports Required: HTTPS/443


Proxy settings
Zscaler ZIA is a Proxy

Any rules which apply to Proxies in this page must also be applied to Zscaler Internet Access (ZIA). All security related communications must not be interfered with by Zscaler.
Laptop devices must not use Proxy servers for any security agents. Due to their roaming nature, all IP connectivity to security service cloud providers must be direct: your perimeter firewalls must be configured appropriately to permit the traffic, and any proxy settings must be configured to bypass the proxy for those services. This ensures that when a laptop is roaming outside a group-managed network it can still communicate with the cloud service rather than attempt to connect to a proxy server it cannot reach.

Setting: SSL Inspection
Requirement: SSL Inspection disabled for all security agent communications
Details:
    *.qualys.com
    crl3.digicert.com
    crl4.digicert.com
    *.opendns.com
    *.umbrella.com
    ts01-b.cloudsink.net
    lfoup01-b.cloudsink.net
    lfodown01-b.cloudsink.net

Setting: Explicit Proxy and DNS resolution
Requirement: All endpoint devices must perform direct DNS resolution, even if the operating system uses an explicit proxy server for web browsing. When using an explicit proxy server, it stops the endpoint from performing DNS lookups, and Cisco Umbrella relies on seeing all DNS lookups directly for policy enforcement. CrowdStrike Falcon is used for DNS lookup correlation and therefore also requires that the settings defined here are enforced.
Details: PAC file content required for Cisco Umbrella:

    function FindProxyForURL(url, host) {
        // Generate the DNS request on the client (returns null if resolution fails;
        // none of the checks below then match and the default rule applies)
        var hostIP = dnsResolve(host);

        // If the requested website is using an Umbrella IP address, return DIRECT
        if (isInNet(hostIP, "67.215.64.0", "255.255.224.0") ||
            isInNet(hostIP, "204.194.232.0", "255.255.248.0") ||
            isInNet(hostIP, "208.67.216.0", "255.255.248.0") ||
            isInNet(hostIP, "208.69.32.0", "255.255.248.0") ||
            isInNet(hostIP, "185.60.84.0", "255.255.252.0") ||
            isInNet(hostIP, "146.112.61.0", "255.255.255.0") ||
            isInNet(hostIP, "146.112.128.0", "255.255.192.0") ||
            isInNet(hostIP, "146.112.192.0", "255.255.192.0")) {
            return "DIRECT";
        }

        // DEFAULT RULE: All other traffic, use the proxies below, in fail-over order.
        return "PROXY <Proxy IP>:<Proxy Port>; PROXY <Proxy IP>:<Proxy Port>";
    }

Comments: This change forces clients to perform their own DNS query before connecting via the Proxy server. Without this setting, clients will not perform DNS and will rely on the Proxy server to perform the DNS lookup on their behalf. This stops Umbrella and CrowdStrike Falcon from seeing the DNS request from the client and being able to apply per-client identification and per-client policies (if defined).

If your OpCo uses explicit proxy servers but does not use Proxy PAC files, you will have to use Group Policies to apply proxy bypass rules in your endpoint devices so that your users always know when Umbrella has blocked access to a website.

Setting: Transparent Proxy bypass
Requirement: Transparent proxies must be bypassed and direct IP connections must be allowed for the security agents.
Details:
    Cisco Umbrella Proxy Bypass
        67.215.64.0/19
        204.194.232.0/21
        208.67.216.0/21
        208.69.32.0/21
        185.60.84.0/22
        146.112.61.0/24
        146.112.128.0/18
        146.112.192.0/18
    CrowdStrike Falcon Proxy Bypass
        As per Firewall rules for laptops
    Qualys Proxy Bypass
        As per Firewall rules for laptops