Requirements for Alert Logic Threat Manager for SoftLayer
United States firewall rules
Use the following rules to communicate with the US Data Center.
Appliance inbound
Appliance outbound
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
Appliance | 8.8.4.4 | TCP/UDP | 53 | DNS |
Appliance | 8.8.8.8 | TCP/UDP | 53 | DNS |
Appliance | 0.0.0.0/0 | TCP | 80 | Appliance updates |
Appliance | 204.110.218.96/27 | TCP | 443 | Updates |
Appliance | 204.110.219.96/27 | TCP | 443 | Updates |
Appliance | 208.71.209.32/27 | TCP | 443 | Updates |
Appliance | 208.71.209.32/27 | TCP | 4138 | Event transport |
Appliance | 204.110.218.96/27 | TCP | 4138 | Event transport |
Appliance | 204.110.219.96/27 | TCP | 4138 | Event transport |
Appliance | 204.110.219.96/27 | UDP | 123 | NTP, time sync |
Appliance | 208.71.209.32/27 | UDP | 123 | NTP, time sync |
Agent outbound
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
Protected host | 208.71.209.32/27 | TCP | 443 | Agent updates (direct) |
Protected host | 204.110.218.96/27 | TCP | 443 | Agent updates (direct) |
Protected host | 204.110.219.96/27 | TCP | 443 | Agent updates (direct) |
Protected host | Appliance | TCP | 443 | Agent updates (single point egress) |
Protected host | Appliance | TCP | 7777 | Agent data transport (between agent and appliance on local network) |
European Union firewall rules
Use the following rules to communicate with the EU Data Center.
Appliance inbound
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
Agent(s) CIDR (network subnet range for the agent(s)) | Appliance | TCP | 443 | Agent updates |
Agent(s) CIDR (network subnet range for the agent(s)) | Appliance | TCP | 7777 | Agent data transport (between agent and appliance on local network) |
0.0.0.0/0 | Appliance | TCP | 80 | Appliance claim |
185.54.124.0/24 | Appliance | TCP | 4849 | Appliance user interface (Web Security Manager) |
185.54.124.0/24 | Appliance | TCP | 22 | Optional and temporary; required for troubleshooting during provisioning only |
Appliance outbound
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
Appliance | 185.54.124.0/24 | TCP | 443 | Updates |
Appliance | 185.54.124.0/24 | TCP | 4138 | Event transport |
Appliance | 8.8.8.8 | TCP/UDP | 53 | DNS |
Appliance | 8.8.4.4 | TCP/UDP | 53 | DNS |
Appliance | 0.0.0.0/0 | TCP | 80 | Appliance updates |
Appliance | 185.54.124.0/24 | UDP | 123 | NTP, time sync |
Agent outbound
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
Protected host | Appliance | TCP | 7777 | Agent data transport (between agent and appliance on local network) |
Protected host | 185.54.124.0/24 | TCP | 443 | Agent updates (direct) |
Protected host | Appliance | TCP | 443 | Agent updates (single point egress) |
Cloud server size recommendations
Threat Manager runs on select compute instance types in the SoftLayer public cloud. Review the table below for more information:
Instance type | Cores | Memory (GB) | Throughput - no scanning | Throughput - scanning enabled |
---|---|---|---|---|
1x2.0 GHz | 1 | 1 | 30 Mbps | Supported; however, this may result in degraded threat detection while scans are in progress. |
2x2.0 GHz cores | 2 | 2 | 150 Mbps | Supported; however, this may result in degraded threat detection while scans are in progress. |
4x2.0 GHz cores | 4 | 15 | 300 Mbps | 150 Mbps |
8x2.0 GHz cores | 8 | 8 | 1 Gbps | 825 Mbps |
Ports settings
Unless you have a firewall in front of the environment, you do not need to set up ports or create ACL entries for Threat Manager in the SoftLayer environment. Review the United States firewall rules.
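The following is an added example, not Alert Logic's code: for the case where a firewall does sit in front of the environment, it checks an egress allow-list against the US appliance outbound rows listed on this page and returns the required flows that are not covered. The function names and `SAMPLE_ACL` are constructed for illustration.

```python
import ipaddress

# Required flows, copied from the US "Appliance outbound" table on this page.
US_APPLIANCE_OUTBOUND = """
Appliance | 8.8.4.4 | TCP/UDP | 53 | DNS |
Appliance | 8.8.8.8 | TCP/UDP | 53 | DNS |
Appliance | 0.0.0.0/0 | TCP | 80 | Appliance updates |
Appliance | 204.110.218.96/27 | TCP | 443 | Updates |
Appliance | 204.110.219.96/27 | TCP | 443 | Updates |
Appliance | 208.71.209.32/27 | TCP | 443 | Updates |
Appliance | 208.71.209.32/27 | TCP | 4138 | Event transport |
Appliance | 204.110.218.96/27 | TCP | 4138 | Event transport |
Appliance | 204.110.219.96/27 | TCP | 4138 | Event transport |
Appliance | 204.110.219.96/27 | UDP | 123 | NTP, time sync |
Appliance | 208.71.209.32/27 | UDP | 123 | NTP, time sync |
"""

def parse_required(table):
    """Turn pipe-table rows into (network, proto, port, description) flows."""
    flows = []
    for row in table.strip().splitlines():
        _src, dst, protos, port, desc = [c.strip() for c in row.split("|")[:5]]
        for proto in protos.split("/"):  # "TCP/UDP" requires both protocols
            flows.append((ipaddress.ip_network(dst), proto, int(port), desc))
    return flows

def missing_flows(required, acl):
    """Return required flows that no (cidr, proto, first_port, last_port) entry covers."""
    gaps = []
    for net, proto, port, desc in required:
        # Covered only if the whole destination range sits inside one allowed CIDR.
        if not any(proto == p and lo <= port <= hi
                   and net.subnet_of(ipaddress.ip_network(cidr))
                   for cidr, p, lo, hi in acl):
            gaps.append((str(net), proto, port, desc))
    return gaps

# Constructed egress allow-list for illustration; not from the page.
SAMPLE_ACL = [
    ("0.0.0.0/0", "TCP", 80, 80),
    ("0.0.0.0/0", "UDP", 53, 53),               # DNS over TCP is not allowed here
    ("204.110.218.0/23", "TCP", 443, 443),      # one /23 covers both 204.110.x /27s
    ("204.110.218.0/23", "TCP", 4138, 4138),
    ("208.71.209.32/27", "TCP", 443, 443),
    ("208.71.209.32/28", "TCP", 4138, 4138),    # too narrow: only half of the /27
    ("208.71.209.32/27", "UDP", 123, 123),
]
if __name__ == "__main__":
    print(missing_flows(parse_required(US_APPLIANCE_OUTBOUND), SAMPLE_ACL))
```

The same check applies to the EU tables by swapping in their rows; a partially overlapping CIDR is reported as a gap because part of the required range would still be blocked.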
Regions
A region is a logical data center (one or more physical data centers) that features a low latency, high bandwidth interconnecting network. Regions are designated by the nearest airport code, such as DFW, IAD, ORD, LON, HKG, and SYD.
Location considerations
Appliances and agents must be located in the same region. Only cloud servers and services that are part of the same region can access each other. Services outside the region have no way to identify or connect to services hosted in other regions, unless specific ports are opened for external Internet sources.
If you have cloud servers in multiple regions, create an appliance and agent in each region.
Installation considerations
Image sharing can only occur within the same region. For example, you cannot share an image in the ORD region for later use in the SYD region. If your image is in IAD, and you share this image with another user, that user will only be able to build servers from the image in the IAD region. For installation purposes, Alert Logic maintains a virtual appliance image in each region.
For more information, see SoftLayer Image Templates.
Virtual appliance
The following table describes the basic system requirements to install a Threat Manager virtual appliance:
Components | System Requirements |
---|---|
CPU | 4 virtual CPUs |
RAM | 8 GB |
Disk space | 40 GB minimum |
Supported virtual environment | VMware only |
Log collection support | N/A |
Encryption | TLS Standard (SSL): 1024–2048-bit key encryption, 256-bit AES bulk encryption |
This is the recommended basic configuration for the Threat Manager product when deployed on a virtual appliance. Bandwidth volume directly impacts the ability of the appliance to inspect traffic. Therefore, high traffic environments may require a virtual machine with additional processor and memory resources.
If you want to run scans, consider 8 virtual CPUs (cores) and 16 GB of memory.
Alert Logic agent
The following table describes the basic requirements to install the agent:
Components | System requirements |
---|---|
Operating systems | For Windows users: <br>For Linux users: Debian (.deb), Ubuntu (.deb), CentOS (.rpm), Red Hat Enterprise Linux (.rpm), SUSE, Amazon Linux<br>The Alert Logic agent can be used in AWS Workspaces in conjunction with a supported operating system. |
Memory | 96 MB of available memory |
Disk space for agent | 30 MB of available disk space |
Disk space for local cache | 500 MB of available disk space |
Packet access | WinPcap 4.1.2 |
CPU Utilization | 1-10% depending on log volume |
RAM | 15 MB minimum |
Disk space | 30 MB minimum |
Log collection support | Windows, Flat File |
Supported environments | Agent-only deployments with virtual and physical appliances, VPC, and Public Clouds |
Encryption | TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption |
Log collection frequency | At minimum, every five minutes logs are collected and sent to Alert Logic Cloud |
Host permissions | LocalSystem account has all the necessary permissions by default |
The agent requires DNS access to communicate with the Alert Logic server.
Operating systems and browser support
The Alert Logic console supports the current version and the previous major version of the following operating systems and browsers:
Operating system support | Browser support |
---|---|
Mac, Linux, and Windows | Chrome, Safari, Firefox, Opera, and Internet Explorer |
Alert Logic cannot guarantee that other browsers and versions will work with our product.