Requirements for Alert Logic Managed Web Application Firewall (WAF) for SoftLayer
United States firewall rules
Use the following rules to communicate with the US Data Center.
Appliance inbound
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
204.110.218.96/27 | Appliance | TCP | 2222 | Secure Shell (AWS Autoscaling Only) |
204.110.219.96/27 | Appliance | TCP | 2222 | Secure Shell (AWS Autoscaling Only) |
208.71.209.32/27 | Appliance | TCP | 2222 | Secure Shell (AWS Autoscaling Only) |
204.110.218.96/27 | Appliance | TCP | 4849 | Appliance user interface |
204.110.219.96/27 | Appliance | TCP | 4849 | Appliance user interface |
208.71.209.32/27 | Appliance | TCP | 4849 | Appliance user interface |
204.110.218.96/27 | Appliance | TCP | 22 | Optional and temporary; required for troubleshooting during provisioning only |
204.110.219.96/27 | Appliance | TCP | 22 | Optional and temporary; required for troubleshooting during provisioning only |
208.71.209.32/27 | Appliance | TCP | 22 | Optional and temporary; required for troubleshooting during provisioning only |
Appliance outbound
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
Appliance | 204.110.218.96/27 | TCP | 443 | Data transport |
Appliance | 204.110.219.96/27 | TCP | 443 | Data transport |
Appliance | 204.110.218.96/27 | UDP | 123 | NTP (OpenBSD and CentOS only) |
Appliance | 204.110.219.96/27 | UDP | 123 | NTP (OpenBSD and CentOS only) |
Appliance | 0.0.0.0/0 | TCP | 443 | AWS S3 (AWS only) |
Appliance | 8.8.8.8 | TCP/UDP | 53 | DNS |
Appliance | 8.8.4.4 | TCP/UDP | 53 | DNS |
European Union firewall rules
Use the following rules to communicate with the EU Data Center.
Appliance inbound
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
185.54.124.0/24 | Appliance | TCP | 4849 | Appliance user interface |
185.54.124.0/24 | Appliance | TCP | 2222 | Secure Shell (AWS Autoscaling Only) |
185.54.124.0/24 | Appliance | TCP | 22 | Optional and temporary; required for troubleshooting during provisioning only |
Appliance outbound
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
Appliance | 185.54.124.0/24 | UDP | 123 | NTP (OpenBSD only) |
Appliance | 0.0.0.0/0 | TCP | 443 | S3 access (optional for non-AWS) |
Appliance | 185.54.124.0/24 | TCP | 443 | Data transport/software updates |
Appliance | DNS Servers | TCP/UDP | 53 | DNS |
Cloud server size recommendations
Managed WAF runs on select compute instance types in the Rackspace Public Cloud. Review the table below for more information.
Instance type | Cores | Memory (GB) | WAF performance |
---|---|---|---|
General purpose | 2 | 2 | ~ 73 Mbps |
General purpose | 4 | 4 | ~ 149 Mbps |
General purpose | 8 | 8 | ~ 271 Mbps |
Input / Output (I / O) | 16 | 60 | ~ 467 Mbps |
Port settings
Typically, you do not need to set up ports or create ACL entries for Managed WAF in the Rackspace Public Cloud environment. However, the appliances and agents must be installed in the same region.
If you use RackConnect or a hybrid configuration with host firewall rules, you must open specific inbound and outbound ports for communication with Alert Logic.
In addition to the Alert Logic communication ports, you also need to open ports 80 and 443 for HTTP and HTTPS communication from Managed WAF to any protected web servers located in a different data center (or region).
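The following is an added example, not Alert Logic tooling: it transcribes the US and EU rule tables above, together with the port 80/443 rule for protected web servers from this section, into data; checks whether a given flow is covered for a given deployment (AWS, CentOS, the provisioning window); and renders the applicable rows as iptables commands with a default-deny policy. The EU DNS resolver and protected-server ranges are not stated on the page and appear as labelled placeholders.

```python
"""Evaluate flows against the Managed WAF firewall rule tables.

Added example for this page (not Alert Logic tooling): the address ranges,
ports and caveats are transcribed from the US and EU tables and from the
Port settings note on protected web servers; matching and iptables output
are illustrative. Values marked PLACEHOLDER are not given on the page.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str                 # "in": remote -> appliance, "out": appliance -> remote
    remote: str                    # CIDR of the non-appliance endpoint
    proto: str                     # "tcp", "udp" or "tcp/udp"
    port: int
    only: frozenset = frozenset()  # deployment tags, any of which makes the rule apply
    note: str = ""


def build_rules(mgmt_nets, transport_nets, ntp_tags, s3_tags, dns_nets, protected_nets=()):
    """Assemble one region's table; both regions share the same shape."""
    rules = []
    for net in mgmt_nets:
        rules += [
            Rule("in", net, "tcp", 2222, frozenset({"aws-autoscaling"}), "Secure Shell"),
            Rule("in", net, "tcp", 4849, note="Appliance user interface"),
            Rule("in", net, "tcp", 22, frozenset({"provisioning"}), "Temporary troubleshooting"),
        ]
    for net in transport_nets:
        rules += [
            Rule("out", net, "tcp", 443, note="Data transport / software updates"),
            Rule("out", net, "udp", 123, ntp_tags, "NTP"),
        ]
    rules.append(Rule("out", "0.0.0.0/0", "tcp", 443, s3_tags, "S3 access"))
    rules += [Rule("out", net, "tcp/udp", 53, note="DNS") for net in dns_nets]
    # Port settings: HTTP/HTTPS from the WAF to protected web servers in another region
    for net in protected_nets:
        rules += [Rule("out", net, "tcp", p, note="Protected web server") for p in (80, 443)]
    return rules


US_MGMT = ("204.110.218.96/27", "204.110.219.96/27", "208.71.209.32/27")
US_RULES = build_rules(
    US_MGMT, US_MGMT[:2],                  # transport/NTP rows list only the first two ranges
    frozenset({"openbsd", "centos"}), frozenset({"aws"}),
    ("8.8.8.8/32", "8.8.4.4/32"),
)
EU_NET = ("185.54.124.0/24",)
EU_RULES = build_rules(
    EU_NET, EU_NET, frozenset({"openbsd"}), frozenset({"s3"}),
    ("192.0.2.53/32",),                    # PLACEHOLDER: your resolvers; the page says only "DNS Servers"
    protected_nets=("203.0.113.0/24",),    # PLACEHOLDER: protected web servers in another region
)


def match(rules, direction, remote_ip, proto, port, env=frozenset()):
    """Return the first rule permitting the flow, or None. `env` holds tags
    describing the deployment ("aws", "centos", "provisioning", ...)."""
    ip = ipaddress.ip_address(remote_ip)
    for r in rules:
        if r.direction != direction or r.port != port or r.proto not in (proto, "tcp/udp"):
            continue
        if r.only and not (r.only & env):
            continue
        if ip in ipaddress.ip_network(r.remote):
            return r
    return None


def iptables_commands(rules, env=frozenset()):
    """Render the rows applicable to `env` as iptables commands behind a
    default-deny policy (illustrative; adapt chain names to your host)."""
    cmds = ["iptables -P INPUT DROP", "iptables -P OUTPUT DROP",
            "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
            "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        if r.only and not (r.only & env):
            continue
        chain, side = ("INPUT", "-s") if r.direction == "in" else ("OUTPUT", "-d")
        for p in (("tcp", "udp") if r.proto == "tcp/udp" else (r.proto,)):
            cmds.append(f"iptables -A {chain} {side} {r.remote} -p {p} --dport {r.port} -j ACCEPT  # {r.note}")
    return cmds


if __name__ == "__main__":
    print("\n".join(iptables_commands(US_RULES, frozenset({"centos"}))))
```

Because the S3 row is `0.0.0.0/0` on TCP 443, enabling the `aws` tag makes every outbound HTTPS destination pass the check; on a SoftLayer or other non-AWS deployment, leave that tag out so only the data-transport ranges are permitted.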
Regions
A region is a logical data center (one or more physical data centers) that features a low latency, high bandwidth interconnecting network. Regions are designated by the nearest airport code, such as DFW, IAD, ORD, LON, HKG, and SYD.
Location considerations
Appliances and agents must be located in the same region. Only cloud servers and services that are part of the same region can access each other. Services outside the region have no way to identify or connect to services hosted in other regions, unless specific ports are opened for external Internet sources.
Cloud servers should be created in the same region as the protected host.
Installation considerations
Image sharing can only occur within the same region. For example, you cannot share an image in the ORD region for later use in the SYD region. If your image is in IAD, and you share this image with another user, that user will only be able to build servers from the image in the IAD region. For installation purposes, Alert Logic maintains a virtual appliance image in each region.
For more information, see Rackspace Public Cloud image FAQ.
HTTPS support
To support multiple HTTPS websites on one instance, the Server Name Indication (SNI) option must be used. You can also use a wildcard certificate that covers all websites. Some older, unsupported browsers, such as Internet Explorer on Windows XP, do not support SNI.
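As an added example (not Alert Logic code), the parser below pulls the host name out of the SNI extension of a TLS ClientHello and tallies the clients that omit it, which is what the older browsers mentioned above do and why they receive the instance's default certificate rather than the site's own. The ClientHello builder exists only to produce constructed input; the cipher suite and random bytes it uses are fixed test values.

```python
"""Inspect TLS ClientHellos for the Server Name Indication extension.

Added example for this page, not Alert Logic code: on a multi-site HTTPS
instance a client that sends no SNI gets the default certificate, so being
able to tell which clients omit it explains certificate-mismatch reports.
The ClientHello builder only exists to produce constructed test input.
"""
import struct

SNI_EXTENSION = 0x0000
HOST_NAME = 0


def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.2 ClientHello record; with server_name=None the
    extensions block is omitted entirely, as a pre-SNI client would send it."""
    body = b"\x03\x03" + b"\x11" * 32                  # client_version + fixed random (test only)
    body += b"\x00"                                     # empty session_id
    body += b"\x00\x02\xc0\x2f"                         # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                                 # compression methods: null only
    if server_name is not None:
        name = server_name.encode("idna")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry     # ServerNameList
        ext = struct.pack("!HH", SNI_EXTENSION, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the SNI extension of a ClientHello record,
    None when the client sent no SNI; raise ValueError on malformed input."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                    # skip client_version and random
        pos += 1 + body[pos]                            # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                            # compression_methods
        if pos == len(body):
            return None                                 # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type != SNI_EXTENSION:
                continue
            p = 2                                       # skip ServerNameList length
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == HOST_NAME:
                    return data[p:p + name_len].decode("idna")
                p += name_len
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def sni_summary(records):
    """Tally a batch of ClientHello records as (with SNI, without SNI, malformed)."""
    with_sni = without = bad = 0
    for rec in records:
        try:
            name = extract_sni(rec)
        except ValueError:
            bad += 1
            continue
        if name is None:
            without += 1
        else:
            with_sni += 1
    return with_sni, without, bad
```

Feed `sni_summary` the ClientHello records from a capture taken in front of the appliance; a non-zero "without SNI" count identifies the client population that will see the default certificate, which is the case a wildcard certificate covering all sites avoids.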
VMware virtual appliance
The following table describes the basic system requirements to install a VMware virtual appliance:
Components | System Requirements |
---|---|
CPU | 2 CPUs 64 bit |
RAM | 4 GB |
Disk space | 250 GB |
Virtual network interface(s) | An interface with an external IP address for management; an interface with access to the web servers to be protected |
Encryption / Decryption for SSL traffic | AES-NI CPU instruction set for encryption/decryption of SSL traffic on VMs and host OS is recommended |
Clustering | For clustering to work, make sure promiscuous mode, forged transmits, and MAC address changes are allowed on the VMware virtual switch (vSwitch) or the port group in the VMware ESX network configuration |
Physical appliance
The following table describes the basic system requirements to install a physical appliance:
Components | System Requirements |
---|---|
Equipment | 100–250 Mbit |
CPU | Intel Xeon E3 4 cores |
RAM | 8 GB |
Disk | 500 GB |
Chassis | 1U rack mounted |
Power | 250W |
Log collection support | N/A |
Encryption | TLS Standard (SSL): 1024–2048-bit key encryption, 256-bit AES bulk encryption |
Operating systems and browser support
The Alert Logic console supports the current version and the previous major version of the following operating systems and browsers:
Operating system support | Browser support |
---|---|
Mac, Linux, and Windows | Chrome, Safari, Firefox, Opera, and Internet Explorer |
Alert Logic cannot guarantee that other browsers and versions will work with our product.