Requirements for Alert Logic Threat Manager for Amazon Web Services
United States firewall rules for direct customers
Use the following rules to communicate with the US Data Center.
Inbound firewall rules
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| 0.0.0.0/0 | Appliance | TCP | 80 | Appliance claim |
| Agent(s) CIDR- network subnet range for the agent(s) | Appliance | TCP | 443 | Agent updates, agent routing, log collection |
| Agent(s) CIDR- network subnet range for the agent(s) | Appliance | TCP | 7777 | Agent data transport (between agent and appliance on local network) |
| 208.71.209.32/27 | Appliance | TCP | 22 | Optional and temporary- required for troubleshooting during provisioning only |
| 204.110.218.96/27 | Appliance | TCP | 22 | Optional and temporary- required for troubleshooting during provisioning only |
| 204.110.219.96/27 | Appliance | TCP | 22 | Optional and temporary- required for troubleshooting during provisioning only |
Outbound firewall rules
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Appliance | 8.8.4.4 | TCP/UDP | 53 | DNS |
| Appliance | 8.8.8.8 | TCP/UDP | 53 | DNS |
| Appliance | 0.0.0.0/0 | TCP | 80 | Appliance updates |
| Appliance | 204.110.218.96/27 | TCP | 443 | Updates |
| Appliance | 204.110.219.96/27 | TCP | 443 | Updates |
| Appliance | 208.71.209.32/27 | TCP | 443 | Updates |
| Appliance | 208.71.209.32/27 | TCP | 4138 | Event transport |
| Appliance | 204.110.218.96/27 | TCP | 4138 | Event transport |
| Appliance | 204.110.219.96/27 | TCP | 4138 | Event transport |
| Appliance | 204.110.219.96/27 | UDP | 123 | NTP, time sync |
| Appliance | 208.71.209.32/27 | UDP | 123 | NTP, time sync |
You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource, and if that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.
Outbound host rules
| Create a new rule | Port range | Destination |
|---|---|---|
| Custom TCP Rule | 7777 | <Appliances>* |
| Custom TCP Rule | 443 | 204.110.218.96/27 |
| Custom TCP Rule | 443 | 204.110.219.96/27 |
European Union firewall rules for direct customers
Use the following rules to communicate with the EU Data Center.
Inbound firewall rules
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Agent(s) CIDR- network subnet range for the agent(s) | Appliance | TCP | 443 | Agent updates |
| Agent(s) CIDR- network subnet range for the agent(s) | Appliance | TCP | 7777 | Agent data transport (between agent and appliance on local network) |
| 0.0.0.0/0 | Appliance | TCP | 80 | Appliance claim |
| 185.54.124.0/24 | Appliance | TCP | 22 | Optional and temporary- required for troubleshooting during provisioning only |
Outbound firewall rules
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Appliance | 185.54.124.0/24 | TCP | 443 | Updates |
| Appliance | 185.54.124.0/24 | TCP | 4138 | Event transport |
| Appliance | 8.8.8.8 | TCP/UDP | 53 | DNS |
| Appliance | 8.8.4.4 | TCP/UDP | 53 | DNS |
| Appliance | 0.0.0.0/0 | TCP | 80 | Appliance updates |
| Appliance | 185.54.124.0/24 | UDP | 123 | NTP, time sync |
You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource, and if that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.
Outbound host rules
| Create a new rule | Port range | Destination |
|---|---|---|
| Custom TCP Rule | 7777 | <Appliances>* |
| Custom TCP Rule | 443 | 185.54.124.0/24 |
United States firewall rules for marketplace customers
Use the following rules to communicate with the US Data Center.
Default inbound and outbound firewall rules for Threat Manager for AWS
If you select a default security group in the AWS Marketplace, AWS automatically configures the security group with the following inbound firewall rules:
| Source | Connection Method | Protocol | Port Range |
|---|---|---|---|
| 0.0.0.0/0 | DNS | TCP | 53 - 53 |
| 0.0.0.0/0 | HTTP | TCP | 80 - 80 |
| 0.0.0.0/0 | HTTPS | TCP | 443 - 443 |
| 0.0.0.0/0 | HTTPS | TCP | 7777 - 7777 |
| 0.0.0.0/0 | DNS | UDP | 53 - 53 |
Outbound firewall rules for AWS pertain only to VPC customers. By default, the outbound rules open any port to any destination.
The default outbound rules are acceptable, but you can change them to the recommended rules.
Recommended inbound firewall rules for Threat Manager for AWS
The default firewall rules are permissive. If you select the default security group, you can edit the default firewall rules to the Alert Logic recommended settings.
Inbound firewall rules
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| 0.0.0.0/0 | Appliance | TCP | 80 | Appliance claim |
| Agent(s) CIDR- network subnet range for the agent(s) | Appliance | TCP | 443 | Agent updates, agent routing, log collection |
| Agent(s) CIDR- network subnet range for the agent(s) | Appliance | TCP | 7777 | Agent data transport (between agent and appliance on local network) |
| 208.71.209.32/27 | Appliance | TCP | 22 | Optional and temporary- required for troubleshooting during provisioning only |
| 204.110.218.96/27 | Appliance | TCP | 22 | Optional and temporary- required for troubleshooting during provisioning only |
| 204.110.219.96/27 | Appliance | TCP | 22 | Optional and temporary- required for troubleshooting during provisioning only |
Outbound firewall rules
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Appliance | 8.8.4.4 | TCP/UDP | 53 | DNS |
| Appliance | 8.8.8.8 | TCP/UDP | 53 | DNS |
| Appliance | 0.0.0.0/0 | TCP | 80 | Appliance updates |
| Appliance | 204.110.218.96/27 | TCP | 443 | Updates |
| Appliance | 204.110.219.96/27 | TCP | 443 | Updates |
| Appliance | 208.71.209.32/27 | TCP | 443 | Updates |
| Appliance | 208.71.209.32/27 | TCP | 4138 | Event transport |
| Appliance | 204.110.218.96/27 | TCP | 4138 | Event transport |
| Appliance | 204.110.219.96/27 | TCP | 4138 | Event transport |
| Appliance | 204.110.219.96/27 | UDP | 123 | NTP, time sync |
| Appliance | 208.71.209.32/27 | UDP | 123 | NTP, time sync |
Outbound host rules
| Create a new rule | Port range | Destination |
|---|---|---|
| Custom TCP Rule | 7777 | <Appliances>* |
| Custom TCP Rule | 443 | 204.110.218.96/27 |
| Custom TCP Rule | 443 | 204.110.219.96/27 |
European Union firewall rules for marketplace customers
Use the following rules to communicate with the EU Data Center.
Default inbound and outbound firewall rules for Threat Manager for AWS
If you select a default security group in the AWS Marketplace, AWS automatically configures the security group with the following inbound firewall rules:
| Source | Connection Method | Protocol | Port Range |
|---|---|---|---|
| 0.0.0.0/0 | DNS | TCP | 53 - 53 |
| 0.0.0.0/0 | HTTP | TCP | 80 - 80 |
| 0.0.0.0/0 | HTTPS | TCP | 443 - 443 |
| 0.0.0.0/0 | HTTPS | TCP | 7777 - 7777 |
| 0.0.0.0/0 | DNS | UDP | 53 - 53 |
Outbound firewall rules for AWS pertain only to VPC customers. By default, the outbound rules open any port to any destination.
The default outbound rules are acceptable, but you can change them to the recommended rules.
Recommended inbound firewall rules for Threat Manager for AWS
The default firewall rules are permissive. If you select the default security group, you can edit the default firewall rules to the Alert Logic recommended settings.
Inbound firewall rules
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Agent(s) CIDR- network subnet range for the agent(s) | Appliance | TCP | 443 | Agent updates |
| Agent(s) CIDR- network subnet range for the agent(s) | Appliance | TCP | 7777 | Agent data transport (between agent and appliance on local network) |
| 0.0.0.0/0 | Appliance | TCP | 80 | Appliance claim |
| 185.54.124.0/24 | Appliance | TCP | 22 | Optional and temporary- required for troubleshooting during provisioning only |
Outbound firewall rules
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Appliance | 185.54.124.0/24 | TCP | 443 | Updates |
| Appliance | 185.54.124.0/24 | TCP | 4138 | Event transport |
| Appliance | 8.8.8.8 | TCP/UDP | 53 | DNS |
| Appliance | 8.8.4.4 | TCP/UDP | 53 | DNS |
| Appliance | 0.0.0.0/0 | TCP | 80 | Appliance updates |
| Appliance | 185.54.124.0/24 | UDP | 123 | NTP, time sync |
Outbound host rules
| Create a new rule | Port range | Destination |
|---|---|---|
| Custom TCP Rule | 7777 | <Appliances>* |
| Custom TCP Rule | 443 | 185.54.124.0/24 |
Supported AWS regions
Alert Logic supports the following AWS regions for Threat Manager deployments.
| AWS Region Name | Region |
|---|---|
| Africa (Cape Town) | af-south-1 |
| Asia Pacific (Hong Kong) | ap-east-1 |
| Asia Pacific (Tokyo) | ap-northeast-1 |
| Asia Pacific (Seoul) | ap-northeast-2 |
| Asia Pacific (Osaka-Local) | ap-northeast-3 |
| Asia Pacific (Mumbai) | ap-south-1 |
| Asia Pacific (Singapore) | ap-southeast-1 |
| Asia Pacific (Sydney) | ap-southeast-2 |
| Canada (Central) | ca-central-1 |
| Europe (Frankfurt) | eu-central-1 |
| Europe (Stockholm) | eu-north-1 |
| Europe (Milan) | eu-south-1 |
| Europe (Ireland) | eu-west-1 |
| Europe (London) | eu-west-2 |
| Europe (Paris) | eu-west-3 |
| Middle East (Bahrain) | me-south-1 |
| South America (São Paulo) | sa-east-1 |
| US East (N. Virginia) | us-east-1 |
| US East (Ohio) | us-east-2 |
| US West (N. California) | us-west-1 |
| US West (Oregon) | us-west-2 |
Virtual appliance types in AWS
Review the following approved virtual appliance types. In the AWS marketplace, you should select the appropriate image based on the anticipated network throughput sent to the appliance, and whether you plan to enable vulnerability scanning.
| Supported Amazon instance names | Supported bandwidth throughput without vulnerability scanning | Supported bandwidth throughput with vulnerability scanning |
|---|---|---|
|
Compute Optimized Large (c3.large) |
300 Mbps | This instance does not support scanning. |
|
Compute Optimized XL (c3.xlarge) |
715 Mbps | 357 Mbps |
|
Compute Optimized 2XL (c3.2xlarge) |
2 Gbps | 1660 Mbps |
|
Compute Optimized Large (c4.large) |
280 Mbps | This instance does not support scanning. |
|
Compute Optimized XL (c4.xlarge) |
850 Mbps | 550 Mbps |
|
Compute Optimized 2XL (c4.2xlarge) |
1500 Mbps | 1100 Mbps |
|
Compute Optimized Large (c5.large) |
320 Mbps | 305 Mbps |
|
Compute Optimized XL (c5.xlarge) |
1000 Mbps | 640 Mbps |
|
Compute Optimized 2XL (c5.2xlarge) |
1733 Mbps | 1780 Mbps |
Virtual appliance
The following table describes the basic system requirements to install a Threat Manager virtual appliance:
| Components | System Requirements |
|---|---|
| CPU | 4 virtual CPUs |
| RAM | 8 GB |
| Disk space | 40 GB minimum |
| Supported virtual environment | VMware only |
| Log collection support | N/A |
| Encryption | TLS Standard (SSL): 1024–2048bit key encryption, 256bit AES bulk encryption |
This is the recommended basic configuration for the Threat Manager product when deployed on a virtual appliance. Bandwidth volume directly impacts the ability of the appliance to inspect traffic. Therefore, high traffic environments may require a virtual machine with additional processor and memory resources.
If you want to run scans, consider 8 virtual CPUs (cores) and 16 GB of memory.
Alert Logic agent
The following table describes the basic requirements to install the agent:
| Components | System requirements |
|---|---|
| Operating systems | For Windows users:
For Linux users: Debian (.deb)
Ubuntu (.deb)
CentOS (.rpm)
Red Hat Enterprise Linux (.rpm)
SUSE
Amazon Linux The Alert Logic agent can be used in AWS Workspaces in conjunction with a supported operating system. |
| Memory | 96 MB of available memory |
| Disk space for agent | 30 MB of available disk space |
| Disk space for local cache | 500 MB of available disk space |
| Packet access | WinPcap 4.1.2 |
| CPU Utilization | 1-10% depending on log volume |
| RAM | 15 MB minimum |
| Disk space | 30 MB minimum |
| Log collection support | Windows, Flat File |
| Supported environments | Agent-only deployments with virtual and physical appliances, VPC, and Public Clouds |
| Encryption | TLS Standard (SSL): 2048-bit key encryption, 256-bit AES bulk encryption |
| Log collection frequency | At minimum, every five minutes logs are collected and sent to Alert Logic Cloud |
| Host permissions | LocalSystem account has all the necessary permissions by default |
The agent requires DNS access to communicate with the Alert Logic server.
Operating system and browser support
The Alert Logic console supports the current version and the previous major version of the following operating systems and browsers:
| Operating system support | Browser support |
|---|---|
| Mac, Linux, and Windows | Chrome, Safari, Firefox, Opera, and Internet Explorer |
Alert Logic cannot guarantee that other browsers and versions will work with its products.
Related topics
