Are there network requirements for the CrowdStrike sensor to work?
Yes, depending on your network environment, you may need to allow ("whitelist") TLS (1.0 or later) traffic between your network and CrowdStrike cloud's network addresses. You can find your CrowdStrike cloud’s IP addresses by clicking Support > Documentation > Cloud IP Addresses in your Falcon console.
Please be sure that these addresses are authorized at network egress points and that traffic is not subject to manipulation or TLS interception:
- To access this information you must have Falcon portal login credentials
- US1 Cloud IP Addresses
- US2 Cloud IP Addresses
How is sensor-to-server communication protected?
The Falcon sensor uses certificate pinning to defend against man-in-the-middle (MitM) attacks. Some network configurations, such as deep packet inspection, interfere with certificate validation.
To prevent interference with certificate validation, disable deep packet inspection (also called "HTTPS interception," "TLS interception," or "SSL inspection") or similar network configurations. Other common sources of interference with certificate pinning include antivirus systems, firewalls, or proxies.
Can CrowdStrike be used with another third-party antivirus solution?
No, CrowdStrike Falcon only works with Windows Defender. If you’re using a different third-party antivirus solution, we recommend you disable the Quarantine & Security Center Registration setting within the prevention policy when installing a sensor. To do so, please go to Configuration > Prevention Policies, pick the affected policy and ensure Quarantine & Security Center Registration is disabled. When you’re ready to remove your third-party antivirus, you can enable Quarantine & Security Center Registration.