Skip to main content
Red Canary help

Networking / Firewall Requirements

  • Updated .

Enterprise Networking Requirements

Available in sensor version 1.2.4+

All Linux EDR instances have Enterprise Networking enabled by default, which can be used to connect to a specific subset of addresses. This allows you to connect to a single Red Canary domain, https://cwp-ingest.redcanary.io, for delivery of all telemetry and health and error reporting. This is available in any paid Linux EDR account.

Configuration

Add the following keys to /opt/redcanary/config.json. Both are required for enabling enterprise networking. These values are available in Red Canary under Endpoints > Deploy Sensors.

  • outpost_auth_token
  • offload_target

Sample config.json

{
   "access_token":"xxxxxxxxxxxxxx",
   "subscription_plan":"Managed",
   "outpost_auth_token":"xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxx",
   "offload_target":"Outpost"
}

Migrating from Standard to Enterprise Networking

If you already use Red Canary Linux EDR without Enterprise Networking, you can migrate to it by adding the outpost_auth_token and offload_target to your config.json file, and restarting the service. You must be on sensor version 1.2.4 or above to use Enterprise Networking.

Sample config.json

{
   "access_token":"xxxxxxxxxxxxxx",
   "subscription_plan":"Managed",
   "outpost_auth_token":"xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxx",
   "offload_target":"Outpost"
}

Restart Service

Once the new configuration is saved, restart the service for enterprise networking to take effect.

systemctl restart cfsvcd

Allow-list Domain

Please allow-list https://cwp-ingest.redcanary.io.

Verification

If there are any issues, check the sensor log file for errors relating to Outpost and reach out for support if needed.  

Log File

/opt/redcanary/cf_system_log.csv

Standard Networking Requirements

Red Canary also supports standard networking if you choose not to use enterprise networking for any reason or have a sensor version older than 1.2.4. Your firewall needs to be set to allow the following:

Outbound network connectivity
  • s3-us-east-2.amazonaws.com (tcp/443) 
  • 35.188.42.15 (tcp/443) (sentry.io)
  • 34.120.195.249 (tcp/443) (o1.ingest.sentry.io)

You will also need to remove the offload_target and outpost_auth_token from your config.json file:

{
   "access_token":"xxxxxxxxxxxxxx",
   "subscription_plan":"Managed"
}

Use Proxy Support

  • Set the HTTPS_PROXY or HTTP_PROXY environment variables
  • Or, add the following to config.json: "http_proxy": "https://HOST:PORT"

Proxy Configuration

Note: This feature is available in v0.4.8+

The agent supports the use of an HTTP Connect proxy. This can be configured through the config.json file.

Precedence

The agent utilizes the following precedence order when determining what proxy settings to utilize, if any at all.

  1. config.json's http_proxy field
  2. config.json's env_http_proxy_disabled field
  3. HTTPS_PROXY & HTTP_PROXY environment variables

Configuration

Define proxy settings via config.json:

"http_proxy": "https://HOST:PORT",

This overrides any proxy settings configured via the HTTPS_PROXY or HTTP_PROXY environment variables on the endpoint. Ensure `config.json` is valid JSON. (The comma at the end may not be needed).

To opt out of the use of proxy settings already defined via endpoint environment variables HTTPS_PROXY and/or HTTP_PROXY

"env_http_proxy_disabled": true,

The default value for this is false. When configured as false, this means the agent will utilize the HTTPS_PROXY or HTTP_PROXY environment variable for proxy settings, if set. Ensure `config.json` is valid JSON. (The comma at the end may not be needed).

 

Comments

0 comments

Please sign in to leave a comment.