Solved

perimiter firewall access list

  • 2 April 2013
  • 6 replies
  • 127 views

We are configuring our perimiter firewall with a default deny/all for outbound traffic.  What ports & destinations do I need to allow for Webroot to communicate back to the cloud service?
icon

Best answer by JimM 5 April 2013, 00:05

View original

6 replies

Userlevel 7
Hi apowell,

I see this is your first post. Welcome to the Community!

As long as your firewall supports allowing path masks, you can whitelist the following URLs to accomplish your goal:

*.webrootcloudav.com
(this will cover the g-url’s as well as several other target addresses)

*.*.webrootcloudav.com
(some devices don’t like a single * for urls that contain dots in the value of *

*.p4.webrootcloudav.com
(in case a device doesn’t like multiple *’s)

*.compute.amazonaws.com
(this will cover inbound communication from the Amazon cloud servers)

*.webroot.com
(for future communications)

*.webrootanywhere.com
(for future communications)

I hope this helps. Unfortunately we cannot provide IP addresses for security reasons.
Userlevel 3
What if it's impossible to configure it on my router like that and I need IP addresses or A Record? Is there any other way?
Userlevel 7
Any good modern router should allow for whitelisting of path masks, especially in an enterprise environment. While, as I mentioned, we cannot provide the IP addresses for security reasons, an additional reason is that the IP addresses change far too often to effectively keep track of the whitelisting that would need to be done on an ongoing basis. The changing of the IP addresses is both a technical benefit on some levels and a limitation on the level you're referring to. The ultimate solution is to invest in a better router since path mask whitelisting is ubiquitous in most enterprise router systems.
I know this is an older post, but it is still relevant to me.
 
I have a couple of servers that I am cutting off ALL traffic to/from, however I want to allow traffic from specific sources like Webroot so that the A/V can get updated.
 
Are the addresses in this post still relevant or have they changed? 
  
thanks in advance!
 
Tim
Userlevel 7
Badge +35
Please see our response here. Thanks!
Userlevel 6
Badge +26
These above are a little dated. We currently communicate the following URLs for firewall allowance.

*.webrootcloudav.com
Agent communication and updates
(Please note: Some firewalls do not support double dotted subdomain names with a single wildcard mask (i.e. g1.p4.webrootcloudav.com being represented by *.webrootcloudav.com) so some environments might require either *.p4.webrootcloudav.com or *.*.webrootcloudav.com)

*.webroot.com
Agent messaging

https://wrskynet.s3.amazonaws.com/*
https://wrskynet-eu.s3-eu-west-1.amazonaws.com/*
https://wrskynet-oregon.s3-us-west-2.amazonaws.com/*
Agent file downloading and uploading

*.webrootanywhere.com
Management portal and support ticket logs upload


WSAWebFilteringPortal.elasticbeanstalk.com
Web Threat Shield

Reply