# Firewall requirements

## Firewall Requirements Sections

[Important Notes](#important-notes)\
This section covers Respond UX vs Quadrant UX applicability. It also covers SSL inspection, internet/air-gap requirements, and remote support IP range conflicts.

[Vectra Cloud Connectivity](#vectra-cloud-connectivity)\
This section covers connectivity to Vectra services hosted in Vectra’s cloud. It is mainly for Respond UX deployments. The [Auth Gateways](#auth-gateways) section also applies to Quadrant UX deployments of CDR for M365, IDR for Azure AD, and CDR for AWS.

[Appliance Connectivity](#appliance-connectivity)\
This section covers connectivity required for Vectra appliances (physical or virtual). It applies to both RUX for Network and Quadrant UX deployments. This section also contains additional details regarding connectivity from Vectra appliances to the Vectra cloud.

## Important Notes

### Respond UX vs Quadrant UX Applicability

The Respond User Experience (Respond UX or RUX) and the Quadrant User Experience (Quadrant UX or QUX) are two different analyst user experiences that Vectra offers. It is important to differentiate between the two UXs when looking at requirements for firewall (FW) rules: some FW rules apply only to deployments using the Respond UX and some apply only to deployments using the Quadrant UX. For additional information, please see Vectra Analyst User Experiences (Respond vs Quadrant).

The Respond UX is delivered from Vectra's cloud as part of the overall Vectra AI Platform and can be used without traditional Brain and Sensor appliances when only non-network data sources are used. RUX for Network deployments (network Sensors used with the Respond UX) still require a Brain appliance to be installed in the customer environment (in an IaaS cloud, a physical data center, etc.). Sensors are deployed and paired with that Brain to capture network traffic for analysis.

Requirements listed below that apply only to RUX for Network deployments or only to QUX deployments will be labeled as such.

### Firewall/Proxy SSL Inspection

Please note that Vectra appliances validate SSL/TLS certificates for all HTTPS connections. For this reason, SSL/TLS inspection on firewall and proxy appliances must be disabled for these connections, or they will fail.

We have also identified that some firewall software transparently enables SSL inspection when certain filters (such as DNS hostname filtering) are enabled. This is not necessarily obvious to the administrator and should be investigated if connectivity issues are observed.
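A quick way to confirm whether an inspecting device sits on the path is to connect to the Vectra Cloud endpoints the same way the appliance does: full chain and hostname verification against the local trust store. The script below is an added example (not Vectra tooling) that does exactly that for two endpoints taken from the appliance connectivity tables later on this page and translates OpenSSL's failure text into a likely cause. It assumes it is run from a host on the Brain's management network so it traverses the same firewall/proxy path; the diagnosis wording is the example's own.

```python
"""TLS pre-flight check for outbound HTTPS destinations.

Vectra appliances validate the server certificate on every HTTPS connection,
so a firewall or proxy that performs SSL/TLS inspection (re-signing the server
certificate with its own CA) breaks connectivity.  This script opens a
TCP/443 connection with full chain and hostname verification, as the
appliance would, and turns a verification failure into a plain-language
diagnosis.  Added example, not Vectra tooling.
"""
import socket
import ssl
from dataclasses import dataclass

# Destinations taken from the appliance connectivity tables on this page.
ENDPOINTS = ["update2.vectranetworks.com", "api.vectranetworks.com"]


@dataclass
class ProbeResult:
    host: str
    ok: bool
    detail: str


def issuer_name(cert: dict) -> str:
    """Flatten the 'issuer' entry of ssl.SSLSocket.getpeercert() into
    'organizationName / commonName' so the signing CA is visible at a glance."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return f"{fields.get('organizationName', '?')} / {fields.get('commonName', '?')}"


def classify_verify_message(msg: str) -> str:
    """Map OpenSSL's verification failure text to a likely root cause."""
    m = msg.lower()
    if "self-signed" in m or "self signed" in m or "local issuer" in m:
        # The chain ends in a CA the trust store does not know: the classic
        # fingerprint of an inspecting proxy substituting its own certificate.
        return "untrusted chain: SSL/TLS inspection by a proxy/firewall CA is likely"
    if "hostname mismatch" in m:
        return "certificate not issued for this name: interception or DNS redirection"
    if "expired" in m or "not yet valid" in m:
        return "validity-period failure: check the appliance clock (NTP) first"
    return f"verification failed: {msg}"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> ProbeResult:
    """Connect with the default (verifying) context and report the outcome."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ProbeResult(host, True, "issued by " + issuer_name(tls.getpeercert()))
    except ssl.SSLCertVerificationError as exc:
        return ProbeResult(host, False, classify_verify_message(exc.verify_message))
    except OSError as exc:
        # DNS failure, blocked port, timeout, or a non-certificate TLS error.
        return ProbeResult(host, False, f"connection error: {exc}")


if __name__ == "__main__":
    for name in ENDPOINTS:
        r = probe(name)
        print(f"{'OK  ' if r.ok else 'FAIL'} {r.host}: {r.detail}")
```

A result of "untrusted chain" on every endpoint, with the same browser reaching public sites fine, is the pattern produced by transparent inspection: the proxy CA is installed in the workstation's trust store but is unknown to the appliance.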

### Internet Access From Vectra Brain

A Vectra Brain requires connectivity to the automatic update service for normal operation. This connectivity is used for automatic (including security) updates and to synchronize keys for cryptographic authentication of sensors.

The Brain requires Internet DNS resolution to obtain the IP addresses for these requests. The customer may choose public/Internet DNS servers or internal DNS servers; however, Internet DNS entries must be resolvable by the Brain. DNS is often considered a UDP-only protocol, but TCP may be used depending on the type of DNS transaction. Both UDP and TCP use port 53, and both should be permitted to all configured DNS servers.
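The TCP requirement is easy to get wrong in a rule set because most day-to-day lookups succeed over UDP. The following added example (not Vectra tooling) builds a minimal A query with nothing but the standard library and sends it to each configured server over both UDP/53 and TCP/53, so a rule that only permits UDP shows up as a TCP failure. The server address is an RFC 5737 documentation address standing in for the Brain's configured resolvers; the names queried are taken from this page.

```python
"""Check that each configured DNS server answers over BOTH UDP/53 and TCP/53.

The Brain must resolve Internet names such as update2.vectranetworks.com, and
DNS switches to TCP whenever an answer does not fit in a UDP datagram (the
server sets the TC bit and the client retries over TCP).  A rule that permits
only UDP/53 therefore works until a large answer arrives.  Added example, not
Vectra tooling.
"""
import socket
import struct
from typing import List, Tuple

# Constructed inputs; replace with the Brain's configured DNS servers.
DNS_SERVERS = ["192.0.2.53"]  # RFC 5737 documentation address, assumed
NAMES = ["update2.vectranetworks.com", "api.vectranetworks.com"]


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive A/IN query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer is 2 bytes and ends the name
            return off + 2
        off += length + 1


def parse_a_records(msg: bytes) -> Tuple[bool, List[str]]:
    """Return (truncated, [IPv4 answers]).  truncated=True means the server set
    the TC bit: the UDP reply is incomplete and the client must retry over TCP."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    truncated = bool(flags & 0x0200)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return truncated, answers


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DNS server closed the TCP connection early")
        buf += chunk
    return buf


def query_udp(server: str, name: str, timeout: float = 3.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(4096)


def query_tcp(server: str, name: str, timeout: float = 3.0) -> bytes:
    """Same query over TCP/53; the message carries a 2-byte length prefix."""
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


if __name__ == "__main__":
    for server in DNS_SERVERS:
        for name in NAMES:
            for transport, fn in (("UDP", query_udp), ("TCP", query_tcp)):
                try:
                    tc, ips = parse_a_records(fn(server, name))
                    note = " (truncated, TCP retry needed)" if tc else ""
                    print(f"OK   {server} {transport}/53 {name} -> {ips}{note}")
                except OSError as exc:  # timeout, refused, or filtered
                    print(f"FAIL {server} {transport}/53 {name}: {exc}")
```

A UDP success paired with a TCP timeout to the same server is the signature of a rule that permits UDP/53 only; a UDP answer flagged as truncated shows why that gap matters in practice.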

Vectra can function in air-gapped environments with a Quadrant UX based deployment, with the following impacts:

* Vectra Threat Intelligence detections will be disabled.
* Suspect Domain Activity detection will be disabled.
* Context enrichment from external sources (such as whois) that is displayed in certain models will not function.

Please see the [Vectra Quadrant UX Deployment Guide](https://support.vectra.ai/s/article/KB-VS-1077) for additional details about air-gapped environments, including guidance for offline updates. Respond UX for Network is not possible in air-gapped environments since the Respond UX is delivered from Vectra's cloud and communicates with a locally installed Brain.

### Internet Access to Vectra Appliances

As with all security infrastructure, inbound access to Vectra appliances from the Internet should be blocked, and access should only be granted from trusted workstations and/or authenticated sources.

### Management Network IP Address Range Conflicts with Remote Support

Customers should note that the following IP ranges will conflict with remote support capability:

* 192.168.72.0/21
* 192.168.80.0/21

If you will ever need Vectra to assist remotely (outside of screen sharing sessions), take care to number the management network interface (MGT) of every appliance (physical, virtual, or cloud; Brains or Network Data Sources/Sensors) outside of the above ranges. If an MGT interface is numbered in either of these ranges, remote support access will not function. All remote support connectivity with Vectra goes through the Brain (even to access other appliances in your deployment), so firewall rules for remote support only need to allow connectivity from the Brain to Vectra's cloud (Sensors must still be allowed to reach the Brain per the charts below).
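To test an inventory of MGT addresses against the two reserved ranges above before a remote support session is needed, the following added example (not Vectra tooling) uses Python's ipaddress module and reports every reserved range an address or prefix overlaps. The appliance names and addresses in it are constructed; the two reserved ranges are those listed on this page.

```python
"""Flag appliance MGT addresses that collide with the IP ranges reserved for
Vectra remote support.  Added example; ranges from this page, sample inventory
constructed.
"""
import ipaddress
from typing import Dict, List

REMOTE_SUPPORT_RANGES = [
    ipaddress.ip_network("192.168.72.0/21"),  # 192.168.72.0 - 192.168.79.255
    ipaddress.ip_network("192.168.80.0/21"),  # 192.168.80.0 - 192.168.87.255
]


def conflicting_ranges(mgt: str) -> List[ipaddress.IPv4Network]:
    """Return the reserved ranges that overlap the MGT address or prefix.

    Accepts a bare host address ('192.168.75.10'), which is treated as a /32,
    or a prefix ('192.168.70.0/22'); strict=False lets a host address with a
    mask ('10.10.0.5/24') be normalised to its network.
    """
    net = ipaddress.ip_network(mgt, strict=False)
    return [r for r in REMOTE_SUPPORT_RANGES if net.overlaps(r)]


def check_appliances(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each appliance name to the list of reserved ranges its MGT
    interface collides with (empty list = safe to use for remote support)."""
    return {name: [str(r) for r in conflicting_ranges(mgt)] for name, mgt in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory: Brain plus two Sensors, one of them mis-numbered.
    inventory = {
        "brain-01": "10.10.0.5/24",
        "sensor-01": "10.10.1.20/24",
        "sensor-02": "192.168.80.7/21",
    }
    for name, hits in check_appliances(inventory).items():
        status = "CONFLICT with " + ", ".join(hits) if hits else "ok"
        print(f"{name:10} {inventory[name]:18} {status}")
```

Because remote support for Sensors is reached through the Brain, a Sensor numbered inside the reserved ranges is just as much of a problem as a Brain, which is why the check runs over the whole inventory rather than the Brain alone.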

## Vectra Cloud Connectivity

* For this document, the portions of the Vectra AI Platform that reside in Vectra’s cloud are referred to as the Vectra cloud.
  * This does not refer to any specific service offering.
* Please check each category below to see if it is applicable to your deployment and if rules are required in your environment to enable the required connectivity.
  * For rule categories that have multiple region options, it is only necessary to put rules in place to allow connectivity to the region that your Vectra tenant is deployed in. This region should be visible in the URL used to access the Respond UX.
    * For example, `[tenant_id].ew1.prod.vectra-svc.ai` is used for EU deployments (ew1).
* RUX for Network refers to a RUX deployment that has enabled network data sources (sensors).
  * This means you have a Brain somewhere in your premises (data center or public cloud) that is connected to the Vectra cloud for use with the Respond UX and paired with network Sensors (virtual or physical) to capture network traffic and distill a metadata stream for processing by the Brain appliance.
  * Please refer to the [Vectra Respond UX Deployment Guide](https://support.vectra.ai/s/article/KB-VS-1696) for more details.
* Please refer to the table below to see applicability of the various categories.
* The **For Brain or User’s Browser** column should be interpreted as follows:
  * **Brain** – Rules required for the Brain to the Vectra Cloud.
  * **User’s Browser** – Rules required for the user’s web browser to the Vectra cloud.

<table data-header-hidden data-full-width="true"><thead><tr><th width="318.47265625"></th><th width="281.6796875"></th><th width="259.9375"></th></tr></thead><tbody><tr><td><strong>Rule Category</strong></td><td><strong>Required For</strong></td><td><strong>For Brain or User’s Browser</strong></td></tr><tr><td><a href="#rux-for-network-gui-synchronization">RUX for Network GUI Synchronization</a></td><td>RUX for Network Deployments</td><td>Brain</td></tr><tr><td><a href="#auth-gateways">Auth Gateways</a></td><td><p>RUX for Network Deployments</p><p>Quadrant UX deployments of CDR for M365, IDR for Azure AD, and CDR for AWS.</p></td><td>Brain</td></tr><tr><td><a href="#rux-metadata-forwarding">RUX Metadata Forwarding</a></td><td>RUX for Network Deployments</td><td>Brain</td></tr><tr><td><a href="#rux-research-metadata-forwarding">RUX Research Metadata Forwarding</a></td><td>RUX for Network Deployments</td><td>Brain</td></tr><tr><td><a href="#section-2">RUX Analyst/Admin Access</a></td><td>All RUX Deployments</td><td>User’s Browser</td></tr><tr><td><a href="#_Respond_UX_(RUX)_1">RUX Static Asset CDN</a></td><td>All RUX Deployments</td><td>User’s Browser</td></tr><tr><td><a href="#_Respond_UX_Customer">RUX Customer File Upload</a></td><td>All RUX Deployments</td><td>User’s Browser</td></tr><tr><td><a href="#vectra-cloud-egress-ips">Vectra Cloud Egress IPs</a></td><td>Vectra Cloud connecting to configured SaaS data source connectors</td><td>N/A</td></tr></tbody></table>

### RUX for Network GUI Synchronization

* Required for:
  * All RUX for Network deployments.
* This is used to synchronize configurations between the Brain appliance and your Vectra tenant.
* This communications channel is initiated from the Brain to the endpoint in your Vectra tenant’s region.
* The protocol and ports in use for each entry are the same: **WebSocket and HTTPS over TCP/443**

<table data-header-hidden data-full-width="false"><thead><tr><th width="365.3203125" align="center"></th><th width="100" align="center"></th><th width="100" align="center"></th><th width="144.20703125" align="center"></th></tr></thead><tbody><tr><td align="center"><strong>Fully Qualified Domain Name (FQDN)</strong></td><td align="center"><strong>IP(s)</strong></td><td align="center"><strong>Region</strong></td><td align="center"><strong>Initiated From</strong></td></tr><tr><td align="center">main-cbi-tunnel-uw2.app.prod.vectra-svc.ai</td><td align="center">Dynamic</td><td align="center">US</td><td align="center">Brain</td></tr><tr><td align="center">main-cbi-tunnel-ew1.app.prod.vectra-svc.ai</td><td align="center">Dynamic</td><td align="center">EU</td><td align="center">Brain</td></tr><tr><td align="center">main-cbi-tunnel-ec2.app.prod.vectra-svc.ai</td><td align="center">Dynamic</td><td align="center">Switzerland</td><td align="center">Brain</td></tr><tr><td align="center">main-cbi-tunnel-cc1.app.prod.vectra-svc.ai</td><td align="center">Dynamic</td><td align="center">Canada</td><td align="center">Brain</td></tr><tr><td align="center">main-cbi-tunnel-as2.app.prod.vectra-svc.ai</td><td align="center">Dynamic</td><td align="center">Australia</td><td align="center">Brain</td></tr></tbody></table>

### Auth Gateways

* Required for:
  * All Respond UX for Network Deployments.
  * Quadrant UX deployments of CDR for M365, IDR for Azure AD, and CDR for AWS.
    * Your Brain must be able to securely access the Vectra cloud over TCP/443 HTTPS connections to enable detection events from these products to be reported to your UI.
* In Respond UX for Network deployments, the Brain forwards network detections, entities, host sessions, and any selective PCAPs (Vectra Packet Capture) to your Vectra tenant via this connection.
* This communications channel is initiated from your Brain to the endpoint in your Vectra tenant’s region.

<table data-header-hidden data-full-width="true"><thead><tr><th width="383.625" align="center"></th><th width="149.61328125" align="center"></th><th width="148.4609375" align="center"></th><th width="121.22265625" align="center"></th><th width="137.1484375" align="center"></th></tr></thead><tbody><tr><td align="center"><strong>Fully Qualified Domain Name (FQDN)</strong></td><td align="center"><strong>IP(s)</strong></td><td align="center"><strong>Protocol / Ports</strong></td><td align="center"><strong>Region</strong></td><td align="center"><strong>Initiated From</strong></td></tr><tr><td align="center">authgateway.uw2.public.app.prod.vectra-svc.ai</td><td align="center">54.245.33.175<br>52.42.70.176<br>100.21.109.72<br>52.26.91.157</td><td align="center"><p>HTTPS</p><p>TCP/443</p></td><td align="center">US</td><td align="center">Brain</td></tr><tr><td align="center">authgateway.ew1.public.app.prod.vectra-svc.ai</td><td align="center">54.171.40.108<br>54.246.213.148<br>54.75.47.147</td><td align="center"><p>HTTPS</p><p>TCP/443</p></td><td align="center">EU</td><td align="center">Brain</td></tr><tr><td align="center">authgateway.ec2.public.app.prod.vectra-svc.ai</td><td align="center"><p>16.62.18.237</p><p>16.62.142.98</p><p>51.96.54.201</p></td><td align="center"><p>HTTPS</p><p>TCP/443</p></td><td align="center">Switzerland</td><td align="center">Brain</td></tr><tr><td align="center">authgateway.cc1.public.app.prod.vectra-svc.ai</td><td align="center">3.96.112.208<br>52.60.211.221<br>15.222.69.161</td><td align="center"><p>HTTPS</p><p>TCP/443</p></td><td align="center">Canada</td><td align="center">Brain</td></tr><tr><td align="center">authgateway.as2.public.app.prod.vectra-svc.ai</td><td align="center">13.54.11.66<br>13.55.79.24<br>13.55.106.102</td><td align="center"><p>HTTPS</p><p>TCP/443</p></td><td align="center">Australia</td><td align="center">Brain</td></tr></tbody></table>

### RUX Metadata Forwarding

* Required for:
  * All Respond UX for Network Deployments.
* Network metadata is forwarded to AWS S3 buckets and processed to make it available for features such as Instant Investigation and Advanced Investigation in the Respond UX.
* This communications channel is initiated from your Brain to the endpoint in your Vectra tenant’s region.
* The protocol and ports in use for each entry are the same: **HTTPS over TCP/443**

<table data-header-hidden data-full-width="true"><thead><tr><th width="514.98046875" align="center"></th><th width="100" align="center"></th><th width="119.75390625" align="center"></th><th width="146.4296875" align="center"></th></tr></thead><tbody><tr><td align="center"><strong>Fully Qualified Domain Name (FQDN)</strong></td><td align="center"><strong>IP(s)</strong></td><td align="center"><strong>Region</strong></td><td align="center"><strong>Initiated From</strong></td></tr><tr><td align="center">cbo-upload-network-metadata-forwarder-uswt2-371371611652.s3-accesspoint.us-west-2.amazonaws.com</td><td align="center">Dynamic</td><td align="center">US</td><td align="center">Brain</td></tr><tr><td align="center">cbo-upload-network-metadata-forwarder-euwt1-371371611652.s3-accesspoint.eu-west-1.amazonaws.com</td><td align="center">Dynamic</td><td align="center">EU</td><td align="center">Brain</td></tr><tr><td align="center">cbo-upload-network-metadata-forwarder-eucl2-371371611652.s3-accesspoint.eu-central-2.amazonaws.com</td><td align="center">Dynamic</td><td align="center">Switzerland</td><td align="center">Brain</td></tr><tr><td align="center">cbo-upload-network-metadata-forwarder-cacl1-371371611652.s3-accesspoint.ca-central-1.amazonaws.com</td><td align="center">Dynamic</td><td align="center">Canada</td><td align="center">Brain</td></tr><tr><td align="center">cbo-upload-network-metadata-forwarder-apse2-371371611652.s3-accesspoint.ap-southeast-2.amazonaws.com</td><td align="center">Dynamic</td><td align="center">Australia</td><td align="center">Brain</td></tr></tbody></table>

### RUX Research Metadata Forwarding

* Optional but highly recommended for:
  * All Respond UX for Network Deployments
* Research metadata from precursor algorithms is used to improve model quality and reduce detection noise.
* This communications channel is initiated from your Brain to the endpoint in your Vectra tenant’s region.
* The protocol and ports in use for each entry are the same: **HTTPS over TCP/443**

<table data-header-hidden data-full-width="true"><thead><tr><th width="490.4140625" align="center"></th><th width="100" align="center"></th><th width="120.79296875" align="center"></th><th width="135.91796875" align="center"></th></tr></thead><tbody><tr><td align="center"><strong>Fully Qualified Domain Name (FQDN)</strong></td><td align="center"><strong>IP(s)</strong></td><td align="center"><strong>Region</strong></td><td align="center"><strong>Initiated From</strong></td></tr><tr><td align="center">cbo-upload-network-precursors-uswt2-371371611652.s3-accesspoint.us-west-2.amazonaws.com</td><td align="center">Dynamic</td><td align="center">US</td><td align="center">Brain</td></tr><tr><td align="center">cbo-upload-network-precursors-euwt1-371371611652.s3-accesspoint.eu-west-1.amazonaws.com</td><td align="center">Dynamic</td><td align="center">EU</td><td align="center">Brain</td></tr><tr><td align="center">cbo-upload-network-precursors-eucl2-371371611652.s3-accesspoint.eu-central-2.amazonaws.com</td><td align="center">Dynamic</td><td align="center">Switzerland</td><td align="center">Brain</td></tr><tr><td align="center">cbo-upload-network-precursors-cacl1-371371611652.s3-accesspoint.ca-central-1.amazonaws.com</td><td align="center">Dynamic</td><td align="center">Canada</td><td align="center">Brain</td></tr><tr><td align="center">cbo-upload-network-precursors-apse2-371371611652.s3-accesspoint.ap-southeast-2.amazonaws.com</td><td align="center">Dynamic</td><td align="center">Australia</td><td align="center">Brain</td></tr></tbody></table>

### RUX Analyst/Admin Access

* Required for:
  * All Respond UX deployments.
* Any analyst or admin who wishes to access the Respond UX will need to ensure that their browser can reach their Vectra tenant to log in and access the UI.
* This communications channel is initiated from the user’s host.
* The protocol and ports in use for each entry are the same: **HTTPS over TCP/443**

<table data-header-hidden data-full-width="true"><thead><tr><th width="340.640625" align="center"></th><th align="center"></th><th align="center"></th><th width="139.19921875" align="center"></th></tr></thead><tbody><tr><td align="center"><strong>Fully Qualified Domain Name (FQDN)</strong></td><td align="center"><strong>IP(s)</strong></td><td align="center"><strong>Region</strong></td><td align="center"><strong>Initiated From</strong></td></tr><tr><td align="center">[tenant_id].uw2.portal.vectra.ai</td><td align="center">Dynamic</td><td align="center">US</td><td align="center">User’s Browser</td></tr><tr><td align="center">[tenant_id].ew1.portal.vectra.ai</td><td align="center">Dynamic</td><td align="center">EU</td><td align="center">User’s Browser</td></tr><tr><td align="center">[tenant_id].ec2.portal.vectra.ai</td><td align="center">Dynamic</td><td align="center">Switzerland</td><td align="center">User’s Browser</td></tr><tr><td align="center">[tenant_id].cc1.portal.vectra.ai</td><td align="center">Dynamic</td><td align="center">Canada</td><td align="center">User’s Browser</td></tr><tr><td align="center">[tenant_id].as2.portal.vectra.ai</td><td align="center">Dynamic</td><td align="center">Australia</td><td align="center">User’s Browser</td></tr></tbody></table>

### RUX Static Asset CDN

* Required for:
  * All Respond UX deployments.
* The static assets (HTML, CSS, JS) required to serve the Respond UX web application are hosted by a CDN (Content Delivery Network).
* This communications channel is initiated from the user’s host.

<table data-header-hidden data-full-width="true"><thead><tr><th width="313.40234375" align="center"></th><th width="153.4609375" align="center"></th><th width="100" align="center"></th><th width="100" align="center"></th><th width="142.07421875" align="center"></th></tr></thead><tbody><tr><td align="center"><strong>Fully Qualified Domain Name (FQDN)</strong></td><td align="center"><strong>Protocol / Ports</strong></td><td align="center"><strong>IP(s)</strong></td><td align="center"><strong>Region</strong></td><td align="center"><strong>Initiated From</strong></td></tr><tr><td align="center"><p>dd6462tdmvp79.cloudfront.net</p><p>dpew7prsvwbf0.cloudfront.net</p></td><td align="center"><p>HTTPS</p><p>TCP/443</p></td><td align="center">Dynamic</td><td align="center">All</td><td align="center">User’s Browser</td></tr></tbody></table>

### RUX Customer File Upload

* Required for:
  * All Respond UX deployments.
* This communications channel is used for:
  * Vectra Match deployments, to allow upload of rulesets.
  * PCAP download from the Vectra Cloud for Selective PCAP (Vectra Packet Capture).
  * Additional capabilities planned for future releases.
    * It is recommended to put rules in place even if you don’t use Match or Selective PCAP.
* This communications channel is initiated from the user’s host.

<table data-full-width="true"><thead><tr><th width="395.8828125" align="center"></th><th width="151.8515625" align="center"></th><th width="93.1875" align="center"></th><th width="84.61328125" align="center"></th><th width="144.1015625" align="center"></th></tr></thead><tbody><tr><td align="center"><strong>Fully Qualified Domain Name (FQDN)</strong></td><td align="center"><strong>Protocol / Ports</strong></td><td align="center"><strong>IP(s)</strong></td><td align="center"><strong>Region</strong></td><td align="center"><strong>Initiated From</strong></td></tr><tr><td align="center">prd-main-customerfiles-580786928539-uswt2.s3.amazonaws.com</td><td align="center"><p>HTTPS</p><p>TCP/443</p></td><td align="center">Dynamic</td><td align="center">US</td><td align="center">User’s Browser</td></tr><tr><td align="center">prd-main-customerfiles-580786928539-euwt1.s3.amazonaws.com</td><td align="center"><p>HTTPS</p><p>TCP/443</p></td><td align="center">Dynamic</td><td align="center">EU</td><td align="center">User’s Browser</td></tr><tr><td align="center">prd-main-customerfiles-580786928539-eucl2.s3.amazonaws.com</td><td align="center"><p>HTTPS</p><p>TCP/443</p></td><td align="center">Dynamic</td><td align="center">Switzerland</td><td align="center">User’s Browser</td></tr><tr><td align="center">prd-main-customerfiles-580786928539-cacl1.s3.amazonaws.com</td><td align="center"><p>HTTPS</p><p>TCP/443</p></td><td align="center">Dynamic</td><td align="center">Canada</td><td align="center">User’s Browser</td></tr><tr><td align="center">prd-main-customerfiles-580786928539-apse2.s3.amazonaws.com</td><td align="center"><p>HTTPS</p><p>TCP/443</p></td><td align="center">Dynamic</td><td align="center">Australia</td><td align="center">User’s Browser</td></tr></tbody></table>

### Vectra Cloud Egress IPs

When the Vectra Cloud connects externally to retrieve logs from configured data sources, it does so from the IPs listed at <https://ips.devops.vectra-svc.ai/ips.json>. The specific IPs used will be limited to the IPs listed for the regions in use for your Vectra deployment. For example, if you are only deployed in eu-west-1, then only the IPs from the list associated with eu-west-1 will be used. See the following table for details.

<table><thead><tr><th width="315.4375">Region Code</th><th width="297.0234375">Region</th></tr></thead><tbody><tr><td>ap-southeast-2</td><td>Australia</td></tr><tr><td>ca-central-1</td><td>Canada</td></tr><tr><td>eu-central-2</td><td>Switzerland</td></tr><tr><td>eu-west-1</td><td>EU</td></tr><tr><td>us-west-2</td><td>US</td></tr></tbody></table>

In most situations, customers do NOT need to configure any specific firewall rules to allow Vectra to reach the endpoints required. If you see the IPs in the list accessing your data in your logs, this is not a cause for concern. It is due to the fact that your configured data source connector is connecting to the endpoint to retrieve the data necessary to provide the service.
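The following added example (not Vectra tooling) ties the region selection described under Vectra Cloud Connectivity (the region tag in the tenant URL, e.g. `ew1`) to the region codes in the table above: it derives the AWS region code from a tenant URL, loads the egress addresses for that region, and sorts source IPs from a storage access log into expected Vectra reads and unexplained sources worth a look. The structure of ips.json is not documented on this page, so the sample document and the `{region_code: [cidr, ...]}` shape the loader expects are assumptions to adapt to the real file; the addresses and log lines are constructed.

```python
"""Classify storage-access log sources against Vectra Cloud egress IPs for
the region your tenant lives in.  Added example, not Vectra tooling.  The
ips.json layout is ASSUMED to be {region_code: [cidr_or_ip, ...]}; adapt
load_region_ips() to the real document.
"""
import ipaddress
import json
import re
from typing import Dict, List
from urllib.parse import urlparse

# Region tag used in tenant hostnames -> (AWS region code, region name); from this page.
REGIONS = {
    "uw2": ("us-west-2", "US"),
    "ew1": ("eu-west-1", "EU"),
    "ec2": ("eu-central-2", "Switzerland"),
    "cc1": ("ca-central-1", "Canada"),
    "as2": ("ap-southeast-2", "Australia"),
}

# Both hostname shapes shown on this page: [tenant].<tag>.portal.vectra.ai and
# [tenant].<tag>.prod.vectra-svc.ai
_TENANT_HOST = re.compile(
    r"^(?P<tenant>[^.]+)\.(?P<tag>uw2|ew1|ec2|cc1|as2)\."
    r"(?:portal\.vectra\.ai|prod\.vectra-svc\.ai)$"
)


def region_from_tenant_url(url: str) -> str:
    """Return the AWS region code ('eu-west-1') for a Respond UX URL such as
    https://acme.ew1.portal.vectra.ai/ ; raises ValueError for anything else."""
    host = urlparse(url if "://" in url else "https://" + url).hostname or ""
    m = _TENANT_HOST.match(host.lower())
    if not m:
        raise ValueError(f"not a recognised Vectra tenant hostname: {host!r}")
    return REGIONS[m.group("tag")][0]


# Constructed sample in the ASSUMED shape; RFC 5737 documentation addresses,
# not real Vectra egress IPs.  Fetch the real list from the URL on this page.
SAMPLE_IPS_JSON = json.dumps({
    "eu-west-1": ["198.51.100.0/28", "203.0.113.7"],
    "us-west-2": ["192.0.2.0/29"],
})


def load_region_ips(doc: str, region: str) -> List[ipaddress.IPv4Network]:
    """Parse the (assumed) ips.json layout and keep only the requested region."""
    data = json.loads(doc)
    return [ipaddress.ip_network(entry, strict=False) for entry in data.get(region, [])]


def is_expected_egress(src_ip: str, egress: List[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in egress)


def audit_log(lines: List[str], egress: List[ipaddress.IPv4Network]) -> Dict[str, List[str]]:
    """Split '<source ip> <operation>' log lines (constructed format) into
    expected Vectra connector reads and sources that deserve review."""
    verdict: Dict[str, List[str]] = {"vectra": [], "review": []}
    for line in lines:
        ip = line.split()[0]
        bucket = "vectra" if is_expected_egress(ip, egress) else "review"
        verdict[bucket].append(ip)
    return verdict


if __name__ == "__main__":
    region = region_from_tenant_url("https://acme.ew1.portal.vectra.ai/")
    egress = load_region_ips(SAMPLE_IPS_JSON, region)
    # Constructed log excerpt: two connector reads and one unrelated source.
    sample_log = ["198.51.100.3 GetBlob", "203.0.113.7 ListBlobs", "192.0.2.1 GetBlob"]
    print(region, audit_log(sample_log, egress))
```

Filtering by the tenant's own region is deliberate: an address from another region's list reading your data is not explained by your connector and should be treated like any other unknown source.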

In the case of CDR for Azure, if private access is required for the Azure storage accounts that Vectra reads your Azure logs from, please see [Configuring Private Access for Azure Storage Accounts](https://docs.vectra.ai/cdr-for-azure/deployment/appendix-1-azure-configuration-notes#configuring-private-access-for-azure-storage-accounts) in the CDR for Azure deployment guide. Details are provided for how to configure the Storage accounts used to only accept connections from the IPs associated with the Vectra Cloud.

## Appliance Connectivity

While the [Vectra Cloud connectivity](#vectra-cloud-connectivity) section above primarily deals with the connectivity required to deliver the Respond UX and detections from Vectra SaaS offerings to RUX and QUX deployments, the content in this section applies to any deployment using Vectra appliances (Brains, Sensors, and Stream), whether RUX or QUX.

### Vectra Cloud Appliance Connectivity

All communications with the Vectra Cloud occur over a TLS encrypted channel. Appliance devices (physical, virtual, cloud) authenticate using keys. Unique public/private keys are generated when a device is provisioned by Vectra. The corresponding public key is copied to the Vectra Cloud. Every device connecting to the Vectra Cloud authenticates using its own private key.

The Vectra Cloud houses several services:

* update2.vectranetworks.com
  * Used for delivering updates to the Vectra software.
  * [Offline updates](https://docs.vectra.ai/operations/readme-1/offline-updates-v89) are also supported.
* api.vectranetworks.com
  * Used for lightweight health monitoring of the Vectra platform and for delivering additional context certain Detections may need.
  * Queries to external information sources to provide context are proxied through this connection.
  * If required, customers can block the platform from reporting health monitoring by blocking outbound connections on their firewall to api.vectranetworks.com.
* rp.vectranetworks.com
  * Used only by Brains deployed in IaaS clouds, for authentication and verification (integrity check of the file system).
* metadata.vectra.ai
  * Metadata sharing improves threat detection by contributing anonymized metadata sourced from the Brain deployed in your organization. This is optional in QUX deployments.
* rs.vectranetworks.com
  * This enables remote support from authorized Vectra employees.
* SaaS product offerings such as Recall

#### Proxy Support

Vectra Cloud connectivity to update2.vectranetworks.com and api.vectranetworks.com supports connecting through a customer proxy. If a proxy connection is required for your Brain appliance to reach these endpoints, edit the proxy settings in *Configuration → Data Sources → Network → Brain Setup → Proxy & Status*.

* Note that [Remote Support](https://docs.vectra.ai/configuration/access/vectra-remote-support) does not support proxy configuration by default. If a proxy is the only option, please contact Vectra support to manually configure remote support to use it.

#### Lightweight Health Monitoring

Lightweight health monitoring includes the following statistics. Only aggregate statistics are collected; no details are collected.

* System Health Metrics
  * Installed packages, running processes, system interface information, system usage, database usage, system error stats
* Environment Metrics
  * Host counts, traffic counts, Brain configuration, remote support status, notification status, metadata status
* Detection Metrics
  * Detection counts, PCAP stats, Triage stats

#### Metadata Sharing

Full details, including the optional additional levels of sharing, are available at [Why is Metadata Sharing Important](https://docs.vectra.ai/reference/why-is-metadata-sharing-important).

Metadata Sharing Improves Threat Detection

* By contributing anonymized metadata sourced from the X-series platform deployed in your organization, you are contributing directly to the efficacy and accuracy of the Vectra software and the security of your network.
* Access to Detection metadata improves Vectra’s threat detection algorithms, enabling the Vectra software you use to be more effective in a constantly evolving threat landscape.
* Data is collected daily and includes:
  * Anonymized information about Detections that are triggered in your network.
  * Anonymized information about algorithms in the research and development phase (and not yet visible in the UI) that are triggered in your network.
  * Anonymized attribution of Detections to Hosts.
  * Anonymized information related to host identification efficacy.
* Vectra Secures and Limits Access to Metadata
  * Any metadata you contribute is anonymized by removing personal and network-specific information before it is sent to metadata.vectranetworks.com via an encrypted connection.
  * Vectra treats this metadata as highly confidential and only allows authorized research personnel to access the metadata.
  * Any metadata collected is securely deleted after a six-month period.
* Contact Vectra support if non-anonymized Full Metadata Sharing is desired
  * Algorithm development using non-anonymized metadata helps to ensure that new models function as efficiently as possible in your environment.

### Required Connectivity For Appliances

<table data-header-hidden data-full-width="true"><thead><tr><th width="131.375" align="center"></th><th width="253.46875" align="center"></th><th width="177.15234375" align="center"></th><th width="288.40234375" align="center"></th></tr></thead><tbody><tr><td align="center"><strong>Source</strong></td><td align="center"><strong>Destination</strong></td><td align="center"><strong>Protocol/Port</strong></td><td align="center"><strong>Description</strong></td></tr><tr><td align="center">Administrator workstations</td><td align="center"><p>Brain</p><p>Sensors</p></td><td align="center">TCP/22 (SSH)</td><td align="center">Command-line management of the Brain and Sensor appliances.</td></tr><tr><td align="center">Administrator workstations</td><td align="center">Brain</td><td align="center">TCP/443 (HTTPS)</td><td align="center">Web management of Brain appliances.</td></tr><tr><td align="center">Brain</td><td align="center"><p>update2.vectranetworks.com</p><p>(54.200.156.238)</p></td><td align="center">TCP/443<br>(HTTPS)</td><td align="center"><p>Automatic updates.</p><p>Pairing keys for physical sensors.</p><p>See note above regarding SSL keys.</p></td></tr><tr><td align="center">Brain</td><td align="center"><p>api.vectranetworks.com</p><p>(54.200.5.9)</p></td><td align="center">TCP/443 (HTTPS)</td><td align="center">Health monitoring, algorithm support, reverse lookups for external IPs, Vectra Threat Intelligence, additional detection content. See note above regarding SSL keys.</td></tr><tr><td align="center">Brain (Cloud)</td><td align="center"><p>rp.vectranetworks.com</p><p>(54.200.156.238)</p></td><td align="center">TCP/443 (HTTPS)</td><td align="center"><p>Used only for Brains deployed in IaaS clouds.</p><p>Used for authentication and verification (integrity check of the file system).</p></td></tr><tr><td align="center">Brain</td><td align="center">DNS servers (as configured)</td><td align="center">TCP/53, UDP/53</td><td align="center">Both TCP and UDP are required for normal operation. See note above regarding DNS resolution.</td></tr><tr><td align="center">Brain</td><td align="center"><p>NTP servers (as configured)</p><p>Default is ntp.ubuntu.com</p></td><td align="center">UDP/123</td><td align="center">Time synchronization.</td></tr><tr><td align="center">Brain</td><td align="center">SMTP servers (as configured)</td><td align="center">TCP (as configured)</td><td align="center">Email alerting.</td></tr><tr><td align="center">Brain</td><td align="center">SMTP (OAuth)</td><td align="center">TCP/443<br>TCP/587</td><td align="center">Please see SMTP (OAuth) for Microsoft chart below.</td></tr><tr><td align="center">Brain</td><td align="center">Sensors, Stream</td><td align="center">TCP/22 (SSH)</td><td align="center">Remote management and troubleshooting.</td></tr><tr><td align="center">Sensors, Stream</td><td align="center">Brain</td><td align="center">TCP/22 (SSH), TCP/443 (HTTPS)</td><td align="center">Pairing, metadata transfer, and ongoing communication.</td></tr><tr><td align="center">Stream</td><td align="center">Data lake (as configured)</td><td align="center">TCP (as configured)</td><td align="center">Metadata stream to a data lake.</td></tr></tbody></table>

### Additional (Feature Dependent) Connectivity

<table data-header-hidden data-full-width="true"><thead><tr><th width="132.6796875" align="center"></th><th width="395.2890625" align="center"></th><th width="167.9609375" align="center"></th><th width="339.06640625" align="center"></th></tr></thead><tbody><tr><td align="center"><strong>Source</strong></td><td align="center"><strong>Destination</strong></td><td align="center"><strong>Protocol/Port</strong></td><td align="center"><strong>Description</strong></td></tr><tr><td align="center">Brain</td><td align="center">content.user-telemetry.vectra.ai<br>data.user-telemetry.vectra.ai</td><td align="center">TCP/443<br>(HTTPS)</td><td align="center">Required for In-App support functionality.<br>See <a href="https://support.vectra.ai/s/article/KB-VS-1606">In-App Support KB</a> for more details.</td></tr><tr><td align="center">Administrator workstations</td><td align="center">Recall Kibana server</td><td align="center">TCP/443 (HTTPS)</td><td align="center">Recall IP addresses are provided during implementation and may be requested at any time from Vectra Support.</td></tr><tr><td align="center">Brain</td><td align="center"><p>rs.vectranetworks.com</p><p>(74.201.86.229)</p></td><td align="center">TCP/443 or UDP/9970</td><td align="center"><a href="https://support.vectra.ai/s/article/KB-VS-1045">Remote Support</a> access for remote troubleshooting. 
See note above regarding SSL inspection and other note about potential IP range conflicts with the MGT interface.</td></tr><tr><td align="center">Brain</td><td align="center"><p>metadata.vectra.ai</p><p>(100.20.236.31, 44.229.57.246, 44.228.37.60, 44.228.101.87)</p></td><td align="center">TCP/443 (HTTPS)</td><td align="center">Anonymized metadata sharing to contribute to future algorithm development.</td></tr><tr><td align="center">Brain</td><td align="center">Recall collector</td><td align="center">TCP/443 (HTTPS)</td><td align="center">Recall IP addresses are provided during implementation and may be requested at any time from Vectra Support.</td></tr><tr><td align="center">Brain</td><td align="center">Syslog (as configured)</td><td align="center">TCP or UDP (as configured)</td><td align="center">CEF or standard Syslog format.</td></tr><tr><td align="center">Brain</td><td align="center">Kafka (as configured)</td><td align="center">TCP (as configured)</td><td align="center">CEF or standard Syslog format.</td></tr><tr><td align="center">Brain</td><td align="center"><p>Carbon Black Response</p><p>(as configured)</p></td><td align="center">TCP/443 (as configured)</td><td align="center">Carbon Black integration (requires API key).</td></tr><tr><td align="center">Brain</td><td align="center">api.crowdstrike.com</td><td align="center">TCP/443 (HTTPS)</td><td align="center">Crowdstrike integration (Client ID and Client Secret).</td></tr><tr><td align="center">Brain</td><td align="center">vCenter (as configured)</td><td align="center">TCP (as configured)</td><td align="center">vCenter integration enables vSensor physical host view, augmented host identification, and vCenter alerts.</td></tr><tr><td align="center">Brain</td><td align="center">LDAP (as configured)</td><td align="center">TCP/389 STARTTLS/389</td><td align="center">LDAP authentication.</td></tr><tr><td align="center">Brain</td><td align="center">Radius (as configured)</td><td align="center">UDP/1812</td><td 
align="center">Radius (PAP) authentication.</td></tr><tr><td align="center">Brain</td><td align="center">TACACS (as configured)</td><td align="center">TCP/49</td><td align="center">TACACS (PAP or CHAP) authentication.</td></tr><tr><td align="center">Brain</td><td align="center">Backup server (as configured)</td><td align="center">TCP/22 (SSH)</td><td align="center"><a href="https://support.vectra.ai/s/article/KB-VS-1121">Automated backup (SCP or SFTP)</a>.</td></tr><tr><td align="center">Brain</td><td align="center">Brain</td><td align="center">TCP/22 (SSH), TCP/443 (HTTPS)</td><td align="center"><a href="https://support.vectra.ai/s/article/KB-VS-1121">Automated backup (brain-to-brain)</a>. Connectivity is bidirectional.</td></tr><tr><td align="center">Sensors, Stream</td><td align="center">update2.vectranetworks.com (54.200.156.238)</td><td align="center">TCP/443 (HTTPS)</td><td align="center"><a href="https://support.vectra.ai/s/article/KB-VS-1024">Required for automatic pairing</a>. Optional for manual (offline) pairing.</td></tr><tr><td align="center">SIEM/CLM log management</td><td align="center">Brain</td><td align="center">TCP or UDP (as configured)</td><td align="center">Log forwarding of DHCP/AD security events to augment host identification.</td></tr><tr><td align="center">Brain</td><td align="center"><p>login.windows.net</p><p>api.securitycenter.windows.com</p></td><td align="center">TCP/443 (HTTPS)</td><td align="center">Required for <a href="https://support.vectra.ai/s/article/KB-VS-1236">ATP lockdown</a></td></tr><tr><td align="center">Brain</td><td align="center">EMEA customers (only)<br><br>authgateway.ew1.public.app.prod.vectra-svc.ai<br>(54.171.40.108 , 54.246.213.148 , 54.75.47.147 )<br><br>AMS/APJ customers (only)<br><br>authgateway.uw2.public.app.prod.vectra-svc.ai<br>(54.245.33.175, 52.42.70.176, 100.21.109.72 , 52.26.91.157)</td><td align="center">TCP/443<br>(HTTPS)</td><td align="center">Required for Vectra MDR Service for QUX Deployments. 
These endpoints are also required for RUX deployments that have network data sources (Sensors). These are already discussed in the <a href="#auth-gateways">Auth Gateways</a> section of this doc for RUX. Essentially, if your deployment has a Brain, it MUST be able to reach Vectra over these endpoints for Vectra MDR service.</td></tr><tr><td align="center">Sensor</td><td align="center">S3 and SQS AWS Regional Endpoints. Only required for ZIA enabled Sensor.</td><td align="center">TCP/443</td><td align="center">Required for ZIA SASE/SSE integration. See <a href="https://support.vectra.ai/s/article/KB-VS-1006">KB</a> for details.</td></tr></tbody></table>

### SMTP (OAuth) For Microsoft

**Quadrant UX Only**: *Configuration → RESPONSE → Notifications → SMTP*

Respond UX deployments do not require this, as email notifications are sent from Vectra's cloud.

<table data-header-hidden data-full-width="true"><thead><tr><th width="282.41015625" align="center"></th><th width="223.69140625" align="center"></th><th width="145.71484375" align="center"></th></tr></thead><tbody><tr><td align="center"><strong>Cloud Type</strong></td><td align="center"><strong>Destination</strong></td><td align="center"><strong>Protocol/Port</strong></td></tr><tr><td align="center">Public (office365.com)</td><td align="center">login.microsoftonline.com<br>smtp.office365.com</td><td align="center">TCP/443<br>TCP/587</td></tr><tr><td align="center">US Government (office365.us)</td><td align="center">login.microsoftonline.us<br>smtp.office365.us</td><td align="center">TCP/443<br>TCP/587</td></tr><tr><td align="center">German (office365.de)</td><td align="center">login.microsoftonline.de<br>smtp.office365.de</td><td align="center">TCP/443<br>TCP/587</td></tr><tr><td align="center">China (office365.cn)</td><td align="center">login.microsoftonline.cn<br>smtp.office365.cn</td><td align="center">TCP/443<br>TCP/587</td></tr></tbody></table>
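The tables above (the feature-dependent connectivity table and the SMTP (OAuth) table) are easiest to validate before go-live with a small pre-check that resolves each documented hostname, compares the answer with the IP addresses listed on this page, and attempts a TCP handshake on each fixed port. The following script is an added example, not Vectra's own tooling: the hostnames, IPs and port cells are copied from the tables on this page, while the `Rule` class, function names and the 3-second timeout are assumptions made for the example. A hostname that resolves to an address outside the documented list is the quickest indicator of the SSL-inspection or DNS-override problems mentioned in the notes above; UDP rules (such as UDP/9970 for remote support) are reported as untested rather than guessed, since there is no handshake to observe.

```python
"""Connectivity pre-check for the appliance firewall rules documented above.

Added example (not Vectra's tooling). Each Rule mirrors one table row:
source, destination host, the Protocol/Port cell as written, and the IPs
the page documents for that host (empty when the page lists none).
"""
import re
import socket
from dataclasses import dataclass, field
from typing import List, Tuple

# Matches "TCP/443", "UDP/9970" inside free-text cells such as
# "TCP/443 or UDP/9970" or "TCP/22 (SSH), TCP/443 (HTTPS)".
PORT_RE = re.compile(r"\b(TCP|UDP)/(\d{1,5})\b", re.IGNORECASE)


@dataclass
class Rule:                      # hypothetical structure for this example
    source: str
    destination: str             # hostname or IP from the Destination column
    port_spec: str               # Protocol/Port cell, verbatim
    documented_ips: List[str] = field(default_factory=list)


def parse_port_spec(spec: str) -> List[Tuple[str, int]]:
    """Extract (protocol, port) pairs from a Protocol/Port cell.

    Qualifiers like "(HTTPS)" or "(as configured)" are ignored; a cell with
    no fixed port (e.g. "TCP (as configured)") yields an empty list.
    """
    return [(proto.lower(), int(port)) for proto, port in PORT_RE.findall(spec)]


def resolve(host: str) -> List[str]:
    """All IPv4 addresses the local resolver returns for host ([] on failure)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def undocumented_ips(resolved: List[str], documented: List[str]) -> List[str]:
    """Resolved addresses that are not in the page's documented list.

    An empty documented list means the page fixes no IPs for this host
    (e.g. a customer-configured server), so nothing is flagged.
    """
    if not documented:
        return []
    return [ip for ip in resolved if ip not in documented]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_rule(rule: Rule, timeout: float = 3.0) -> List[str]:
    """Run DNS, documented-IP and TCP reachability checks for one rule."""
    findings: List[str] = []
    pairs = parse_port_spec(rule.port_spec)
    if not pairs:
        return [f"{rule.destination}: no fixed port in {rule.port_spec!r}; verify manually"]
    resolved = resolve(rule.destination)
    if not resolved:
        return [f"{rule.destination}: DNS resolution failed"]
    for ip in undocumented_ips(resolved, rule.documented_ips):
        findings.append(f"{rule.destination}: resolves to {ip}, not in documented "
                        f"{rule.documented_ips} (SSL inspection or DNS override?)")
    for proto, port in pairs:
        if proto != "tcp":
            findings.append(f"{rule.destination}: {proto.upper()}/{port} not tested (no handshake)")
            continue
        state = "reachable" if tcp_reachable(rule.destination, port, timeout) else "BLOCKED/timeout"
        findings.append(f"{rule.destination}: TCP/{port} {state}")
    return findings


# Rows copied from the tables above; hosts and IPs are as documented on this page.
RULES = [
    Rule("Sensors, Stream", "update2.vectranetworks.com", "TCP/443 (HTTPS)", ["54.200.156.238"]),
    Rule("Brain", "rs.vectranetworks.com", "TCP/443 or UDP/9970", ["74.201.86.229"]),
    Rule("Brain", "metadata.vectra.ai", "TCP/443 (HTTPS)",
         ["100.20.236.31", "44.229.57.246", "44.228.37.60", "44.228.101.87"]),
    Rule("Brain", "smtp.office365.com", "TCP/443<br>TCP/587"),   # SMTP (OAuth) table, public cloud
]

if __name__ == "__main__":
    for rule in RULES:
        for line in check_rule(rule):
            print(line)
```

Run it from the appliance's management network (or any host subject to the same egress policy) and treat any "resolves to ... not in documented" line as a reason to revisit the SSL-inspection exemption before opening a support case about blocked updates or remote support.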
