Carbon Black Cloud: Is "Inbound" Traffic Required to Be Opened for Sensor Communication?
Article ID: 285204
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Is "inbound" traffic required to be opened for sensor communication?
Environment
Microsoft Windows: All Versions
Carbon Black Cloud
Endpoint Standard Sensor: All Versions
Enterprise EDR Sensor: All Versions
Resolution
Yes, if a stateful firewall is not in use. With a stateful firewall, opening "inbound" traffic is not required.
Additional Information
The sensor initiates the connection at all times over the assigned port, whether that is port 443 or 54443.
A stateful firewall can determine that traffic which originated from a specific endpoint is allowed to return to that same endpoint.
If a stateful firewall is not used, "inbound" traffic over the assigned port needs to be opened and a firewall rule needs to be created, since the firewall cannot identify that traffic which originated from the host is safe to return to it.
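The difference described above can be modeled in a few lines. This is an added illustration, not Carbon Black code or a vendor configuration; the `Firewall` class, the IP addresses (documentation ranges) and the ephemeral port are constructed for the example, and only ports 443 and 54443 come from the article.

```python
from dataclasses import dataclass

SENSOR_PORTS = {443, 54443}  # ports named in the article

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    """Toy filter (hypothetical): outbound to the sensor ports is always allowed."""
    def __init__(self, stateful, inbound_rule=False):
        self.stateful = stateful
        self.inbound_rule = inbound_rule  # static "allow inbound from source port 443/54443"
        self.flows = set()                # connection table, used only when stateful

    def outbound(self, p):
        if p.dport not in SENSOR_PORTS:
            return False
        if self.stateful:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
        return True

    def inbound(self, p):
        if self.stateful:
            # Allowed only as the reverse of a flow that an endpoint opened.
            return (p.dst, p.dport, p.src, p.sport) in self.flows
        # Stateless: each packet is judged alone against the static rule.
        return self.inbound_rule and p.sport in SENSOR_PORTS

def demo():
    # Constructed sample traffic.
    hello = Packet("10.0.0.5", 50123, "203.0.113.10", 443)  # sensor -> cloud
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 50123)  # cloud -> sensor
    stray = Packet("198.51.100.7", 443, "10.0.0.5", 3389)   # host the sensor never contacted
    results = {}
    for name, fw in [("stateful", Firewall(True)),
                     ("stateless_no_rule", Firewall(False)),
                     ("stateless_with_rule", Firewall(False, inbound_rule=True))]:
        fw.outbound(hello)
        results[name] = (fw.inbound(reply), fw.inbound(stray))  # (reply allowed, stray allowed)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

In this model the stateless rule matches on source port alone, so it also admits the packet that is not a reply to any sensor connection, while the stateful filter admits only the reply.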