Carbon Black Cloud: Is "Inbound" Traffic Required to Be Opened for Sensor Communication?

Article ID: 285204

Updated On:

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

Is "inbound" traffic required to be opened for sensor communication?

Environment

  • Microsoft Windows: All Versions
  • Carbon Black Cloud
    • Endpoint Standard Sensor: All Versions
    • Enterprise EDR Sensor: All Versions

Resolution

Yes, if you are not using a stateful firewall. If you are using a stateful firewall, it is not required to open "inbound" traffic.

Additional Information

  • The sensor initiates the connection at all times over the assigned port, whether that is port 443 or 54443.
  • A stateful firewall is able to determine that traffic which originated from a specific endpoint is then allowed to return to that same endpoint.
  • If a stateful firewall is not used, then "inbound" traffic over the assigned port needs to be opened and a firewall rule needs to be created, since the firewall cannot identify that the traffic from the original host is safe to return.
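
The difference between the two firewall types described above can be seen in a small packet-filter model. This is an added example, not Carbon Black code or vendor configuration: it shows a stateless filter needing an explicit inbound rule on the assigned port, and a stateful filter admitting only replies to connections the sensor started. The class names, addresses and ephemeral ports are assumptions made for the illustration.

```python
from dataclasses import dataclass

SENSOR_PORTS = {443, 54443}  # assigned ports named in the article

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = leaving the protected network, "in" = entering it

class StatelessFilter:
    """Judges every packet on its own; keeps no memory of earlier packets."""
    def __init__(self, allow_inbound_return: bool):
        self.allow_inbound_return = allow_inbound_return

    def permits(self, p: Packet) -> bool:
        if p.direction == "out":
            return p.dport in SENSOR_PORTS
        # Inbound: replies get back in only through an explicit rule on the
        # assigned port (the reply carries that port as its source port).
        return self.allow_inbound_return and p.sport in SENSOR_PORTS

class StatefulFilter:
    """Remembers outbound flows and admits only their replies."""
    def __init__(self):
        self.flows = set()

    def permits(self, p: Packet) -> bool:
        if p.direction == "out":
            if p.dport not in SENSOR_PORTS:
                return False
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        # Inbound: accept only the mirror image of a tracked outbound flow.
        return (p.dst, p.dport, p.src, p.sport) in self.flows

def round_trip(fw, request: Packet) -> bool:
    """True when the sensor's request and the backend's reply both pass."""
    reply = Packet(request.dst, request.dport, request.src, request.sport, "in")
    return fw.permits(request) and fw.permits(reply)

# Constructed sample traffic (private and documentation-range addresses).
SENSOR_REQ = Packet("10.0.0.5", 50000, "203.0.113.10", 443, "out")
UNSOLICITED = Packet("203.0.113.10", 443, "10.0.0.5", 50001, "in")
```

With the inbound rule in place, the stateless filter also passes `UNSOLICITED`, because it cannot tell that packet from a genuine reply; the stateful filter passes it only if the sensor opened that exact flow first.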