We would like to review the required firewall changes for AppNeta.
The complete details for AppNeta Firewall settings can be found on the following Broadcom TechDocs page:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/appneta/GA/appliance-firewall.html
Below you will find the table which details the minimum firewall rules needed for an AppNeta Monitoring Point (MP) to operate correctly.

| Direction | Protocol | Port | Destination / Target | Purpose |
|---|---|---|---|---|
| Outbound | TCP | 443 | *.pm.appneta.com (alternative: the published IP addresses listed below) | Core AppNeta SaaS Connectivity: Communication, control, data upload, and software updates. |
| Outbound | UDP | 123 | NTP Server IP | Time Synchronization (Network Time Protocol) for accurate data logging. |
| Outbound | UDP | 53 | DNS Server IP | DNS Resolution for connectivity and some PathPlus testing. |
| Outbound | TCP | 53 | DNS Server IP | DNS Resolution (in case UDP fails, for PathPlus testing). |
| Inbound | TCP | 443 | Monitoring Point IP | Web Admin Access and inbound TCP Traceroute testing. |
| Inbound | UDP | 3239 | Monitoring Point IP | Path Coordination for Delivery (Network) Monitoring tests. |
| Bidirectional | ICMP | All | All destinations | Network Diagnostics (Ping and Traceroute). |
| Outbound | TCP | 443 | *.azurecr.io | CMP Software Updates |
Experience Monitoring: If you use the MP for Experience Monitoring (Web), see the additional port requirements further below.

FQDN Recommendation: Broadcom strongly recommends allowing the Fully Qualified Domain Name (FQDN) *.pm.appneta.com on TCP port 443. If you must use IP whitelisting, you will need to allow the specific, published IP addresses, which are subject to change.

Stateful Firewalls: The table above assumes you are using a stateful firewall, which automatically allows return traffic for established outbound connections. If you use a non-stateful firewall, you may need to explicitly define inbound rules for the response traffic.

The following rules cover basic network testing and administrative access to the MP.

| Direction | Protocol | Port | Destination / Target | Purpose |
|---|---|---|---|---|
| In | TCP | 443 | MP IP address | Web Admin Access and inbound TCP Traceroute |
| Out | ICMP | All | All destinations | ICMP (Ping/Traceroute) |
| In | ICMP | All | MP IP address | ICMP (Ping/Traceroute Response) |
| Out | UDP | 162 | SNMP NMS address | SNMP Traps to Network Management Station |
| In | UDP | 161 | MP IP address | SNMPd (SNMP daemon access) |
Advanced monitoring adds further rules: it uses a dedicated ephemeral port range (45056-49151) plus ports 3236-3239, in both directions and for both UDP and TCP.

| Direction | Protocol | Port | Destination / Target |
|---|---|---|---|
| Out | UDP | 45056-49151 | All destinations |
| In | UDP | 45056-49151 | MP IP address |
| Out | TCP | 45056-49151 | All destinations |
| In | TCP | 45056-49151 | MP IP address |
| Out | UDP | 3236-3239 | All destinations |
| In | UDP | 3236-3239 | MP IP address |
| Out | TCP | 3236-3239 | All destinations |
| In | TCP | 3236-3239 | MP IP address |
Experience Monitoring (Web) requires the following additional rules:

| Direction | Protocol | Port | Destination / Target | Purpose |
|---|---|---|---|---|
| Out | TCP | 80 | All destinations | Experience Monitoring (Unencrypted Web Traffic) |
| Out | TCP | 443 | All destinations | Experience Monitoring (Encrypted Web Traffic, TCP Traceroute/Monitoring) |
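When reviewing a proposed firewall change against these tables, two questions come up repeatedly: does the change cover every required rule at full width (a port range trimmed to 45056-49000, for instance, silently breaks advanced monitoring), and, on a non-stateful firewall, which explicit return-traffic rules are needed for the outbound entries per the Stateful Firewalls note above. The script below is an added example written for this review, not Broadcom or AppNeta tooling. It transcribes the minimum rule set from the tables, reviews a constructed change request against it, and derives return rules; the `client_ports` ephemeral range used for return traffic and the peer names `ntp-server` and `dns-server` are assumptions standing in for your actual addresses.

```python
"""Encode the MP firewall rules from the tables above and review a proposed
change against them. Added example; not AppNeta/Broadcom tooling."""
from dataclasses import dataclass
from typing import List, Tuple

Ports = Tuple[int, int]  # inclusive port range
ALL: Ports = (0, 65535)


@dataclass(frozen=True)
class Rule:
    direction: str             # "out": MP -> target, "in": target -> MP
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Ports               # destination port range (ICMP: use ALL)
    target: str                # peer host/FQDN; "any" = all destinations
    sport: Ports = ALL         # source port range; narrowed only for return rules
    purpose: str = ""


def port_range(spec: str) -> Ports:
    """Parse the table's port column: '443', '3236-3239' or 'All'."""
    if spec.strip().lower() == "all":
        return ALL
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


# Minimum rule set transcribed from the tables on this page. Peer names for the
# NTP and DNS servers are placeholders (assumption).
REQUIRED: List[Rule] = [
    Rule("out", "tcp", port_range("443"), "*.pm.appneta.com", purpose="Core SaaS connectivity"),
    Rule("out", "udp", port_range("123"), "ntp-server", purpose="NTP"),
    Rule("out", "udp", port_range("53"), "dns-server", purpose="DNS (UDP)"),
    Rule("out", "tcp", port_range("53"), "dns-server", purpose="DNS (TCP fallback)"),
    Rule("in", "tcp", port_range("443"), "any", purpose="Web admin / TCP traceroute"),
    Rule("in", "udp", port_range("3239"), "any", purpose="Path coordination (UDP 3239)"),
    Rule("out", "icmp", port_range("All"), "any", purpose="ICMP diagnostics"),
    Rule("in", "icmp", port_range("All"), "any", purpose="ICMP responses"),
    Rule("out", "udp", port_range("45056-49151"), "any", purpose="Advanced monitoring (outbound ephemeral)"),
    Rule("in", "udp", port_range("45056-49151"), "any", purpose="Advanced monitoring (inbound ephemeral)"),
]


def within(outer: Ports, inner: Ports) -> bool:
    return outer[0] <= inner[0] and outer[1] >= inner[1]


def covers(allowed: Rule, needed: Rule) -> bool:
    """An allowed rule satisfies a required rule only if it is at least as broad in
    every dimension; a narrower port range or a different peer does not count."""
    return (allowed.direction == needed.direction
            and allowed.proto == needed.proto
            and within(allowed.dport, needed.dport)
            and within(allowed.sport, needed.sport)
            and allowed.target in ("any", needed.target))


def missing_rules(required: List[Rule], proposed: List[Rule]) -> List[Rule]:
    """Required rules that no rule in the proposed change covers."""
    return [r for r in required if not any(covers(p, r) for p in proposed)]


def return_rules(rules: List[Rule], client_ports: Ports = (1024, 65535)) -> List[Rule]:
    """For a NON-stateful firewall, derive the explicit inbound rules that let replies
    to each outbound TCP/UDP rule through: the reply comes from the service port back
    to the MP's ephemeral source port. client_ports is an assumed generic range;
    narrow it if you know the MP's actual source-port range."""
    return [
        Rule("in", r.proto, client_ports, r.target, sport=r.dport,
             purpose=f"return traffic: {r.purpose}")
        for r in rules if r.direction == "out" and r.proto in ("tcp", "udp")
    ]


# Constructed change request to review: it omits inbound UDP 3239 and trims the
# inbound ephemeral range to 45056-49000.
PROPOSED: List[Rule] = [
    Rule("out", "tcp", (443, 443), "*.pm.appneta.com"),
    Rule("out", "udp", (123, 123), "ntp-server"),
    Rule("out", "udp", (53, 53), "dns-server"),
    Rule("out", "tcp", (53, 53), "dns-server"),
    Rule("in", "tcp", (443, 443), "any"),
    Rule("out", "icmp", ALL, "any"),
    Rule("in", "icmp", ALL, "any"),
    Rule("out", "udp", (45056, 49151), "any"),
    Rule("in", "udp", (45056, 49000), "any"),
]

if __name__ == "__main__":
    for r in missing_rules(REQUIRED, PROPOSED):
        print(f"MISSING {r.direction:3} {r.proto:4} {r.dport} {r.target}: {r.purpose}")
    print("Explicit return rules for a non-stateful firewall:")
    for r in return_rules(REQUIRED):
        print(f"  in {r.proto} sport={r.sport} dport={r.dport} from {r.target}")
```

Run as-is, the review flags the two defects in the constructed request (inbound UDP 3239 absent, inbound ephemeral range too narrow). Replace `PROPOSED` with the rules from the actual change ticket; `covers` deliberately requires the allowed rule to be at least as wide as the requirement so that a partially overlapping range is reported rather than accepted.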
As needed, the AppNeta endpoint FQDNs and IP addresses are listed below:

| Fully Qualified Domain Name (FQDN) | IP Addresses |
|---|---|
| comms.pm.appneta.com | 35.231.90.181, 34.138.106.192 |
| data.pm.appneta.com | 35.231.90.181, 34.138.106.192 |
| content.pm.appneta.com | 35.231.90.181, 34.138.106.192 |
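Because the published addresses are subject to change, a team that cannot use the FQDN recommendation and allowlists these IPs instead needs a periodic drift check: addresses the endpoints now use that the allowlist lacks will be blocked, and allowlisted addresses no longer in use leave the rule wider than necessary. The following added example (not Broadcom's tooling) compares the table above with resolved addresses; `RESOLVED_NOW` is constructed sample data in which 203.0.113.10 (a documentation address) stands in for a newly added endpoint IP, and `resolve()` is the live lookup you would substitute for it.

```python
"""Allowlist drift check for the AppNeta endpoint FQDNs. Added example, not
Broadcom's tooling. PUBLISHED is the table above; RESOLVED_NOW is constructed."""
import socket
from typing import Dict, List, Set

PUBLISHED: Dict[str, Set[str]] = {
    "comms.pm.appneta.com": {"35.231.90.181", "34.138.106.192"},
    "data.pm.appneta.com": {"35.231.90.181", "34.138.106.192"},
    "content.pm.appneta.com": {"35.231.90.181", "34.138.106.192"},
}


def resolve(fqdn: str) -> Set[str]:
    """Live IPv4 resolution for one FQDN (needs network; not used by the demo)."""
    return {info[4][0] for info in
            socket.getaddrinfo(fqdn, 443, socket.AF_INET, socket.SOCK_STREAM)}


def allowlist_drift(published: Dict[str, Set[str]],
                    resolved: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Per FQDN, report 'unlisted' addresses (in use but not allowlisted: traffic
    would be dropped) and 'stale' ones (allowlisted but no longer in use)."""
    report = {}
    for fqdn, allowed in published.items():
        current = resolved.get(fqdn, set())
        unlisted, stale = current - allowed, allowed - current
        if unlisted or stale:
            report[fqdn] = {"unlisted": sorted(unlisted), "stale": sorted(stale)}
    return report


def consolidated_allowlist(published: Dict[str, Set[str]]) -> List[str]:
    """Distinct addresses a single IP-based TCP 443 rule must contain."""
    return sorted(set().union(*published.values()))


# Constructed snapshot (assumption, not a real DNS answer): content has gained
# 203.0.113.10 and data has dropped 34.138.106.192.
RESOLVED_NOW: Dict[str, Set[str]] = {
    "comms.pm.appneta.com": {"35.231.90.181", "34.138.106.192"},
    "data.pm.appneta.com": {"35.231.90.181"},
    "content.pm.appneta.com": {"35.231.90.181", "34.138.106.192", "203.0.113.10"},
}

if __name__ == "__main__":
    # For a live run: {f: resolve(f) for f in PUBLISHED}
    for fqdn, diff in allowlist_drift(PUBLISHED, RESOLVED_NOW).items():
        print(f"{fqdn}: unlisted={diff['unlisted']} stale={diff['stale']}")
    print("rule must contain:", consolidated_allowlist(PUBLISHED))
```

Schedule the live variant to run from a host inside the same network as the MP so the resolver answer matches what the MP itself would see, and treat any `unlisted` entry as a pending firewall change rather than an informational finding.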
Please also see the following article for the ICMP types used:
https://knowledge.broadcom.com/external/article?articleNumber=272765