Solved
perimiter firewall access list
We are configuring our perimiter firewall with a default deny/all for outbound traffic. What ports & destinations do I need to allow for Webroot to communicate back to the cloud service?
Best answer by JimM
Hi apowell,
I see this is your first post. Welcome to the Community!
As long as your firewall supports allowing path masks, you can whitelist the following URLs to accomplish your goal:
*.webrootcloudav.com
(this will cover the g-url’s as well as several other target addresses)
*.*.webrootcloudav.com
(some devices don’t like a single * for urls that contain dots in the value of *
*.p4.webrootcloudav.com
(in case a device doesn’t like multiple *’s)
*.compute.amazonaws.com
(this will cover inbound communication from the Amazon cloud servers)
*.webroot.com
(for future communications)
*.webrootanywhere.com
(for future communications)
I hope this helps. Unfortunately we cannot provide IP addresses for security reasons.
View originalI see this is your first post. Welcome to the Community!
As long as your firewall supports allowing path masks, you can whitelist the following URLs to accomplish your goal:
*.webrootcloudav.com
(this will cover the g-url’s as well as several other target addresses)
*.*.webrootcloudav.com
(some devices don’t like a single * for urls that contain dots in the value of *
*.p4.webrootcloudav.com
(in case a device doesn’t like multiple *’s)
*.compute.amazonaws.com
(this will cover inbound communication from the Amazon cloud servers)
*.webroot.com
(for future communications)
*.webrootanywhere.com
(for future communications)
I hope this helps. Unfortunately we cannot provide IP addresses for security reasons.
1 person likes this
Hi apowell,
I see this is your first post. Welcome to the Community!
As long as your firewall supports allowing path masks, you can whitelist the following URLs to accomplish your goal:
*.webrootcloudav.com
(this will cover the g-url’s as well as several other target addresses)
*.*.webrootcloudav.com
(some devices don’t like a single * for urls that contain dots in the value of *
*.p4.webrootcloudav.com
(in case a device doesn’t like multiple *’s)
*.compute.amazonaws.com
(this will cover inbound communication from the Amazon cloud servers)
*.webroot.com
(for future communications)
*.webrootanywhere.com
(for future communications)
I hope this helps. Unfortunately we cannot provide IP addresses for security reasons.
I see this is your first post. Welcome to the Community!
As long as your firewall supports allowing path masks, you can whitelist the following URLs to accomplish your goal:
*.webrootcloudav.com
(this will cover the g-url’s as well as several other target addresses)
*.*.webrootcloudav.com
(some devices don’t like a single * for urls that contain dots in the value of *
*.p4.webrootcloudav.com
(in case a device doesn’t like multiple *’s)
*.compute.amazonaws.com
(this will cover inbound communication from the Amazon cloud servers)
*.webroot.com
(for future communications)
*.webrootanywhere.com
(for future communications)
I hope this helps. Unfortunately we cannot provide IP addresses for security reasons.
What if it's impossible to configure it on my router like that and I need IP addresses or A Record? Is there any other way?
Any good modern router should allow for whitelisting of path masks, especially in an enterprise environment. While, as I mentioned, we cannot provide the IP addresses for security reasons, an additional reason is that the IP addresses change far too often to effectively keep track of the whitelisting that would need to be done on an ongoing basis. The changing of the IP addresses is both a technical benefit on some levels and a limitation on the level you're referring to. The ultimate solution is to invest in a better router since path mask whitelisting is ubiquitous in most enterprise router systems.
I know this is an older post, but it is still relevant to me.
I have a couple of servers that I am cutting off ALL traffic to/from, however I want to allow traffic from specific sources like Webroot so that the A/V can get updated.
Are the addresses in this post still relevant or have they changed?
thanks in advance!
Tim
I have a couple of servers that I am cutting off ALL traffic to/from, however I want to allow traffic from specific sources like Webroot so that the A/V can get updated.
Are the addresses in this post still relevant or have they changed?
thanks in advance!
Tim
+26These above are a little dated. We currently communicate the following URLs for firewall allowance.
*.webrootcloudav.com
Agent communication and updates
(Please note: Some firewalls do not support double dotted subdomain names with a single wildcard mask (i.e. g1.p4.webrootcloudav.com being represented by *.webrootcloudav.com) so some environments might require either *.p4.webrootcloudav.com or *.*.webrootcloudav.com)
*.webroot.com
Agent messaging
https://wrskynet.s3.amazonaws.com/*
https://wrskynet-eu.s3-eu-west-1.amazonaws.com/*
https://wrskynet-oregon.s3-us-west-2.amazonaws.com/*
Agent file downloading and uploading
*.webrootanywhere.com
Management portal and support ticket logs upload
WSAWebFilteringPortal.elasticbeanstalk.com
Web Threat Shield
*.webrootcloudav.com
Agent communication and updates
(Please note: Some firewalls do not support double dotted subdomain names with a single wildcard mask (i.e. g1.p4.webrootcloudav.com being represented by *.webrootcloudav.com) so some environments might require either *.p4.webrootcloudav.com or *.*.webrootcloudav.com)
*.webroot.com
Agent messaging
https://wrskynet.s3.amazonaws.com/*
https://wrskynet-eu.s3-eu-west-1.amazonaws.com/*
https://wrskynet-oregon.s3-us-west-2.amazonaws.com/*
Agent file downloading and uploading
*.webrootanywhere.com
Management portal and support ticket logs upload
WSAWebFilteringPortal.elasticbeanstalk.com
Web Threat Shield
Shane Cooper | Manager, Channels Sales (RMM & Strategic Partners)
1 person likes this
Reply
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.