Return
-
Title
What are the firewall rules on Safeguard? Is it possible to ping the Safeguard appliance? -
Description
What are the firewall rules on Safeguard?
Is it possible to ping the Safeguard appliance?
How is the firewall configured on Safeguard appliances?
Which ports are open on Safeguard appliances and what kinds of traffic are allowed? -
Resolution
Appliances are protected by an internal firewall. The firewall provides packet inspection and filtering, it is non user configurable. The rules are below:
X0 interface
• HTTPS (443/TCP) is permitted inbound (for client/Web/API access)
• SPP 6.13.1 or below:TINC (655/TCP and UDP) is open for secure VPN communication between appliances in a clustered high-availability configuration• SPP 7.0 LTS or above:Wireguard (655/UDP only) is open for secure VPN communication between appliances in a clustered high-availability configuration• Connections from the appliance and their responses are permitted• Other traffic directed to the appliance is dropped (including ping/ICMP packets) with the details recorded in the firewall log in the application.
X1 interface when using embedded sessions (2.11.2 and below)
• SSH (22/TCP) is permitted inbound for PSM SSH sessions• RDP (3389/TCP) is permitted inbound for PSM RDP sessions• ICMP ping is permitted
• Other traffic directed to the appliance is dropped -
Additional Information
More information about the design of the Safeguard appliance can be found in the "Understanding the Security Architecture of One Identity Safeguard" white paper.