1. Logpoint Service Desk
  2. Community
  3. SIEM - Architecture & Configuration

Which firewall ports should be opened for logpoint server?

Avatar
Follow
0

Hi,

on my firewall I opened port 443 to destination customer.logpoint.com (172.67.190.81 and 104.21.76.59).

Now I see on the firewall that the server tries to open connections to the ip addresses 104.16.37.47 and 104.16.38.47 through port 443. Are these connections also needed?

Best regards,

Hans Vedder

Share This Post:

6 comments

Date Votes
0
Avatar
Rupsan Shrestha

Hi Hans,

If you have enabled support connection then the Logpoint Server communicates with customer.logpoint.com

These should be their IPs:

Name: customer.logpoint.com

Address: 172.67.190.81:443

Name: customer.logpoint.com

Address: 104.21.76.59:443

It also communicates with reverse.logpoint.com

Name: reverse.logpoint.com

Address: 89.188.79.98:1193

The IPs that you provided: 104.16.37.47 and 104.16.38.47; don’t seem to be under our domain. Maybe this is something you have used like, fetchers, TI or similar API integrations in your environment.

0
Avatar
CSO Integrations

Hi Hans,

If you need further help, you are always welcome to open a support ticket with LogPoint Support. :)

0
Avatar
Basudev Raut

Hi Hans,

Both the IP address suggests (current status whitelisted), the external connections are attempted to maxmind which provide the geolocation information. The reason for this attempt originates from one of our process plugin named geoip whose input is IP address and the Output is geographic location.

With every LogPoint that we ship, geoip is bundled as a plugin with baseline information maintained in mmdb (maxmind database). On every Thursday , the geoip codebase attempts to connect to maxmind server through HTTPS (TCP/443) to update the database.

For further assurance, can you please check whether

  1. Outbound connection attempt to maxmind ip addresses happens on other days as well
  2. Additional connection attempt other than those mentioned ip address

Thanks,
Basudev Raut

0
Avatar
Johann Sampl

Hi Hans,

Both the IP address suggests (current status whitelisted), the external connections are attempted to maxmind which provide the geolocation information. The reason for this attempt originates from one of our process plugin named geoip whose input is IP address and the Output is geographic location.

With every LogPoint that we ship, geoip is bundled as a plugin with baseline information maintained in mmdb (maxmind database). On every Thursday , the geoip codebase attempts to connect to maxmind server through HTTPS (TCP/443) to update the database.

For further assurance, can you please check whether

  1. Outbound connection attempt to maxmind ip addresses happens on other days as well
  2. Additional connection attempt other than those mentioned ip address

Thanks,
Basudev Raut

Hi Basudev,

so it would be nice to find these informatíon - regarding the geoip update -under Connections required by LogPoint — Install and Upgrade LogPoint latest documentation .

Name:    www.maxwind.com
Addresses:  3.99.113.10
3.97.24.88

Are these IP Addresses correct.

BR

Johann

0
Avatar
Basudev Raut

Hi Hans,

Thank you for the suggestion. I will relay this to our documentation team. Regarding the IPs you mentioned, I have asked with relevant team, will get back to you soon.

Best Regards,
Basudev

Please sign in to leave a comment.