Problem: My network contains security policies that prevent agents from reaching the SeaLights platform

This is normally caused by security policies related to Firewalls, or other networking-related security configurations that prevent access to the SeaLights API. To verify this is the case, try running a cURL command to your dashboard URL:

...

If you need a generic Sealights endpoint, you can use https://csdemoconnect.sealights.co in your command.

...

Info

The above cURL commands run on native Linux.

  • If using Windows, you will need to run it from a PowerShell prompt, as it allows curl commands as an alias to the native Invoke-WebRequest cmdlet, which you can use as well.
    For example, Invoke-WebRequest -Uri https://<YourCustomDNSName>.sealights.co -UseBasicParsing | Select-Object StatusCode,StatusDescription
    If a proxy is required, you can add the -Proxy <Uri> parameter to the first part of the command. More details can be found in Microsoft’s official documentation page.

  • If running on a Linux container without cURL, you can install it using apt-get update && apt-get install -y curl or use the wget equivalent.
    For example, wget --server-response --spider https://<YourCustomDNSName>.sealights.co. If a proxy is required, you can add -e use_proxy=yes -e http_proxy=<proxy_url> parameters to your command.

Solution

In case a firewall is present, it needs to allow network traffic to reach the SeaLights platform, and depending on your organization’s policy, you can use one of the following solutions.

Allow outbound traffic to Sealights' domain

The Firewall should allow outbound connections on port 443 (TLS v1.2) to our domain https://*.sealights.co.
For a more restrictive rule, you can open the connections to your Sealights dashboard URL only.

Allow outbound traffic to Sealights' range of IP addresses

As SeaLights' networking is managed in AWS, the full list of subnets pointing to our platform can be found in the ip-ranges.json file supplied by AWS.

Be sure to follow the next steps to understand which IP addresses need to be added to your exceptions list:

  1. Download the provided ip-ranges.json file from AWS.

  2. From the file, extract the entries related to CloudFront (using jq): cat ip-ranges.json | jq '.prefixes[] | select(.service=="CLOUDFRONT")'

  3. Add the subnets output by the previous step to your Firewall exception list for outbound connections on port 443 (TLS v1.2).
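
The three steps above as a script (an added example, not SeaLights' or AWS's own code): it selects the CLOUDFRONT entries, merges duplicate and adjacent subnets into the shortest rule list, and checks whether a given IP is covered. It goes beyond the jq filter by also reading ipv6_prefixes; the function names and the sample data are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample in the ip-ranges.json layout (documentation address
# ranges, not real AWS data; fields the code does not read are omitted).
SAMPLE = json.dumps({
    "syncToken": "0000000000",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.128/25", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/25", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "service": "CLOUDFRONT"},
    ],
})


def cloudfront_allowlist(raw, service="CLOUDFRONT"):
    """Return (syncToken, collapsed networks) for one service label."""
    doc = json.loads(raw)
    v4 = [ipaddress.ip_network(p["ip_prefix"])
          for p in doc.get("prefixes", []) if p.get("service") == service]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"])
          for p in doc.get("ipv6_prefixes", []) if p.get("service") == service]
    # collapse_addresses takes one IP version per call; it merges duplicate
    # and adjacent subnets so the firewall gets the shortest rule list.
    merged = list(ipaddress.collapse_addresses(v4))
    merged += list(ipaddress.collapse_addresses(v6))
    return doc.get("syncToken"), merged


def is_covered(address, networks):
    """True if an IP (e.g. one your dashboard hostname resolves to) is allowed."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    token, allow = cloudfront_allowlist(SAMPLE)
    print("syncToken:", token)
    for net in allow:
        print(net, "-> allow outbound tcp/443")
```

To use real data, pass the contents of the downloaded ip-ranges.json file as raw; recording the syncToken lets you tell when a newer file has been published and the exception list needs regenerating.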

Some customers may have their servers managed via F5 Volterra; in that case, the IP ranges should be configured based on the following information: https://docs.cloud.f5.com/docs/reference/network-cloud-ref
