Insight Agent requirements - an overview

The Insight Agent has several system, network, and security policy requirements that must be satisfied to ensure your agent deployment functions as intended. These articles cover each of these requirements in detail.

Supported operating systems

The Insight Agent is supported on Microsoft Windows, macOS, and various Linux distributions. This page defines what official support means for the functions of the Insight Agent software and details the support schedules for specific operating system (OS) versions.

How OS supportability affects agent functionality

The Insight Agent software receives regular updates (including new features, improvements, and defect fixes) designed to maintain agent performance for all supported OS versions. Running the agent on a supported version ensures that the agent software continues to receive these updates. Rapid7’s Customer Support team can also assist with any questions and troubleshoot any issues that arise with agents installed on supported OS versions.

Insight Agents installed on unsupported OS versions will continue to perform their usual tasks, but will not receive any software updates. Customer Support is unable to help install agents on unsupported OS versions, nor can they troubleshoot any issues that arise with agents installed on those versions. Additionally, the Insight Agent will not collect any new data for the InsightVM vulnerability content. However, due to the large amount of data the Insight Agent already collects, InsightVM itself will continue to detect vulnerabilities on the old content as well as the majority of new vulnerability content.

Supported OS versions

Refer to these tables to view the OS versions that the Insight Agent currently supports and the End-Of-Life (EOL) schedule for each.

Microsoft Windows Desktop

The Insight Agent supports Windows Desktop versions deployed with the Long-Term Servicing Channel (LTSC) where indicated.

Additional Windows requirements for InsightIDR and InsightOps subscribers

If you are installing the Insight Agent on Windows assets for use with InsightIDR or InsightOps, make sure that the event log is enabled on your assets. Refer to our InsightIDR event source documentation for more information.

Name | Version | Build | Architecture | LTSC | EOL for Insight Agent Support
Windows 11 | 24H2 | 26100 | x86-64, ARM64 | Yes | Oct 10, 2034
Windows 11 | 23H2 | 22631 | x86-64, ARM64 | - | Sep 20, 2032
Windows 11 | 22H2 | 22621 | x86-64, ARM64 | - | Sep 20, 2032
Windows 11 | 21H2 | 22000 | x86-64, ARM64 | - | Jan 13, 2032
Windows 10 | 22H2 | 19045 | IA-32, x86-64 | - | Sep 20, 2032
Windows 10 | 21H2 | 19044 | IA-32, x86-64 | Yes | Jan 13, 2032
Windows 10 | 21H1 | 10.0.19043 | IA-32, x86-64 | - | Jan 9, 2029
Windows 10 | 20H2 | 10.0.19042 | IA-32, x86-64 | - | Jan 9, 2029
Windows 10 | 20H1 | 10.0.19041 | IA-32, x86-64 | - | Jan 9, 2029
Windows 10 | 19H2 | 10.0.18363 | IA-32, x86-64 | - | Jan 9, 2029
Windows 10 | 19H1 | 10.0.18362 | IA-32, x86-64 | - | Jan 9, 2029
Windows 10 | v1809 | 10.0.17763 | IA-32, x86-64 | Yes | Jan 9, 2029
Windows 10 | v1803 | 10.0.17134 | IA-32, x86-64 | - | Oct 13, 2026
Windows 10 | v1709 | 10.0.16299 | IA-32, x86-64 | - | Oct 13, 2026
Windows 10 | v1703 | 10.0.15063 | IA-32, x86-64 | - | Oct 13, 2026
Windows 10 | v1607 | 10.0.14393 | IA-32, x86-64 | Yes | Oct 13, 2026
Windows 10 | v1511 | 10.0.10586 | IA-32, x86-64 | - | Oct 14, 2025
Windows 10 | v1507 | 10.0.10240 | IA-32, x86-64 | Yes | Oct 14, 2025

Microsoft Windows Server

Additional Windows requirements for InsightIDR and InsightOps subscribers

If you are installing the Insight Agent on Windows assets for use with InsightIDR or InsightOps, make sure that the event log is enabled on your assets. Refer to our InsightIDR event source documentation for more information.

Name | EOL for Insight Agent Support
Windows Server 2025 | Oct 10, 2034
Windows Server 2022 | Oct 14, 2031
Windows Server 2019 | Jan 09, 2029
Windows Server 2016 | Jan 11, 2027

macOS

Name | Architecture | EOL for Insight Agent Support
macOS Ventura 13 | x86-64, ARM64 | On the release day of macOS 17 in Q3 of 2026
macOS Monterey 12 | x86-64, ARM64 | On the release day of macOS 16 in Q3 of 2025
macOS Big Sur 11 | x86-64, ARM64 | On the release day of macOS 15 in Q3 of 2024
macOS Catalina 10.15 | x86-64 | On the release day of macOS 14 in Q3 of 2023

Linux

Oracle Enterprise Linux compatibility

The Insight Agent does not support Oracle Enterprise Linux on the Unbreakable Enterprise Kernel (UEK).

Additional Linux requirements for InsightIDR subscribers

If you install the Insight Agent on Linux assets for use with InsightIDR, the auditd library must be present, but the service must be disabled. InsightIDR must have exclusive use of the auditd service in order to successfully run the agent.job.linux.ui_realtime job.

If your organization requires that auditd be enabled at all times, see the auditd Compatibility Mode for Linux Assets article for instructions on how to ensure that both the Insight Agent and auditd services can run together.

Distribution | Architecture | EOL for Insight Agent Support
Amazon Linux 2023 | x86-64, ARM64 | Dec 31, 2027
Amazon Linux 2 | x86-64, ARM64 | Jun 30, 2025
Amazon Linux 1 | x86-64 | Jun 30, 2023
Debian 11 | IA-32, x86-64, ARM64 | Jun 1, 2026
Debian 10 | IA-32, x86-64, ARM64 | Jun 1, 2024
Fedora 37 | x86-64 | Dec 12, 2023
Fedora 36 | x86-64 | May 16, 2023
Red Hat Enterprise Linux / Oracle Enterprise Linux / Rocky Linux 9.1 | x86-64 | May 31, 2034
Red Hat Enterprise Linux / Oracle Enterprise Linux / Rocky Linux 9.0 | x86-64 | May 31, 2034
Red Hat Enterprise Linux / Oracle Enterprise Linux / Rocky Linux 8.7 | x86-64, ARM64 | May 31, 2031
Red Hat Enterprise Linux / Oracle Enterprise Linux / Rocky Linux 8.6 | x86-64, ARM64 | May 31, 2031
Red Hat Enterprise Linux / Oracle Enterprise Linux / Rocky Linux 8.5 | x86-64, ARM64 | May 31, 2031
Red Hat Enterprise Linux / Oracle Enterprise Linux / Rocky Linux 8.4 | x86-64, ARM64 | May 31, 2031
Red Hat Enterprise Linux / Oracle Enterprise Linux / CentOS 8.3 | x86-64, ARM64 | May 31, 2031
Red Hat Enterprise Linux / Oracle Enterprise Linux / CentOS 8.2 | x86-64, ARM64 | May 31, 2031
Red Hat Enterprise Linux / Oracle Enterprise Linux / CentOS 8.1 | x86-64, ARM64 | May 31, 2031
Red Hat Enterprise Linux / Oracle Enterprise Linux / CentOS 8.0 | x86-64, ARM64 | May 31, 2031
Red Hat Enterprise Linux / Oracle Enterprise Linux / CentOS 7.0-7.9 | x86-64, ARM64 | Jun 30, 2025
Red Hat Enterprise Linux / Oracle Enterprise Linux / CentOS 6.0-6.10 | only x86-64 | Jun 30, 2024
SUSE Linux Enterprise Desktop 15 SP3 | x86-64 | Jan 31, 2023
SUSE Linux Enterprise Server 15 | x86-64, ARM64 | Jul 31, 2028
SUSE Linux Enterprise Server 12 | x86-64 | Oct 31, 2024
openSUSE LEAP 15.4 | x86-64, ARM64 | Nov 30, 2023
Ubuntu 23.04 | IA-32, x86-64, ARM64 | Jan 2, 2024
Ubuntu 22.04 | IA-32, x86-64, ARM64 | Apr 2, 2032
Ubuntu 20.04 | IA-32, x86-64, ARM64 | Apr 2, 2030
Ubuntu 18.04 | IA-32, x86-64, ARM64 | Apr 2, 2028
Ubuntu 16.04 | IA-32, x86-64 | Apr 2, 2026
Ubuntu 14.04 | IA-32, x86-64 | Apr 2, 2024

How to run the Insight Agent on an unsupported OS

If your organization has assets that run a version of an OS that is outside of what the Insight Agent currently supports, you can install an older, compatible version of the agent to maintain coverage. Check the unsupported OS versions table to determine the Insight Agent version range that applies to your assets, then refer to the Insight Agent Version History table to download legacy installers if they are available.

Unsupported OS versions

These tables contain the OS versions that the Insight Agent no longer supports.

Microsoft Windows Desktop

Name | Version | Architecture | Supported Insight Agent Version Range (Inclusive) | EOL for Insight Agent Support
Windows 8.1 | SP0, SP1 | IA-32, x86-64 | 1.4.7 through 3.2.5 | Jan 10, 2023
Windows 8 | SP0 | x86-32, x86-64 | 1.4.7 through 3.1.2 | Aug 13, 2021
Windows 7 | SP1 | x86-32, x86-64 | 1.4.7 through 3.1.2 | Aug 13, 2021
Windows 7 | SP0 | x86-32, x86-64 | 1.4.7 through 2.7.22 | Oct 14, 2020
Windows Vista | SP0-SP2 | x86-32, x86-64 | 1.4.7 through 2.7.22 | Aug 13, 2021
Windows XP | SP0-SP4 | x86-32, x86-64 | 1.4.7 through 2.7.22 | Jul 19, 2020

Microsoft Windows Server

Name | Supported Insight Agent Version Range (Inclusive) | EOL for Insight Agent Support
Windows Server 2012 R2 | 1.4.7 through 3.2.5 | Apr 10, 2023
Windows Server 2008 R2 | 1.4.7 through 3.1.2 | Aug 13, 2021
Windows Server 2008 | 1.4.7 through 2.7.22 | Aug 13, 2021
Windows Server 2003 | 1.4.7 through 2.7.22 | Dec 2, 2020

macOS

Name | Architecture | Supported Insight Agent Version Range (Inclusive) | EOL for Insight Agent Support
macOS Mojave 10.14 | x86-64 | 1.4.7 through 3.2.5 | Nov 15, 2022
macOS High Sierra 10.13 | x86-64 | 1.4.7 through 3.1.2 | Aug 13, 2021
macOS Sierra 10.12 | x86-64 | 1.4.7 through 3.1.2 | Aug 13, 2021
macOS El Capitan 10.11 | x86-64 | 1.4.7 through 3.1.1.9 | Aug 13, 2021

Linux

Distribution | Architecture | Supported Insight Agent Version Range (Inclusive) | EOL for Insight Agent Support
Debian 9 | x86-32, x86-64 | 1.4.7 through 3.2.5 | Jun 30, 2022
Debian 8 | x86-32, x86-64 | 1.4.7 through 3.1.2 | Aug 13, 2021
Debian 7 | x86-32, x86-64 | 1.4.7 through 2.7.22 | Aug 13, 2021
Debian 6 | x86-32, x86-64 | 1.4.7 through 2.7.22 | Aug 13, 2021
Debian 5 | x86-32, x86-64 | 1.4.7 through 2.7.22 | Aug 13, 2021
Fedora 35 | x86-32, x86-64 | 1.4.7 through 3.2.5 | Dec 12, 2022
Fedora 34 | x86-32, x86-64 | 1.4.7 through 3.2.5 | May 17, 2022
Fedora 33 | x86-32, x86-64 | 1.4.7 through 3.1.2 | Nov 30, 2021
Fedora 32 | x86-32, x86-64 | 1.4.7 through 3.1.2 | Nov 30, 2021
Red Hat Enterprise Linux / Oracle Enterprise Linux / CentOS 5 | x86-32, x86-64 | 1.4.7 through 3.1.1.9 | Aug 13, 2021
Red Hat Enterprise Linux / Oracle Enterprise Linux / CentOS 4 | x86-32, x86-64 | 1.4.7 through 2.7.22 | Aug 13, 2021
SUSE Linux Enterprise Server 11 | x86-32, x86-64 | 1.4.7 through 3.1.1 | Aug 13, 2021
openSUSE LEAP 15.3 | x86-64 | 1.4.7 through 3.2.5 | Nov 30, 2022
openSUSE 11 | x86-32, x86-64 | 1.4.7 through 3.1.1 | Aug 13, 2021
Ubuntu 22.10 | IA-32, x86-64, ARM64 | 1.4.7 through 3.3.1 | May 2, 2023
Ubuntu 21.10 | x86-32, x86-64 | 1.4.7 through 3.2.5 | Jul 31, 2022
Ubuntu 12.04 | x86-32, x86-64 | 1.4.7 through 3.1.2 | Aug 13, 2021
Ubuntu 11.04 | x86-32, x86-64 | 1.4.7 through 3.1.2 | Aug 13, 2021

FAQs

Can I install the Insight Agent on Docker containers?

The Insight Agent is not compatible with Docker containers. If you need a security solution for container deployment, see InsightCloudSec.

I have to run assets with legacy operating systems that are no longer supported by their vendor. Can I run an older agent version on them?

Yes, older versions of the Insight Agent are available for download.

Do I have to make changes to my agent if it is running on an OS version that is no longer supported?

No changes to the agent installation are required if your OS version is no longer supported, but be aware that the agent software will not receive any updates from that point on.

Where can I find more information and ask questions?

Check out the Rapid7 Discussion Forum to search for topics other community members have asked and answered, or feel free to share your own.

Network traffic and connectivity

In order for the Insight Agent to successfully transmit data between the asset on which it is installed and the Insight Platform, your network must allow communication with a variety of endpoints through specific network ports based on the Rapid7 data storage region to which your organization is subscribed. Additionally, your network must allow agent-related data in transit to reach the Insight Platform without undergoing decryption or any other process that modifies the data from the format Rapid7 services are expecting.

This article covers all network traffic and connectivity requirements you need to be aware of, along with other common network scenarios that could impact the functionality of your agent deployment.

Insight Agent data must be excluded from SSL decryption

If your network decrypts traffic in transit to perform deep packet inspection (DPI) using a transparent proxy, Insight Agent-related data must be excluded from this process.

The Insight Platform will only accept data transmitted by an Insight Agent if the data is accompanied by the X.509 certificate that the Insight Platform is expecting. DPI technologies often replace this certificate with their own as a final step before allowing traffic to continue to its destination. Without the original certificate, the Insight Platform will not accept the data.
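A pre-flight check for the exclusion described above, written as an added example (it is not Rapid7 code): it handshakes with each endpoint from the asset's network position and reports whether the certificate that arrives was issued by your inspection proxy. The issuer name in `INSPECTION_CA_NAMES` is a placeholder for your own proxy's signing CA, the sample certificates are constructed, and the host list is the Europe table from this page.

```python
import socket
import ssl

# Europe-region endpoints copied from the table on this page (port 443).
EU_ENDPOINTS = (
    "eu.endpoint.ingress.rapid7.com",
    "eu.storage.endpoint.ingress.rapid7.com",
    "eu.api.endpoint.ingress.rapid7.com",
    "eu.bootstrap.endpoint.ingress.rapid7.com",
    "eu.deployment.endpoint.ingress.rapid7.com",
    "eu.data.insight.rapid7.com",
    "eu.data.logs.insight.rapid7.com",
)

# Assumption: issuer names used by YOUR inspection proxy's CA (placeholder).
INSPECTION_CA_NAMES = {"Example Corp TLS Inspection CA"}

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_RESIGNED = {"issuer": ((("organizationName", "Example Corp"),),
                              (("commonName", "Example Corp TLS Inspection CA"),))}
SAMPLE_PASSTHROUGH = {"issuer": ((("organizationName", "Public CA Ltd"),),
                                 (("commonName", "Public CA Ltd RSA M01"),))}


def issuer_names(peercert):
    """Return the issuer's organizationName/commonName values, lower-cased."""
    names = set()
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key in ("organizationName", "commonName"):
                names.add(value.lower())
    return names


def classify(peercert, inspection_ca_names):
    """'re-signed' if the inspection CA issued the leaf, else 'passthrough'."""
    wanted = {name.lower() for name in inspection_ca_names}
    return "re-signed" if issuer_names(peercert) & wanted else "passthrough"


def probe(host, inspection_ca_names, port=443, timeout=5.0):
    """Handshake with one endpoint and report how its certificate arrived."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert(), inspection_ca_names)
    except ssl.SSLCertVerificationError:
        # The chain does not validate against the local trust store: an
        # inspection CA this host does not trust, or a broken chain.
        return "untrusted-chain"
    except OSError:
        # DNS failure, filtered port 443, timeout, or another TLS failure.
        return "unreachable"


def preflight(hosts, inspection_ca_names):
    """Map each endpoint to re-signed / passthrough / untrusted-chain / unreachable."""
    return {host: probe(host, inspection_ca_names) for host in hosts}


if __name__ == "__main__":
    for host, status in preflight(EU_ENDPOINTS, INSPECTION_CA_NAMES).items():
        print(f"{status:16} {host}")
```

Any endpoint reported as `re-signed` or `untrusted-chain` is still passing through the decrypting proxy and needs a bypass rule.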

Network traffic allowance requirements by region

The assets on which the Insight Agent is installed (or the proxy you configure to receive all agent-related traffic) must be able to communicate with several Insight Platform endpoints for the agent to function properly and power your Insight products. Consult the following data region tables for a breakdown on what endpoints need to be reachable.

If you deploy a network traffic filtering solution that supports wildcards, each table indicates an optional wildcard endpoint that can accommodate multiple endpoint traffic allowances if you want to simplify your configuration.

Support for alternative static IP addresses

Most, but not all, endpoints documented in these sections support static IP address alternatives. You can configure traffic rules for these IP addresses (if indicated) instead of doing so for the endpoint if you prefer.

Rapid7 does not plan on changing these IP addresses in the near future. If changes are required, we'll update this document and communicate the details on the Insight Agent release notes page.
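When rules are written against the static addresses rather than hostnames, an egress allowlist can be audited against them. The following is an added example, not Rapid7 tooling: it reports documented addresses that no rule fully covers and rules that match none of them. `DOCUMENTED` holds the Europe and United States - 1 values from the tables on this page; the rule lists passed to `audit` are whatever you export from your own firewall.

```python
import ipaddress

# Static addresses copied from this page's region tables.
DOCUMENTED = {
    "eu": ["3.120.196.152", "3.120.221.108", "18.192.78.218"],
    "us": ["34.226.68.35", "54.144.111.231", "52.203.25.223",
           "34.236.161.191", "193.149.136.0/24"],
}


def _covers(rule, net):
    # A rule covers a documented entry only if it contains ALL of it.
    return rule.version == net.version and net.subnet_of(rule)


def _touches(rule, net):
    # A rule is relevant if it overlaps a documented entry at all.
    return rule.version == net.version and rule.overlaps(net)


def audit(region, allow_rules):
    """Compare egress allow rules (IPs or CIDRs) with the documented addresses.

    Returns {"missing": documented entries no rule fully covers,
             "stale":   rules that overlap no documented entry}.
    """
    rules = [(r, ipaddress.ip_network(r, strict=False)) for r in allow_rules]
    needed = [(e, ipaddress.ip_network(e)) for e in DOCUMENTED[region]]
    missing = [e for e, net in needed
               if not any(_covers(rule, net) for _, rule in rules)]
    stale = [r for r, rule in rules
             if not any(_touches(rule, net) for _, net in needed)]
    return {"missing": missing, "stale": stale}


if __name__ == "__main__":
    # Constructed rule set: a /25 covers only half of the documented /24,
    # so the range is still reported as missing.
    sample_rules = ["34.224.0.0/12", "193.149.136.0/25",
                    "54.144.111.231", "52.203.25.223"]
    print(audit("us", sample_rules))
```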

United States - 1

All endpoints listed here must be reachable through port 443.

Optional wildcard | Endpoint | Description | Supported static IP addresses
*endpoint.ingress.rapid7.com | endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191
*endpoint.ingress.rapid7.com | us.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191
*endpoint.ingress.rapid7.com | us.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191
*endpoint.ingress.rapid7.com | us.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191
*endpoint.ingress.rapid7.com | us.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191
*endpoint.ingress.rapid7.com | us.main.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 193.149.136.0/24
*endpoint.ingress.rapid7.com | us.storage.main.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 193.149.136.0/24
*endpoint.ingress.rapid7.com | us.api.main.endpoint.ingress.rapid7.com | Insight Agent file uploads and beacons. | 193.149.136.0/24
*.insight.rapid7.com | data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None
*.insight.rapid7.com | us.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None
*.insight.rapid7.com | us.data.logs.insight.rapid7.com | Logs to InsightOps. | None

United States - 2

All endpoints listed here must be reachable through port 443.

Optional wildcard | Endpoint | Description | Supported static IP addresses
*.endpoint.ingress.rapid7.com | us2.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 13.58.19.32, 3.131.127.126, 3.139.243.230
*.endpoint.ingress.rapid7.com | us2.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 13.58.19.32, 3.131.127.126, 3.139.243.230
*.endpoint.ingress.rapid7.com | us2.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 13.58.19.32, 3.131.127.126, 3.139.243.230
*.endpoint.ingress.rapid7.com | us2.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 13.58.19.32, 3.131.127.126, 3.139.243.230
*.endpoint.ingress.rapid7.com | us2.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 13.58.19.32, 3.131.127.126, 3.139.243.230
*.insight.rapid7.com | us2.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None
*.insight.rapid7.com | us2.data.logs.insight.rapid7.com | Logs to InsightOps. | None

United States - 3

All endpoints listed here must be reachable through port 443.

Optional wildcard | Endpoint | Description | Supported static IP addresses
*.endpoint.ingress.rapid7.com | us3.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 44.242.59.199, 52.41.171.59, 54.213.168.123
*.endpoint.ingress.rapid7.com | us3.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 44.242.59.199, 52.41.171.59, 54.213.168.123
*.endpoint.ingress.rapid7.com | us3.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 44.242.59.199, 52.41.171.59, 54.213.168.123
*.endpoint.ingress.rapid7.com | us3.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 44.242.59.199, 52.41.171.59, 54.213.168.123
*.endpoint.ingress.rapid7.com | us3.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 44.242.59.199, 52.41.171.59, 54.213.168.123
*.insight.rapid7.com | us3.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None
*.insight.rapid7.com | us3.data.logs.insight.rapid7.com | Logs to InsightOps. | None

Europe

All endpoints listed here must be reachable through port 443.

Optional wildcard | Endpoint | Description | Supported static IP addresses
*.endpoint.ingress.rapid7.com | eu.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 3.120.196.152, 3.120.221.108, 18.192.78.218
*.endpoint.ingress.rapid7.com | eu.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 3.120.196.152, 3.120.221.108, 18.192.78.218
*.endpoint.ingress.rapid7.com | eu.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 3.120.196.152, 3.120.221.108, 18.192.78.218
*.endpoint.ingress.rapid7.com | eu.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 3.120.196.152, 3.120.221.108, 18.192.78.218
*.endpoint.ingress.rapid7.com | eu.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 3.120.196.152, 3.120.221.108, 18.192.78.218
*.insight.rapid7.com | eu.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None
*.insight.rapid7.com | eu.data.logs.insight.rapid7.com | Logs to InsightOps. | None

Canada

All endpoints listed here must be reachable through port 443.

Optional wildcard | Endpoint | Description | Supported static IP addresses
*.endpoint.ingress.rapid7.com | ca.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 52.60.40.157, 52.60.107.153
*.endpoint.ingress.rapid7.com | ca.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 52.60.40.157, 52.60.107.153
*.endpoint.ingress.rapid7.com | ca.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 52.60.40.157, 52.60.107.153
*.endpoint.ingress.rapid7.com | ca.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 52.60.40.157, 52.60.107.153
*.endpoint.ingress.rapid7.com | ca.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 52.60.40.157, 52.60.107.153
*.insight.rapid7.com | ca.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None
*.insight.rapid7.com | ca.data.logs.insight.rapid7.com | Logs to InsightOps. | None

Japan

All endpoints listed here must be reachable through port 443.

Optional wildcard | Endpoint | Description | Supported static IP addresses
*.endpoint.ingress.rapid7.com | ap.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 103.4.8.209, 18.182.167.99
*.endpoint.ingress.rapid7.com | ap.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 103.4.8.209, 18.182.167.99
*.endpoint.ingress.rapid7.com | ap.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 103.4.8.209, 18.182.167.99
*.endpoint.ingress.rapid7.com | ap.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 103.4.8.209, 18.182.167.99
*.endpoint.ingress.rapid7.com | ap.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 103.4.8.209, 18.182.167.99
*.insight.rapid7.com | ap.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None
*.insight.rapid7.com | ap.data.logs.insight.rapid7.com | Logs to InsightOps. | None

Australia

All endpoints listed here must be reachable through port 443.

Optional wildcard | Endpoint | Description | Supported static IP addresses
*.endpoint.ingress.rapid7.com | au.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 52.64.24.140, 13.55.81.47, 13.236.168.124
*.endpoint.ingress.rapid7.com | au.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 52.64.24.140, 13.55.81.47, 13.236.168.124
*.endpoint.ingress.rapid7.com | au.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 52.64.24.140, 13.55.81.47, 13.236.168.124
*.endpoint.ingress.rapid7.com | au.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 52.64.24.140, 13.55.81.47, 13.236.168.124
*.endpoint.ingress.rapid7.com | au.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 52.64.24.140, 13.55.81.47, 13.236.168.124
*.insight.rapid7.com | au.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None
*.insight.rapid7.com | au.data.logs.insight.rapid7.com | Logs to InsightOps. | None

Port requirements for assets when using Rapid7 Collectors as proxies

If you use the Rapid7 Collector as a proxy destination for Insight Agent traffic, your assets must also be allowed to communicate with your Collector host through these ports:

  • 5508 - Used for agent messages and beacons.
  • 6608 - Used for agent update requests and file uploads for collection.
  • 8037 - Used for agent messages and beacons.

Endpoint protection software exclusion

Endpoint Protection Software is an umbrella term for applications that can be deployed on endpoint devices to detect and block malicious activity from both trusted and untrusted applications.

Endpoint security applications (such as McAfee Threat Intelligence Exchange, CylancePROTECT, Carbon Black, and others) may flag, block, or delete the Insight Agent from your assets depending on your detection and response settings. To prevent this and ensure the successful operation of the Insight Agent, you have to allowlist the Agent in the Endpoint Protection Platform you have deployed in your environment.

Allowlist the Insight Agent within your Endpoint Protection Software

To allowlist the Insight Agent, navigate to your Endpoint Protection Platform and set up a path exclusion rule for the agent directory.

Your rule must accommodate all subdirectories contained in the agent installation path. The following paths show default agent installation locations by operating system:

  • Windows - C:\Program Files\Rapid7\Insight Agent\
  • Mac and Linux - /opt/rapid7/ir_agent/

How to allowlist Insight Agent in Carbon Black

  1. Log in to the Carbon Black Cloud Console and create a new Application Policy specifically for the Insight Agent.
  2. Ensure the new application path to the policy points to the correct installation location and includes all subdirectories. By default, the agent is installed under the following directories:
    • Windows - C:\Program Files\Rapid7\Insight Agent\
    • Mac and Linux - /opt/rapid7/ir_agent/
  3. After adding the Agent path, configure the Policy to bypass the Insight Agent directory altogether.

For more details, consult Carbon Black documentation.

How to allowlist Insight Agent in CylancePROTECT

  1. Log in to the CylancePROTECT Console and configure the Protection Settings for the devices you want to deploy the Agent to.
  2. Ensure the new protection settings folder exclusion points to the correct installation location and includes all subdirectories. By default, the agent is installed under the following directories:
    • Windows - C:\Program Files\Rapid7\Insight Agent\
    • Mac and Linux - /opt/rapid7/ir_agent/

For more details, consult CylancePROTECT documentation.

InsightIDR asset quarantine

The Insight Agent allows you to quarantine an asset in InsightIDR until you are able to resolve the investigation. This isolates the asset from all other network connections, except for connections to the Insight Platform and trusted services, such as DHCP. To ensure your quarantine actions are successful, you must properly configure your operating systems:

Linux/Unix Operating Systems

For Linux/Unix systems, you must enable iptables.

Windows Operating Systems

The Insight Agent uses the operating system’s local firewall service for the quarantine actions. To ensure that Insight Agent quarantine actions run successfully for Windows assets, the Insight Agent must be able to use the Windows Firewall service. Review the Firewall Group Policy settings for your organization to verify that you do not have the Windows Firewall service disabled. If you do have the Windows Firewall service disabled, you will need to set it to either Not Configured or On to be able to quarantine an asset with the Insight Agent.

Required Windows Firewall Settings for Insight Agent Quarantine Actions

These are the required Firewall Group Policy settings for all Domain/Private/Public/Standard profiles:

  • Firewall State - Not Configured or On
  • Allow local rule merge - Not Configured or Yes

You do not need to change the firewall settings for Inbound Connections or Outbound Connections.

Group Policy Management of Windows Firewall

Windows Firewall Service must be enabled and properly configured to ensure that the Insight Agent quarantine actions run successfully. If you have not previously configured Windows Firewall group policy for your domain, the quarantine will succeed. However, if your Windows Firewall Domain Policy is configured to turn the service off, the Agent quarantine will fail. To verify your Group Policy Management settings for Windows Firewall and Windows Defender Firewall, follow the instructions below.

Group Policy Management of Windows Firewall with Advanced Security

Verify that your group policy settings for Windows Firewall follow the requirements mentioned above. Use the tool you normally use to manage your global group policies to verify these settings.

  1. Open the Group Policy Management tool. Find the policy that you use to apply settings for the Windows Firewall service in your organization and edit the policy.
  2. Click Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security Settings folder > Windows Firewall with Advanced Security Settings.
  3. Click Windows Firewall Properties.
  4. Verify that the Firewall state is set to Not Configured or On for each profile: Domain/Private/Public/Standard.
  5. Under Settings, click Customize.
  6. Verify that "Apply local firewall rules" is set to Not Configured or Yes.
    • Click OK.
  7. Click Apply.

Group Policy Management of Windows Defender Firewall

Verify that your group policy settings for Windows Defender Firewall follow the requirements mentioned above. Ensure that all profiles are set to either Not Configured or Enabled.

  1. Open the Group Policy Management console.
  2. Click Policies > Administrative Templates > Network > Network Connections > Windows (Defender) Firewall > Domain/Private/Public/Standard Profile.
  3. Click Windows Firewall: Protect all network connections.
  4. Ensure that either Not Configured or Enabled is selected.