Insight Agent requirements - network traffic and connectivity

For the Insight Agent to transmit data between the asset on which it is installed and the Insight Platform, your network must allow communication with a set of endpoints over specific network ports, determined by the Rapid7 data storage region to which your organization is subscribed. Your network must also allow agent-related data in transit to reach the Insight Platform without undergoing decryption or any other process that modifies the data from the format Rapid7 services expect.

This article covers all network traffic and connectivity requirements you need to be aware of, along with other common network scenarios that could impact the functionality of your agent deployment.

Insight Agent data must be excluded from SSL decryption

If your network decrypts traffic in transit to perform deep packet inspection (DPI) using a transparent proxy, Insight Agent-related data must be excluded from this process.

The Insight Platform will only accept data transmitted by an Insight Agent if the data is accompanied by the X.509 certificate that the Insight Platform is expecting. DPI technologies often replace this certificate with their own as a final step before allowing traffic to continue to its destination. Without the original certificate, the Insight Platform will not accept the data.

Network traffic allowance requirements by region

The assets on which the Insight Agent is installed (or the proxy you configure to receive all agent-related traffic) must be able to communicate with several Insight Platform endpoints for the agent to function properly and power your Insight products. Consult the following data region tables for a breakdown of which endpoints need to be reachable.

If you deploy a network traffic filtering solution that supports wildcards, each table indicates an optional wildcard endpoint that can accommodate multiple endpoint traffic allowances if you want to simplify your configuration.
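The following added example (not Rapid7 code) audits a filtering policy against the United States - 1 endpoints listed in this article: it reports required hosts that no port 443 allow rule covers, and hosts that are allowed but missing from the SSL decryption exclusion list. The function names, the sample policy, and the wildcard semantics (a leading `*` is a plain suffix match, so `*.domain` does not cover the bare domain) are assumptions; check how your own filtering product interprets wildcards.

```python
# Hostnames copied from this article's "United States - 1" table (all on port 443).
REQUIRED_US1 = [
    "endpoint.ingress.rapid7.com",
    "us.storage.endpoint.ingress.rapid7.com",
    "us.api.endpoint.ingress.rapid7.com",
    "us.bootstrap.endpoint.ingress.rapid7.com",
    "us.deployment.endpoint.ingress.rapid7.com",
    "us.main.endpoint.ingress.rapid7.com",
    "us.storage.main.endpoint.ingress.rapid7.com",
    "us.api.main.endpoint.ingress.rapid7.com",
    "data.insight.rapid7.com",
    "us.data.insight.rapid7.com",
    "us.data.logs.insight.rapid7.com",
]

def pattern_matches(pattern, host):
    """Assumed semantics: a leading '*' means suffix match, anything else is exact."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*"):
        # "*.example.com" -> suffix ".example.com": bare "example.com" does NOT match.
        return host.endswith(pattern[1:])
    return host == pattern

def audit(allow_rules, decrypt_bypass, required=REQUIRED_US1, port=443):
    """Return (blocked, decrypted).

    blocked:   required hosts with no allow rule on `port`.
    decrypted: hosts that are allowed but not excluded from SSL decryption.
    """
    blocked, decrypted = [], []
    for host in required:
        allowed = any(p == port and pattern_matches(pat, host) for pat, p in allow_rules)
        if not allowed:
            blocked.append(host)
        elif not any(pattern_matches(pat, host) for pat in decrypt_bypass):
            decrypted.append(host)
    return blocked, decrypted

# Constructed sample policy (hypothetical, not from the article).
SAMPLE_ALLOW = [("*.endpoint.ingress.rapid7.com", 443), ("*.insight.rapid7.com", 443)]
SAMPLE_BYPASS = ["*.endpoint.ingress.rapid7.com"]

if __name__ == "__main__":
    blocked, decrypted = audit(SAMPLE_ALLOW, SAMPLE_BYPASS)
    print("No allow rule on 443:", blocked)
    print("Allowed but still subject to decryption:", decrypted)
```

With the sample policy, the bare `endpoint.ingress.rapid7.com` host is reported as blocked and the three `insight.rapid7.com` hosts are reported as still subject to decryption.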

Support for alternative static IP addresses

Most, but not all, endpoints documented in these sections support static IP address alternatives. You can configure traffic rules for these IP addresses (if indicated) instead of doing so for the endpoint if you prefer.

Rapid7 does not plan on changing these IP addresses in the near future. If changes are required, we'll update this document and communicate the details on the Insight Agent release notes page.

United States - 1

All endpoints listed here must be reachable through port 443.

| Optional wildcard | Endpoint | Description | Supported static IP addresses |
| --- | --- | --- | --- |
| *endpoint.ingress.rapid7.com | endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191 |
| " " | us.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191 |
| " " | us.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191 |
| " " | us.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191 |
| " " | us.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191 |
| " " | us.main.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 193.149.136.0/24 |
| " " | us.storage.main.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 193.149.136.0/24 |
| " " | us.api.main.endpoint.ingress.rapid7.com | Insight Agent file uploads and beacons. | 193.149.136.0/24 |
| *.insight.rapid7.com | data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| " " | us.data.insight.rapid7.com | " " | None |
| " " | us.data.logs.insight.rapid7.com | Logs to InsightOps. | None |

United States - 2

All endpoints listed here must be reachable through port 443.

| Optional wildcard | Endpoint | Description | Supported static IP addresses |
| --- | --- | --- | --- |
| *.endpoint.ingress.rapid7.com | us2.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 13.58.19.32, 3.131.127.126, 3.139.243.230 |
| " " | us2.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 13.58.19.32, 3.131.127.126, 3.139.243.230 |
| " " | us2.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 13.58.19.32, 3.131.127.126, 3.139.243.230 |
| " " | us2.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 13.58.19.32, 3.131.127.126, 3.139.243.230 |
| " " | us2.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 13.58.19.32, 3.131.127.126, 3.139.243.230 |
| *.insight.rapid7.com | us2.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| " " | us2.data.logs.insight.rapid7.com | Logs to InsightOps. | None |

United States - 3

All endpoints listed here must be reachable through port 443.

| Optional wildcard | Endpoint | Description | Supported static IP addresses |
| --- | --- | --- | --- |
| *.endpoint.ingress.rapid7.com | us3.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 44.242.59.199, 52.41.171.59, 54.213.168.123 |
| " " | us3.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 44.242.59.199, 52.41.171.59, 54.213.168.123 |
| " " | us3.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 44.242.59.199, 52.41.171.59, 54.213.168.123 |
| " " | us3.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 44.242.59.199, 52.41.171.59, 54.213.168.123 |
| " " | us3.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 44.242.59.199, 52.41.171.59, 54.213.168.123 |
| *.insight.rapid7.com | us3.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| " " | us3.data.logs.insight.rapid7.com | Logs to InsightOps. | None |

Europe

All endpoints listed here must be reachable through port 443.

| Optional wildcard | Endpoint | Description | Supported static IP addresses |
| --- | --- | --- | --- |
| *.endpoint.ingress.rapid7.com | eu.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 3.120.196.152, 3.120.221.108, 18.192.78.218 |
| " " | eu.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 3.120.196.152, 3.120.221.108, 18.192.78.218 |
| " " | eu.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 3.120.196.152, 3.120.221.108, 18.192.78.218 |
| " " | eu.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 3.120.196.152, 3.120.221.108, 18.192.78.218 |
| " " | eu.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 3.120.196.152, 3.120.221.108, 18.192.78.218 |
| *.insight.rapid7.com | eu.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| " " | eu.data.logs.insight.rapid7.com | Logs to InsightOps. | None |

Canada

All endpoints listed here must be reachable through port 443.

| Optional wildcard | Endpoint | Description | Supported static IP addresses |
| --- | --- | --- | --- |
| *.endpoint.ingress.rapid7.com | ca.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 52.60.40.157, 52.60.107.153 |
| " " | ca.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 52.60.40.157, 52.60.107.153 |
| " " | ca.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 52.60.40.157, 52.60.107.153 |
| " " | ca.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 52.60.40.157, 52.60.107.153 |
| " " | ca.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 52.60.40.157, 52.60.107.153 |
| *.insight.rapid7.com | ca.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| " " | ca.data.logs.insight.rapid7.com | Logs to InsightOps. | None |

Japan

All endpoints listed here must be reachable through port 443.

| Optional wildcard | Endpoint | Description | Supported static IP addresses |
| --- | --- | --- | --- |
| *.endpoint.ingress.rapid7.com | ap.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 103.4.8.209, 18.182.167.99 |
| " " | ap.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 103.4.8.209, 18.182.167.99 |
| " " | ap.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 103.4.8.209, 18.182.167.99 |
| " " | ap.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 103.4.8.209, 18.182.167.99 |
| " " | ap.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 103.4.8.209, 18.182.167.99 |
| *.insight.rapid7.com | ap.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| " " | ap.data.logs.insight.rapid7.com | Logs to InsightOps. | None |

Australia

All endpoints listed here must be reachable through port 443.

| Optional wildcard | Endpoint | Description | Supported static IP addresses |
| --- | --- | --- | --- |
| *.endpoint.ingress.rapid7.com | au.endpoint.ingress.rapid7.com | Insight Agent messages and beacons. | 52.64.24.140, 13.55.81.47, 13.236.168.124 |
| " " | au.storage.endpoint.ingress.rapid7.com | Insight Agent file uploads. | 52.64.24.140, 13.55.81.47, 13.236.168.124 |
| " " | au.api.endpoint.ingress.rapid7.com | Insight Agent messages, beacons, and file uploads. | 52.64.24.140, 13.55.81.47, 13.236.168.124 |
| " " | au.bootstrap.endpoint.ingress.rapid7.com | Updates for the Insight Agent software. | 52.64.24.140, 13.55.81.47, 13.236.168.124 |
| " " | au.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Insight Agent installations. | 52.64.24.140, 13.55.81.47, 13.236.168.124 |
| *.insight.rapid7.com | au.data.insight.rapid7.com | Insight Agent messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| " " | au.data.logs.insight.rapid7.com | Logs to InsightOps. | None |

Port requirements for assets when using Rapid7 Collectors as proxies

If you use the Rapid7 Collector as a proxy destination for Insight Agent traffic, your assets must also be allowed to communicate with your Collector host through these ports:

  • 5508 - Used for agent messages and beacons.
  • 6608 - Used for agent update requests and file uploads for collection.
  • 8037 - Used for agent messages and beacons.