Rapid7 Agent (Insight Agent) requirements - network traffic and connectivity

In order for the Rapid7 Agent (Insight Agent) to successfully transmit data between the asset on which it is installed and the Command Platform (Insight Platform), your network must allow communication with a variety of endpoints through specific network ports based on the Rapid7 data storage region to which your organization is subscribed. Additionally, your network must allow agent-related data in transit to reach the Command Platform (Insight Platform) without undergoing decryption or any other process that modifies the data from the format Rapid7 services are expecting.

This article covers all network traffic and connectivity requirements you need to be aware of, along with other common network scenarios that could impact the functionality of your agent deployment.

Rapid7 Agent (Insight Agent) data must be excluded from SSL decryption

If your network decrypts traffic in transit to perform deep packet inspection (DPI) using a transparent proxy, Rapid7 Agent (Insight Agent)-related data must be excluded from this process.

The Command Platform (Insight Platform) will only accept data transmitted by a Rapid7 Agent (Insight Agent) if the data is accompanied by the X.509 certificate that the Command Platform (Insight Platform) is expecting. DPI technologies often replace this certificate with their own as a final step before allowing traffic to continue to its destination. Without the original certificate, the Command Platform (Insight Platform) will not accept the data.

Network traffic allowance requirements by region

The assets on which the Rapid7 Agent (Insight Agent) is installed (or the proxy you configure to receive all agent-related traffic) must be able to communicate with several Command Platform (Insight Platform) endpoints for the agent to function properly and power your Rapid7 products. Consult the following data region tables for a breakdown of which endpoints need to be reachable.

If you deploy a network traffic filtering solution that supports wildcards, each table indicates an optional wildcard endpoint that can accommodate multiple endpoint traffic allowances if you want to simplify your configuration.

Support for alternative static IP addresses

Most, but not all, endpoints documented in these sections support static IP address alternatives. You can configure traffic rules for these IP addresses (if indicated) instead of doing so for the endpoint if you prefer.

Rapid7 does not plan on changing these IP addresses in the near future. If changes are required, we’ll update this document and communicate the details on the Command Platform Release Notes site.

United States - 1

All endpoints listed here must be reachable through port 443.

| Optional wildcard | Endpoint | Description | Supported static IP addresses |
|---|---|---|---|
| *endpoint.ingress.rapid7.com | endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191 |
| *endpoint.ingress.rapid7.com | us.storage.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191 |
| *endpoint.ingress.rapid7.com | us.api.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, and file uploads. | 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191 |
| *endpoint.ingress.rapid7.com | us.bootstrap.endpoint.ingress.rapid7.com | Updates for the Rapid7 Agent (Insight Agent) software. | 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191 |
| *endpoint.ingress.rapid7.com | us.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Rapid7 Agent (Insight Agent) installations. | 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191 |
| *endpoint.ingress.rapid7.com | us.main.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 193.149.136.0/24 |
| *endpoint.ingress.rapid7.com | us.storage.main.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 193.149.136.0/24 |
| *endpoint.ingress.rapid7.com | us.api.main.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads and beacons. | 193.149.136.0/24 |
| *.insight.rapid7.com | data.insight.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| *.insight.rapid7.com | us.data.insight.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| *.insight.rapid7.com | us.data.logs.insight.rapid7.com | Logs to Log Management (InsightOps). | None |

United States - 2

All endpoints listed here must be reachable through port 443.

| Optional wildcard | Endpoint | Description | Supported static IP addresses |
|---|---|---|---|
| *.endpoint.ingress.rapid7.com | us2.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 13.58.19.32, 3.131.127.126, 3.139.243.230 |
| *.endpoint.ingress.rapid7.com | us2.storage.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 13.58.19.32, 3.131.127.126, 3.139.243.230 |
| *.endpoint.ingress.rapid7.com | us2.api.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, and file uploads. | 13.58.19.32, 3.131.127.126, 3.139.243.230 |
| *.endpoint.ingress.rapid7.com | us2.bootstrap.endpoint.ingress.rapid7.com | Updates for the Rapid7 Agent (Insight Agent) software. | 13.58.19.32, 3.131.127.126, 3.139.243.230 |
| *.endpoint.ingress.rapid7.com | us2.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Rapid7 Agent (Insight Agent) installations. | 13.58.19.32, 3.131.127.126, 3.139.243.230 |
| *.insight.rapid7.com | us2.data.insight.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| *.insight.rapid7.com | us2.data.logs.insight.rapid7.com | Logs to Log Management (InsightOps). | None |

United States - 3

All endpoints listed here must be reachable through port 443.

| Optional wildcard | Endpoint | Description | Supported static IP addresses |
|---|---|---|---|
| *.endpoint.ingress.rapid7.com | us3.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 44.242.59.199, 52.41.171.59, 54.213.168.123 |
| *.endpoint.ingress.rapid7.com | us3.storage.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 44.242.59.199, 52.41.171.59, 54.213.168.123 |
| *.endpoint.ingress.rapid7.com | us3.api.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, and file uploads. | 44.242.59.199, 52.41.171.59, 54.213.168.123 |
| *.endpoint.ingress.rapid7.com | us3.bootstrap.endpoint.ingress.rapid7.com | Updates for the Rapid7 Agent (Insight Agent) software. | 44.242.59.199, 52.41.171.59, 54.213.168.123 |
| *.endpoint.ingress.rapid7.com | us3.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Rapid7 Agent (Insight Agent) installations. | 44.242.59.199, 52.41.171.59, 54.213.168.123 |
| *.insight.rapid7.com | us3.data.insight.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| *.insight.rapid7.com | us3.data.logs.insight.rapid7.com | Logs to Log Management (InsightOps). | None |

Europe

All endpoints listed here must be reachable through port 443.

| Optional wildcard | Endpoint | Description | Supported static IP addresses |
|---|---|---|---|
| *.endpoint.ingress.rapid7.com | eu.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 3.120.196.152, 3.120.221.108, 18.192.78.218 |
| *.endpoint.ingress.rapid7.com | eu.storage.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 3.120.196.152, 3.120.221.108, 18.192.78.218 |
| *.endpoint.ingress.rapid7.com | eu.api.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, and file uploads. | 3.120.196.152, 3.120.221.108, 18.192.78.218 |
| *.endpoint.ingress.rapid7.com | eu.bootstrap.endpoint.ingress.rapid7.com | Updates for the Rapid7 Agent (Insight Agent) software. | 3.120.196.152, 3.120.221.108, 18.192.78.218 |
| *.endpoint.ingress.rapid7.com | eu.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Rapid7 Agent (Insight Agent) installations. | 3.120.196.152, 3.120.221.108, 18.192.78.218 |
| *.insight.rapid7.com | eu.data.insight.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| *.insight.rapid7.com | eu.data.logs.insight.rapid7.com | Logs to Log Management (InsightOps). | None |

Canada

All endpoints listed here must be reachable through port 443.

| Optional wildcard | Endpoint | Description | Supported static IP addresses |
|---|---|---|---|
| *.endpoint.ingress.rapid7.com | ca.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 52.60.40.157, 52.60.107.153 |
| *.endpoint.ingress.rapid7.com | ca.storage.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 52.60.40.157, 52.60.107.153 |
| *.endpoint.ingress.rapid7.com | ca.api.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, and file uploads. | 52.60.40.157, 52.60.107.153 |
| *.endpoint.ingress.rapid7.com | ca.bootstrap.endpoint.ingress.rapid7.com | Updates for the Rapid7 Agent (Insight Agent) software. | 52.60.40.157, 52.60.107.153 |
| *.endpoint.ingress.rapid7.com | ca.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Rapid7 Agent (Insight Agent) installations. | 52.60.40.157, 52.60.107.153 |
| *.insight.rapid7.com | ca.data.insight.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| *.insight.rapid7.com | ca.data.logs.insight.rapid7.com | Logs to Log Management (InsightOps). | None |

Japan

All endpoints listed here must be reachable through port 443.

| Optional wildcard | Endpoint | Description | Supported static IP addresses |
|---|---|---|---|
| *.endpoint.ingress.rapid7.com | ap.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 103.4.8.209, 18.182.167.99 |
| *.endpoint.ingress.rapid7.com | ap.storage.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 103.4.8.209, 18.182.167.99 |
| *.endpoint.ingress.rapid7.com | ap.api.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, and file uploads. | 103.4.8.209, 18.182.167.99 |
| *.endpoint.ingress.rapid7.com | ap.bootstrap.endpoint.ingress.rapid7.com | Updates for the Rapid7 Agent (Insight Agent) software. | 103.4.8.209, 18.182.167.99 |
| *.endpoint.ingress.rapid7.com | ap.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Rapid7 Agent (Insight Agent) installations. | 103.4.8.209, 18.182.167.99 |
| *.insight.rapid7.com | ap.data.insight.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| *.insight.rapid7.com | ap.data.logs.insight.rapid7.com | Logs to Log Management (InsightOps). | None |

Australia

All endpoints listed here must be reachable through port 443.

| Optional wildcard | Endpoint | Description | Supported static IP addresses |
|---|---|---|---|
| *.endpoint.ingress.rapid7.com | au.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages and beacons. | 52.64.24.140, 13.55.81.47, 13.236.168.124 |
| *.endpoint.ingress.rapid7.com | au.storage.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) file uploads. | 52.64.24.140, 13.55.81.47, 13.236.168.124 |
| *.endpoint.ingress.rapid7.com | au.api.endpoint.ingress.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, and file uploads. | 52.64.24.140, 13.55.81.47, 13.236.168.124 |
| *.endpoint.ingress.rapid7.com | au.bootstrap.endpoint.ingress.rapid7.com | Updates for the Rapid7 Agent (Insight Agent) software. | 52.64.24.140, 13.55.81.47, 13.236.168.124 |
| *.endpoint.ingress.rapid7.com | au.deployment.endpoint.ingress.rapid7.com | Certificate files for token-based Rapid7 Agent (Insight Agent) installations. | 52.64.24.140, 13.55.81.47, 13.236.168.124 |
| *.insight.rapid7.com | au.data.insight.rapid7.com | Rapid7 Agent (Insight Agent) messages, beacons, update requests, and file uploads for collection using the Rapid7 Collector. | None |
| *.insight.rapid7.com | au.data.logs.insight.rapid7.com | Logs to Log Management (InsightOps). | None |
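
The following added example (not Rapid7 code) audits a draft allowlist against the United States - 1 endpoints before it is deployed, reporting every required endpoint that neither a hostname rule nor the listed static IP alternatives would admit. The function names and sample allowlists are constructed for illustration, and it assumes your filter matches wildcards glob-style, which varies by product.

```python
import fnmatch
import ipaddress

# Endpoints and static IP alternatives copied from the "United States - 1" table.
US1_IPS = ["34.226.68.35", "54.144.111.231", "52.203.25.223", "34.236.161.191"]
US1_MAIN = ["193.149.136.0/24"]
REQUIRED_US1 = {
    "endpoint.ingress.rapid7.com": US1_IPS,
    "us.storage.endpoint.ingress.rapid7.com": US1_IPS,
    "us.api.endpoint.ingress.rapid7.com": US1_IPS,
    "us.bootstrap.endpoint.ingress.rapid7.com": US1_IPS,
    "us.deployment.endpoint.ingress.rapid7.com": US1_IPS,
    "us.main.endpoint.ingress.rapid7.com": US1_MAIN,
    "us.storage.main.endpoint.ingress.rapid7.com": US1_MAIN,
    "us.api.main.endpoint.ingress.rapid7.com": US1_MAIN,
    "data.insight.rapid7.com": [],      # no static IP alternative listed
    "us.data.insight.rapid7.com": [],
    "us.data.logs.insight.rapid7.com": [],
}

def split_rules(rules):
    """Separate allowlist entries into hostname patterns and IP networks."""
    patterns, networks = [], []
    for rule in rules:
        try:
            networks.append(ipaddress.ip_network(rule, strict=False))
        except ValueError:
            patterns.append(rule.lower())
    return patterns, networks

def covered_by_ip(static_ips, networks):
    """True only if every static IP/CIDR of the endpoint is inside an allowed network."""
    targets = [ipaddress.ip_network(ip) for ip in static_ips]
    return bool(targets) and all(
        any(t.version == n.version and t.subnet_of(n) for n in networks)
        for t in targets)

def uncovered(required, rules):
    """Return required endpoints that neither a hostname rule nor IP rules allow."""
    patterns, networks = split_rules(rules)
    return [host for host, ips in required.items()
            if not any(fnmatch.fnmatchcase(host, p) for p in patterns)
            and not covered_by_ip(ips, networks)]

if __name__ == "__main__":
    # Constructed allowlists (assumption: the filter matches names glob-style).
    dotted = ["*.endpoint.ingress.rapid7.com", "*.insight.rapid7.com"]
    as_listed = ["*endpoint.ingress.rapid7.com", "*.insight.rapid7.com"]
    print("dotted wildcard misses:", uncovered(REQUIRED_US1, dotted))
    print("US-1 table wildcard misses:", uncovered(REQUIRED_US1, as_listed))
    print("IP-only rules miss:", uncovered(REQUIRED_US1, US1_IPS + US1_MAIN))
```

Under glob matching, the dot-prefixed wildcard leaves the bare `endpoint.ingress.rapid7.com` host unmatched, and IP-only rules cannot cover the `insight.rapid7.com` endpoints because the table lists no static IP addresses for them.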

Reserved CDN IP Addresses

The Rapid7 Agent (Insight Agent) can download updates and content from a Content Delivery Network (CDN) if allowed by your network. A CDN’s specialized infrastructure offers faster downloads than the Command Platform (Insight Platform) endpoints. If the Rapid7 Agent (Insight Agent) cannot reach the CDN for any reason, it will instead use the regional endpoints documented in the region requirements section.

The following IP addresses (all endpoints must be reachable through port 443) are reserved for Rapid7’s content delivery and are not region-dependent:


Port requirements for assets when using Rapid7 Collectors as proxies

If you use the Rapid7 Collector as a proxy destination for Rapid7 Agent (Insight Agent) traffic, your assets must also be allowed to communicate with your Collector host through these ports:

  • 5508 - Used for agent messages and beacons.
  • 6608 - Used for agent update requests and file uploads for collection.
  • 8037 - Used for agent messages and beacons.