Some of the features described in this topic are only available to participants in the ThreatSync+ NDR Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.
For users and endpoints to connect to WatchGuard Cloud, your network must allow connections to the URLs and IP ranges used by WatchGuard Cloud products and services.
Many, but not all, of these URLs and IP ranges are included as default exceptions in the Blocked Sites Exceptions list, and the WebBlocker and TLS Decryption exceptions lists for your WatchGuard Firebox.
WatchGuard Cloud operates in three regions. Region-specific URLs in this list include <region> where you must include one of these region codes:
- usa = NA / Americas region
- deu = EMEA region
- jpn = APAC region
This topic lists the host names and IP addresses required for connections from your network to different areas in WatchGuard Cloud:
- WatchGuard Cloud Platform
- Firebox
- Access Points
- AuthPoint
- WatchGuard Cloud URLs and Network Access Requirements
- WatchGuard Endpoint Security
- ThreatSync+ NDR
WatchGuard Cloud Platform
Connections are required to these host names to log in to and administer WatchGuard Cloud.
|
Feature or Function |
Host Names |
Ports |
|---|---|---|
| Public Login Page and User Interface |
cloud.watchguard.com <region>.cloud.watchguard.com login.cloud.watchguard.com login.watchguard.com wglogin.b2clogin.com guard.<region>.watchguard.com account.authpoint.watchguard.com |
TCP 443 |
| Public API |
api.<region>.cloud.watchguard.com |
TCP 443 |
| Cloud APIs and Dashboards |
guard.<region>.cloud.watchguard.com guardapi.<region>.cloud.watchguard.com guardapi.wess.<region>.cloud.watchguard.com guardapi.wifi.<region>.cloud.watchguard.com guardapi.threatsync.<region>.cloud.watchguard.com |
TCP 443 |
Notifications and Reports
Email notifications and reports from WatchGuard Cloud are sent from these systems.
|
Feature or Function |
From Address |
IP Addresses |
Ports |
|---|---|---|---|
|
WatchGuard Cloud Alerts and Reports |
usa Return-Path: *@cloud.watchguard.com From: [email protected] deu Return-Path: *@deu.cloud.watchguard.com From: [email protected] jpn Return-Path: *@jpn.cloud.watchguard.com From: [email protected] |
209.61.151.0/24, 166.78.68.0/22, 198.61.254.0/23,192.237.158.0/23, 23.253.182.0/23, 104.130.96.0/28, 146.20.113.0/24, 146.20.191.0/24, 159.135.224.0/20, 69.72.32.0/20, 104.130.122.0/23, 146.20.112.0/26, 161.38.192.0/20, 143.55.224.0/21, 143.55.232.0/22, 159.112.240.0/20 |
TCP 25 |
|
AuthPoint Activation Emails and Notifications |
usa Return-Path: *@cloud.watchguard.com From: [email protected] deu From: *@deu.cloud.watchguard.com jpn From: *@jpn.cloud.watchguard.com |
209.61.151.0/24, 166.78.68.0/22, 198.61.254.0/23,192.237.158.0/23, 23.253.182.0/23, 104.130.96.0/28, 146.20.113.0/24, 146.20.191.0/24, 159.135.224.0/20, 69.72.32.0/20, 104.130.122.0/23, 146.20.112.0/26, 161.38.192.0/20, 143.55.224.0/21, 143.55.232.0/22, 159.112.240.0/20 |
TCP 25 |
|
DNSWatch Alerts |
Return-Path: *@amazonses.com From: [email protected] |
DNSWatch alerts are delivered through the Amazon SES service. To see a full list of IP addresses, go to: https://aws.amazon.com/blogs/messaging-and-targeting/amazon-ses-ip-addresses/ |
TCP 25 |
|
Wi-Fi Cloud Alerts |
usa Return-Path: *@cloud.watchguard.com From: [email protected] deu From: *@deu.cloud.watchguard.com jpn From: *@jpn.cloud.watchguard.com |
209.61.151.0/24, 166.78.68.0/22, 198.61.254.0/23,192.237.158.0/23, 23.253.182.0/23, 104.130.96.0/28, 146.20.113.0/24, 146.20.191.0/24, 159.135.224.0/20, 69.72.32.0/20, 104.130.122.0/23, 146.20.112.0/26, 161.38.192.0/20, 143.55.224.0/21, 143.55.232.0/22, 159.112.240.0/20 |
TCP 25 |
|
Dark Web Scan Reports |
usa Return-Path: *@cloud.watchguard.com From: [email protected] deu From: *@deu.cloud.watchguard.com jpn From: *@jpn.cloud.watchguard.com |
209.61.151.0/24, 166.78.68.0/22, 198.61.254.0/23,192.237.158.0/23, 23.253.182.0/23, 104.130.96.0/28, 146.20.113.0/24, 146.20.191.0/24, 159.135.224.0/20, 69.72.32.0/20, 104.130.122.0/23, 146.20.112.0/26, 161.38.192.0/20, 143.55.224.0/21, 143.55.232.0/22, 159.112.240.0/20 |
TCP 25 |
Firebox
Connections are required to these host names for the Firebox to register with WatchGuard Cloud.
| Feature or Function | Host Names | Ports |
|---|---|---|
| WatchGuard Cloud Firebox Registration |
firebox.agent.watchguard.com firebox.<region>.agent.watchguard.com |
TCP 443 |
| WatchGuard Cloud Firebox Registration (for Fireware v12.2.1 and lower) |
firebox.watchguard.com |
TCP 8443 |
| DNSWatch Registration |
dnswatch.watchguard.com |
TCP 443 |
| WatchGuard Cloud |
usa
deu
jpn
|
TCP 443 |
Access Points
Connections are required to these host names for cloud-managed access points to connect to WatchGuard Cloud.
| Feature or Function | Host Names and IP Addresses | Ports |
|---|---|---|
| WatchGuard Cloud Registration |
accesspoint.agent.watchguard.com accesspoint.<region>.agent.watchguard.com |
TCP 443 |
| WatchGuard Cloud Communications | accesspoint.iot.<region>.cloud.watchguard.com | TCP 443 |
| Feature Key Updates | featurekeyapi.watchguard.io | TCP 443 |
| Firmware Updates | cdn.watchguard.com | TCP 443 |
| NTP Service |
pool.ntp.org |
UDP 123 |
| Connectivity and DNS check (Google public DNS server to confirm Internet connectivity and initial DNS lookups) |
8.8.8.8 |
ICMP |
| Connectivity check | google.com (this can include other regional domains or IP addresses) | TCP 80 |
| Diagnostic Tools (for connectivity tests and to retrieve IP address geolocation data) |
speedtest.net (this can include other regional domains, such as speedtest.[region], or ookla.[region]) ipinfo.io |
TCP 443 |
You cannot manage Wi-Fi 6 access points (AP130, AP330, AP430CR, and AP432) with the Gateway Wireless Controller on a Firebox or with Wi-Fi Cloud. You cannot use WatchGuard Cloud to manage previously released access points (AP120, AP125, AP225W, AP320, AP325, AP327X, AP420) that you managewith the Gateway Wireless Controller on a Firebox or with Wi-Fi Cloud.
AuthPoint
Gateway Services
Connections are required to these host names for AuthPoint to register and authenticate with WatchGuard Cloud.
| Feature or Function | Host Names | Ports |
|---|---|---|
|
Gateway Installation and Registration |
authpoint.agent.watchguard.com authpoint.<region>.agent.watchguard.com |
TCP 443 |
|
AuthPoint Gateway Service |
gateway.authpoint.<region>.cloud.watchguard.com gateway-agent.authpoint.cloud.watchguard.com gateway-agent.authpoint.<region>.cloud.watchguard.com For more information, go to About Gateways. |
TCP 443 |
|
AuthPoint ADFS Gateway |
adfs.authpoint.<region>.cloud.watchguard.com |
TCP 443 |
|
AuthPoint RADIUS Gateway |
radius.authpoint.<region>.cloud.watchguard.com |
TCP 443 |
| WatchGuard Cloud |
usa aidd27s0p51l6.iot.us-west-2.amazonaws.com aidd27s0p51l6-ats.iot.us-west-2.amazonaws.com deu aidd27s0p51l6.iot.eu-central-1.amazonaws.com aidd27s0p51l6-ats.iot.eu-central-1.amazonaws.com jpn aidd27s0p51l6.iot.ap-northeast-1.amazonaws.com aidd27s0p51l6-ats.iot.ap-northeast-1.amazonaws.com |
TCP 443 |
| Public Login Page and User Interface |
cloud.watchguard.com <region>.cloud.watchguard.com login.cloud.watchguard.com login.watchguard.com wglogin.b2clogin.com guard.<region>.watchguard.com account.authpoint.watchguard.com |
TCP 443 |
| Public API | api.<region>.cloud.watchguard.com | TCP 443 |
| Cloud APIs and Dashboards |
guard.<region>.cloud.watchguard.com guardapi.<region>.cloud.watchguard.com guardapi.wess.<region>.cloud.watchguard.com guardapi.wifi.<region>.cloud.watchguard.com guardapi.threatsync.<region>.cloud.watchguard.com |
TCP 443 |
AuthPoint Features
Connections are required to these host names for AuthPoint features and functions.
| Feature or Function | Host Names | Ports |
|---|---|---|
| IdP Portal and Set User Password |
authpoint.watchguard.com <region>.authpoint.watchguard.com sp.authpoint.<region>.cloud.watchguard.com |
TCP 443 |
|
Self Service Portal |
selfserviceportal.authpoint.<region>.cloud.watchguard.com |
TCP 443 |
| Alias of IdP Portal |
account.authpoint.watchguard.com |
TCP 443 |
| Get SAML Metadata Endpoint |
saml.metadata.authpoint.<region>.cloud.watchguard.com |
TCP 443 |
|
Set User Password, Token Activation, Migration, and Sync |
auth-management.authpoint.<region>.cloud.watchguard.com |
TCP 443 |
|
Logon App |
policies.authpoint.<region>.cloud.watchguard.com desktop.authpoint.<region>.cloud.watchguard.com |
TCP 443 |
| AuthPoint Browser Extension / AuthPoint Password Manager |
api.<region>.credentialmgmt.watchguard.com cdn.<region>.credentialmgmt.watchguard.com auth-management.authpoint.<region>.cloud.watchguard.com vault-session.authpoint.<region>.cloud.watchguard.com |
TCP 443 |
AuthPoint Azure AD Integration
Connections to these IP addresses are required for WatchGuard Cloud to communicate with Azure AD.
| Feature or Function | IP Addresses | Ports |
|---|---|---|
| Azure AD |
us-west-2 34.218.136.36 eu-central-1 18.196.254.65 ap-northeast-1 13.114.41.102 |
TCP 443 |
AuthPoint Mobile App
Connections are required to these host names for the AuthPoint mobile app to connect to WatchGuard Cloud.
| Feature or Function | Host Names | Ports |
|---|---|---|
| Login |
device.authpoint.<region>.cloud.watchguard.com auth-management.authpoint.<region>.cloud.watchguard.com |
TCP 443 |
| Total Identity Security Password Manager |
api.<region>.credentialmgmt.watchguard.com cdn.<region>.credentialmgmt.watchguard.com vault-session.authpoint.<region>.cloud.watchguard.com auth-management.authpoint.<region>.cloud.watchguard.com |
TCP 443 |
| Notifications |
devicenotification.authpoint.<region>.cloud.watchguard.com mobileservice.authpoint.<region>.cloud.watchguard.com |
TCP 443 |
|
Token Activation for New User or New Token |
dskpp.authpoint.<region>.cloud.watchguard.com |
TCP 443 |
The AuthPoint mobile app uses ports to connect to Apple and Google servers for push authentication. To make sure that users on your network can approve AuthPoint push authentication requests, configure your Firebox or other network firewall to allow outbound connections on these ports:
- iOS: TCP ports 5223, 2195-2196, and 443
- Android: TCP ports 5228-5230, and 443
WatchGuard Cloud Branding
Connections are required to these host names to show custom branding images for the AuthPoint mobile app and SAML IDP portal.
| Feature or Function | Host Names | Ports |
|---|---|---|
| Branding |
usa prod-us-west-2-wgc-custom-branding-mw-s3.s3.amazonaws.com deu prod-eu-central-1-wgc-custom-branding-mw-s3.s3.amazonaws.com jpn prod-ap-northeastl-1-wgc-custom-branding-mw-s3.s3.amazonaws.com |
TCP 443 |
DNSWatchGO Client
Connections are required to these host names for DNSwatchGO clients to register and communicate with WatchGuard Cloud.
| Feature or Function | Host Names | Ports |
|---|---|---|
| Registration and Communication | client-api.dnswatch.watchguard.com | TCP 443 |
WatchGuard Endpoint Security
Connections are required to these host names for WatchGuard Endpoint Security products and modules to connect to WatchGuard Cloud through your firewall.
| Feature or Function | Host Names | Ports |
|---|---|---|
| Communications Agent |
*.pandasecurity.com *.pandasoftware.com *.windows.net |
TCP 443 TCP 80 |
| Anti-spam and URL Filtering on v8.00.18.0002 and lower^ |
*.ctmail.com |
TCP 443 |
| Remote Access | *.rc.pandasecurity.com |
TCP 443 TCP 8080 |
| URL Filtering | rp.cloud.threatseeker.com |
TCP 443 |
| Patch Management |
content.ivanti.com application.ivanti.com |
TCP 443 |
| Advanced Visualization |
*.pandasecurity.devo.com |
TCP 443 |
| Root Certificate Verification |
*.globalsign.net *.globalsign.com *.digicert.com |
TCP 443 |
^Fireware v11.12 to Fireware v12.5.3 include a default blocked sites exception for *.ctmail.com to allow connections from the Firebox to the spamBlocker servers. If your configuration already includes this default exception, you do not have to add it again.
The WatchGuard Mobile Security app uses the Apple Push Notification service to communicate with the software. For more information, go to this Knowledge Base article (external link).
ThreatSync+ NDR
The ThreatSync+ NDR Collection Agent receives log data from switches and routers in your network and sends the data to WatchGuard Cloud.
The ThreatSync+ NDR Collection Agent listens on:
- Port 2055 for NetFlow log data from endpoints.
- Port 6343 for sFlow log data from endpoints.
- Port 514 for DHCP log data from the Windows Log Agent.
Connections to these IP addresses are required for WatchGuard Cloud to communicate with the agent API for ThreatSync+ NDR.
| Feature or Function | IP Addresses | Ports |
|---|---|---|
| Agent API |
https://agentapi.ndr.<region>.cloud.watchguard.com/ |
TCP 443 |
URLs Used by WatchGuard Cloud Services (external Knowledge Base article)
URLs Used by Panda and WatchGuard Endpoint Security Products (external Knowledge Base article)
Get Started — Add a Device to WatchGuard Cloud
Quick Start — Set Up AuthPoint