WatchGuard Cloud URLs and Network Access Requirements
For users and endpoints to connect to WatchGuard Cloud, your network must allow connections to the URLs and IP ranges used by WatchGuard Cloud products and services.
Many, but not all, of these URLs and IP ranges are included as default exceptions in the Blocked Sites Exceptions list as well as WebBlocker and TLS Decryption exceptions lists for your WatchGuard Firebox.
WatchGuard Cloud operates in three regions. Region-specific URLs in this list include <region>, which you must replace with one of these region codes:
- usa = NA / Americas region
- deu = EMEA region
- jpn = APAC region
This topic lists the host names and IP addresses required for connections from your network to different areas in WatchGuard Cloud:
- WatchGuard Cloud Platform
- Firebox
- Access Points
- AuthPoint
- FireCloud
- WatchGuard Cloud URLs and Network Access Requirements
- WatchGuard Endpoint Security
- ThreatSync+ NDR
WatchGuard Cloud Platform
Connections are required to these host names to log in to and administer WatchGuard Cloud.
Feature or Function | Host Names | Ports |
---|---|---|
Public Login Page and User Interface | cloud.watchguard.com, <region>.cloud.watchguard.com, login.cloud.watchguard.com, login.watchguard.com, wglogin.b2clogin.com, guard.<region>.watchguard.com, account.authpoint.watchguard.com | TCP 443 |
Public API | api.<region>.cloud.watchguard.com | TCP 443 |
Cloud APIs and Dashboards | guard.<region>.cloud.watchguard.com, guardapi.<region>.cloud.watchguard.com, guardapi.wess.<region>.cloud.watchguard.com, guardapi.wifi.<region>.cloud.watchguard.com, guardapi.threatsync.<region>.cloud.watchguard.com, guardapi.ndr.<region>.cloud.watchguard.com | TCP 443 |
Directories and Domain Services
Connections are required to these addresses for the WatchGuard endpoint agent to sync Active Directory and LDAP users to Directories and Domain Services in WatchGuard Cloud.
Feature or Function | From Address | Ports |
---|---|---|
Active Directory User Sync | unifiedid.iot.<region>.cloud.watchguard.com | TCP 8883 |
Notifications and Reports
Email notifications and reports from WatchGuard Cloud are sent from these systems.
Feature or Function | From Address | IP Addresses | Ports |
---|---|---|---|
WatchGuard Cloud Alerts and Reports | usa: Return-Path: *@cloud.watchguard.com, From: [email protected]; deu: Return-Path: *@deu.cloud.watchguard.com, From: [email protected]; jpn: Return-Path: *@jpn.cloud.watchguard.com, From: [email protected] | 209.61.151.0/24, 166.78.68.0/22, 198.61.254.0/23, 192.237.158.0/23, 23.253.182.0/23, 104.130.96.0/28, 146.20.113.0/24, 146.20.191.0/24, 159.135.224.0/20, 69.72.32.0/20, 104.130.122.0/23, 146.20.112.0/26, 161.38.192.0/20, 143.55.224.0/21, 143.55.232.0/22, 159.112.240.0/20 | TCP 25 |
AuthPoint Activation Emails and Notifications | usa: Return-Path: *@cloud.watchguard.com, From: [email protected]; deu: From: *@deu.cloud.watchguard.com; jpn: From: *@jpn.cloud.watchguard.com | 209.61.151.0/24, 166.78.68.0/22, 198.61.254.0/23, 192.237.158.0/23, 23.253.182.0/23, 104.130.96.0/28, 146.20.113.0/24, 146.20.191.0/24, 159.135.224.0/20, 69.72.32.0/20, 104.130.122.0/23, 146.20.112.0/26, 161.38.192.0/20, 143.55.224.0/21, 143.55.232.0/22, 159.112.240.0/20 | TCP 25 |
DNSWatch Alerts | Return-Path: *@amazonses.com, From: [email protected] | DNSWatch alerts are delivered through the Amazon SES service. For a full list of IP addresses, go to: https://aws.amazon.com/blogs/messaging-and-targeting/amazon-ses-ip-addresses/ | TCP 25 |
Wi-Fi Cloud Alerts | usa: Return-Path: *@cloud.watchguard.com, From: [email protected]; deu: From: *@deu.cloud.watchguard.com; jpn: From: *@jpn.cloud.watchguard.com | 209.61.151.0/24, 166.78.68.0/22, 198.61.254.0/23, 192.237.158.0/23, 23.253.182.0/23, 104.130.96.0/28, 146.20.113.0/24, 146.20.191.0/24, 159.135.224.0/20, 69.72.32.0/20, 104.130.122.0/23, 146.20.112.0/26, 161.38.192.0/20, 143.55.224.0/21, 143.55.232.0/22, 159.112.240.0/20 | TCP 25 |
Dark Web Scan Reports | usa: Return-Path: *@cloud.watchguard.com, From: [email protected]; deu: From: *@deu.cloud.watchguard.com; jpn: From: *@jpn.cloud.watchguard.com | 209.61.151.0/24, 166.78.68.0/22, 198.61.254.0/23, 192.237.158.0/23, 23.253.182.0/23, 104.130.96.0/28, 146.20.113.0/24, 146.20.191.0/24, 159.135.224.0/20, 69.72.32.0/20, 104.130.122.0/23, 146.20.112.0/26, 161.38.192.0/20, 143.55.224.0/21, 143.55.232.0/22, 159.112.240.0/20 | TCP 25 |
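The region placeholder and the notification sender ranges above can be turned into a concrete allowlist check. This is an added example, not WatchGuard code: the helper names `expand_hosts` and `sender_allowed` are hypothetical, and the host templates, Return-Path domains and CIDR ranges are copied from the tables on this page.

```python
import ipaddress

REGIONS = ("usa", "deu", "jpn")

# Host name templates copied from the WatchGuard Cloud Platform table on this page.
PLATFORM_HOSTS = [
    "cloud.watchguard.com", "<region>.cloud.watchguard.com",
    "login.cloud.watchguard.com", "login.watchguard.com",
    "wglogin.b2clogin.com", "guard.<region>.watchguard.com",
    "account.authpoint.watchguard.com", "api.<region>.cloud.watchguard.com",
    "guard.<region>.cloud.watchguard.com", "guardapi.<region>.cloud.watchguard.com",
]

# Sender ranges copied from the WatchGuard Cloud Alerts and Reports row.
SENDER_RANGES = [ipaddress.ip_network(n) for n in (
    "209.61.151.0/24 166.78.68.0/22 198.61.254.0/23 192.237.158.0/23 "
    "23.253.182.0/23 104.130.96.0/28 146.20.113.0/24 146.20.191.0/24 "
    "159.135.224.0/20 69.72.32.0/20 104.130.122.0/23 146.20.112.0/26 "
    "161.38.192.0/20 143.55.224.0/21 143.55.232.0/22 159.112.240.0/20"
).split()]

# Return-Path domain per region, from the same row.
RETURN_PATH_DOMAIN = {
    "usa": "cloud.watchguard.com",
    "deu": "deu.cloud.watchguard.com",
    "jpn": "jpn.cloud.watchguard.com",
}


def expand_hosts(templates, region):
    """Replace <region> with a valid region code; reject unknown codes."""
    if region not in REGIONS:
        raise ValueError(f"unknown region code: {region!r}")
    return sorted({t.replace("<region>", region) for t in templates})


def sender_allowed(region, return_path, source_ip):
    """True only if the envelope domain and the source IP both match the page."""
    domain = return_path.rsplit("@", 1)[-1].lower().rstrip(">")
    addr = ipaddress.ip_address(source_ip)
    in_range = any(addr in net for net in SENDER_RANGES)
    return domain == RETURN_PATH_DOMAIN[region] and in_range
```

`expand_hosts` fails closed on a mistyped region code instead of emitting a rule with a literal `<region>` in it, and `sender_allowed` requires both the regional Return-Path domain and a source address inside the listed ranges.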
Firebox
Connections are required to these host names for the Firebox to register and communicate with WatchGuard Cloud.
Feature or Function | Host Names | Ports |
---|---|---|
WatchGuard Cloud Firebox Registration | firebox.agent.watchguard.com, firebox.<region>.agent.watchguard.com | TCP 443 |
WatchGuard Cloud Firebox Registration (for Fireware v12.2.1 and lower) | firebox.watchguard.com | TCP 8443 |
WatchGuard Cloud | usa deu jpn | TCP 443 |
Subscription Service Signature Updates (including Microsoft 365 alias updates) | services.watchguard.com, cdn.watchguard.com | TCP 433, TCP 80 |
SpamBlocker | global: glb-api.mailscan.cloudfilter.net; america: us-api.mailscan.cloudfilter.net; emea: eu-api.mailscan.cloudfilter.net; apac: jp-api.mailscan.cloudfilter.net | TCP 443 |
WebBlocker Cloud | rp.cloud.threatseeker.com | TCP 443 |
APT Blocker | global: sps.api.cloud.watchguard.com; deu: sps.api.deu.cloud.watchguard.com. For more information, go to Configure APT Blocker Advanced Settings. | TCP 443 |
DNSWatch Registration | dnswatch.watchguard.com | TCP 443 |
Metadata Services | ask.watchguard.com, feedback.watchguard.com | TCP 443 |
Feature Key Updates | ask.watchguard.com | TCP 443 |
Fault Report Submission | feedback.watchguard.com | TCP 443 |
Firebox Upgrades (initiated from Fireware Web UI or WatchGuard Cloud) | ask.watchguard.com, cdn.watchguard.com | TCP 443, TCP 80 |
CA Certificate Updates | ask.watchguard.com, cdn.watchguard.com | TCP 443, TCP 80 |
SpamBlocker regions differ from WatchGuard Cloud regions. SpamBlocker uses geolocation data, and WatchGuard Cloud uses registration data to determine regions.
Access Points
Connections are required to these host names for cloud-managed access points to connect to WatchGuard Cloud.
Feature or Function | Host Names and IP Addresses | Ports |
---|---|---|
WatchGuard Cloud Registration | accesspoint.agent.watchguard.com, accesspoint.<region>.agent.watchguard.com | TCP 443 |
WatchGuard Cloud Communications | accesspoint.iot.<region>.cloud.watchguard.com | TCP 443 |
Feature Key Updates | featurekeyapi.watchguard.io | TCP 443 |
Firmware Updates | cdn.watchguard.com | TCP 443 |
NTP Service | pool.ntp.org | UDP 123 |
Connectivity and DNS Check (Google public DNS server to confirm Internet connectivity and initial DNS lookups) | 8.8.8.8 | ICMP |
Connectivity Check | google.com (This can include other regional domains or IP addresses.) | TCP 80 |
Diagnostic Tools (for connectivity tests and to retrieve IP address geolocation data) | speedtest.net (This can include other regional domains, such as speedtest.[region], or ookla.[region].), ipinfo.io | TCP 443 |
You cannot manage the new Wi-Fi 6 access points (AP130, AP230W, AP330, AP332CR, AP430CR, and AP432) with the Gateway Wireless Controller on a Firebox or with Wi-Fi Cloud. You cannot use WatchGuard Cloud to manage previously released access points (AP125, AP225W, AP325, AP327X, AP420) that are currently managed by the Gateway Wireless Controller on a Firebox or with Wi-Fi Cloud.
AuthPoint
Gateway Services
Connections are required to these host names for AuthPoint to register and authenticate with WatchGuard Cloud.
Feature or Function | Host Names | Ports |
---|---|---|
Gateway Installation and Registration | authpoint.agent.watchguard.com, authpoint.<region>.agent.watchguard.com | TCP 443 |
AuthPoint Gateway Service | gateway.authpoint.<region>.cloud.watchguard.com, gateway-agent.authpoint.cloud.watchguard.com, gateway-agent.authpoint.<region>.cloud.watchguard.com. For more information, go to About Gateways. | TCP 443 |
AuthPoint ADFS Gateway | adfs.authpoint.<region>.cloud.watchguard.com | TCP 443 |
AuthPoint RADIUS Gateway | radius.authpoint.<region>.cloud.watchguard.com | TCP 443 |
WatchGuard Cloud | usa: aidd27s0p51l6.iot.us-west-2.amazonaws.com, aidd27s0p51l6-ats.iot.us-west-2.amazonaws.com; deu: aidd27s0p51l6.iot.eu-central-1.amazonaws.com, aidd27s0p51l6-ats.iot.eu-central-1.amazonaws.com; jpn: aidd27s0p51l6.iot.ap-northeast-1.amazonaws.com, aidd27s0p51l6-ats.iot.ap-northeast-1.amazonaws.com | TCP 443 |
Public Login Page and User Interface | cloud.watchguard.com, <region>.cloud.watchguard.com, login.cloud.watchguard.com, login.watchguard.com, wglogin.b2clogin.com, guard.<region>.watchguard.com, account.authpoint.watchguard.com | TCP 443 |
Public API | api.<region>.cloud.watchguard.com | TCP 443 |
Cloud APIs and Dashboards | guard.<region>.cloud.watchguard.com, guardapi.<region>.cloud.watchguard.com, guardapi.wess.<region>.cloud.watchguard.com, guardapi.wifi.<region>.cloud.watchguard.com, guardapi.threatsync.<region>.cloud.watchguard.com | TCP 443 |
AuthPoint Features
Connections are required to these host names for AuthPoint features and functions.
Feature or Function | Host Names | Ports |
---|---|---|
IdP Portal and Set User Password | authpoint.watchguard.com, <region>.authpoint.watchguard.com, sp.authpoint.<region>.cloud.watchguard.com | TCP 443 |
Self Service Portal | selfserviceportal.authpoint.<region>.cloud.watchguard.com | TCP 443 |
Alias of IdP Portal | account.authpoint.watchguard.com | TCP 443 |
Get SAML Metadata Endpoint | saml.metadata.authpoint.<region>.cloud.watchguard.com | TCP 443 |
Set User Password, Token Activation, Migration, and Sync | auth-management.authpoint.<region>.cloud.watchguard.com | TCP 443 |
Logon App | policies.authpoint.<region>.cloud.watchguard.com, desktop.authpoint.<region>.cloud.watchguard.com | TCP 443 |
AuthPoint Browser Extension / AuthPoint Password Manager | api.<region>.credentialmgmt.watchguard.com, cdn.<region>.credentialmgmt.watchguard.com, auth-management.authpoint.<region>.cloud.watchguard.com, vault-session.authpoint.<region>.cloud.watchguard.com | TCP 443 |
AuthPoint Azure AD Integration
Connections to these IP addresses are required for WatchGuard Cloud to communicate with Azure AD.
Feature or Function | IP Addresses | Ports |
---|---|---|
Azure AD | usa: 34.218.136.36, 54.202.225.225, 52.39.246.186, 3.208.106.144, 98.80.113.211; deu: 18.196.254.65, 18.199.137.117, 3.120.90.84, 54.76.35.136, 63.35.23.23; jpn: 13.114.41.102, 52.195.130.7, 35.73.165.176, 13.214.226.176, 13.228.175.64 | TCP 443 |
AuthPoint Mobile App
Connections are required to these host names for the AuthPoint mobile app to connect to WatchGuard Cloud.
Feature or Function | Host Names | Ports |
---|---|---|
Login | device.authpoint.<region>.cloud.watchguard.com, auth-management.authpoint.<region>.cloud.watchguard.com | TCP 443 |
Total Identity Security Password Manager | api.<region>.credentialmgmt.watchguard.com, cdn.<region>.credentialmgmt.watchguard.com, vault-session.authpoint.<region>.cloud.watchguard.com, auth-management.authpoint.<region>.cloud.watchguard.com | TCP 443 |
Notifications | devicenotification.authpoint.<region>.cloud.watchguard.com, mobileservice.authpoint.<region>.cloud.watchguard.com | TCP 443 |
Token Activation for New User or New Token | dskpp.authpoint.<region>.cloud.watchguard.com | TCP 443 |
The AuthPoint mobile app uses ports to connect to Apple and Google servers for push authentication. To make sure that users on your network can approve AuthPoint push authentication requests, configure your Firebox or other network firewall to allow outbound connections on these ports:
- iOS: TCP ports 5223, 2195-2196, and 443
- Android: TCP ports 5228-5230, and 443
FireCloud
Feature or Function | From Address | Ports |
---|---|---|
WatchGuard Connection Manager | https://authsvc.firecloud.region.cloud.watchguard.com, https://amer.sso.authpoint.watchguard.com, https://emea.sso.authpoint.watchguard.com, https://apac.sso.authpoint.watchguard.com | TCP 443 |
FireCloud Connection Manager | IP address of the closest point of presence (PoP) | UDP 4500 |
WatchGuard Cloud Branding
Connections are required to these host names to show custom branding images for the AuthPoint mobile app and SAML IDP portal.
Feature or Function | Host Names | Ports |
---|---|---|
Branding | usa: prod-us-west-2-wgc-custom-branding-mw-s3.s3.amazonaws.com; deu: prod-eu-central-1-wgc-custom-branding-mw-s3.s3.amazonaws.com; jpn: prod-ap-northeastl-1-wgc-custom-branding-mw-s3.s3.amazonaws.com | TCP 443 |
DNSWatchGO Client
Connections are required to these host names for DNSWatchGO clients to register and communicate with WatchGuard Cloud.
Feature or Function | Host Names | Ports |
---|---|---|
Registration and Communication | client-api.dnswatch.watchguard.com | TCP 443 |
WatchGuard Endpoint Security
Connections are required to these host names for Endpoint Security products and modules to connect to WatchGuard Cloud through your firewall.
Feature or Function | Host Names | Ports |
---|---|---|
Communications Agent | *.watchguard.com, *.pandasecurity.com, *.rc.pandasecurity.com, *.pandasoftware.com, aether100proservicebus.servicebus.windows.net, aether100pronotification.table.core.windows.net, aether100prostorage.blob.core.windows.net | TCP 443, TCP 80 |
Remote Access | *.rc.pandasecurity.com | TCP 443, TCP 8080 |
URL Filtering | rp.cloud.threatseeker.com, wg.cloud.threatseeker.com | TCP 443 |
Patch Management | *.ivanti.com, content.ivanti.com, application.ivanti.com, license.shavlik.com. Go to this Ivanti Knowledge Base Article (external link) to review a list of URLs required to download catalog content and patches. | TCP 443 |
Advanced Visualization | *.pandasecurity.devo.com | TCP 443 |
Root Certificate Verification | *.globalsign.net, *.globalsign.com, *.digicert.com, *.sectigo.com | TCP 443, TCP 80 |
The WatchGuard Mobile Security app uses the Apple Push Notification service to communicate with the software. For more information, go to Exceptions for iOS Devices in Endpoint Security Required Domains and URLs.
ThreatSync+ NDR
The ThreatSync+ NDR Collection Agent receives log data from switches and routers in your network, DHCP data from the Windows Log Agent, and data from locally-managed Fireboxes and sends the data to WatchGuard Cloud.
The ThreatSync+ NDR Collection Agent listens on:
- Port 2055 for NetFlow log data from endpoints.
- Port 6343 for sFlow log data from endpoints.
- Port 514 for DHCP log data from the Windows Log Agent.
Connections to these host names are required for WatchGuard Cloud to communicate with the agent API and the collectors for ThreatSync+ NDR.
Feature or Function | Host Names | Ports |
---|---|---|
Agent API | https://agentapi.ndr.<region>.cloud.watchguard.com | TCP 443 |
WatchGuard Cloud | usa deu jpn | TCP 443 |