In order for your Monitoring Point to access AppNeta Performance Manager (APM) and perform the monitoring you require, you must configure your firewall rules to allow this access. At a minimum, the Monitoring Point must be able to connect to APM. Additional configuration beyond this is based on your monitoring needs. In addition to setting firewall rules, you can create Access Control Lists (ACLs) on some Monitoring Point models to restrict inbound access.

Note that the firewall configuration for a Container-based Monitoring Point (CMP) and the Native Monitoring Point (NMP) on Windows have separate requirements.

A summary of the firewall rules described below is available in a separate spreadsheet. To create a PDF version, navigate to File > Download > PDF document (.pdf) within the Google Sheet.

Overview

The following diagram shows all the services and applications that the Monitoring Point may need access to.

The following table outlines the firewall rules required to access the various services and applications. Click the links for details.

Firewall rules required?	Reason	Description
Mandatory	APM	Monitoring Point requires access to AppNeta Performance Manager.
Typical	Delivery monitoring	Required if you are using Delivery monitoring.
Typical	Path Plus	Required if you are using Path Plus tools.
Optional	Voice/Video	Required if you are using voice and video monitoring tools.
Typical	Experience monitoring	Required if you are using Experience monitoring.
Optional	Proxy	Required only if a proxy server is used.
Optional	DNS	Required only if DNS resolver is located externally.
Optional	NTP	Required only if NTP server is located externally.
Optional	SNMP	Required only if you are using SNMP and the NMS is located externally.

Connecting to APM servers

Access to APM is mandatory.

Firewall configuration details for APM server access

AppNeta recommends using *.pm.appneta.com to provide access to all AppNeta APM servers.

If that is not possible in your environment, you can create rules for specific APM servers you need to access. The details are provided in the following tables.

Assigned server

	Direction	Protocol	Port(s)	Address(es)
	Outbound	TCP	8080 or 80	e.g., app-01.pm.appneta.com A Monitoring Point attempts to connect to APM on port 8080, then on port 80. Whether you are connecting directly or through a proxy, you must allow outbound TCP connections to your assigned server on one of these ports (8080 is recommended). To determine the URL of your assigned APM server, Log in to APM. The server URL is in the browser address bar.

Relay server

	Direction	Protocol	Port(s)	Address(es)
	Outbound	TCP	443	mp-relay.pm.appneta.com A Monitoring Point first tries to connect to your assigned APM server on port 80, then on port 8080. If it cannot (for example, when your security policy disallows HTTPS) the Monitoring Point attempts to connect to APM via an SSL relay server. In this case, you must allow outbound TCP connections on port 443 to this server. Note that when the Monitoring Point is connected in this way you will see "connected via relay" in the "Public IP" column of the Monitoring Points page (access via > Manage Monitoring Points).

Capture server

	Direction	Protocol	Port(s)	Address(es)
	Outbound	TCP	443	e.g., cap-01.pm.appneta.com Capture servers receive Usage monitoring records and packet captures, and provide a reverse proxy for SSL connections from the APM server to Monitoring Points. You must allow outbound TCP connections on port 443 for the capture server you use. To determine which capture server you are using, login to a Monitoring Point. The capture server name is in the address bar of your browser.

Upgrade repository

	Direction	Protocol	Port(s)	Address(es)
	Outbound	TCP	443	appliance-repo.pm.appneta.com You must allow outbound TCP connections on port 443 to this server so that your Monitoring Point can download new software versions.

Configuring for Delivery monitoring

Delivery monitoring is a fundamental feature of the AppNeta solution so ports related to Delivery monitoring should be opened. In addition, in cases where the Monitoring Point is a target behind a NAT device (for example, a video test target), port forwarding is required on the remote firewall to route traffic to the target Monitoring Point.

Firewall configuration details for Delivery monitoring

	Direction	Protocol	Port(s)	Address(es)
	Inbound + Outbound	TCP	443	All Addresses Allow TCP 443 so that the Monitoring Point can perform TCP traceroute on single- and dual-ended paths.
	Inbound + Outbound	ICMP		Message types used: Echo Request, Echo Reply, Time Exceeded, and Destination Unreachable ICMP is used for Delivery monitoring on single- and dual-ended paths, so it is essential that these messages are allowed.
	Inbound	UDP	7	All Addresses Allow UDP 7 so that the Monitoring Point can perform UDP traceroute on single- and dual-ended paths.
	Inbound	UDP	33434	All Addresses Allow UDP 33434 so that the Monitoring Point can perform UDP traceroute on single- and dual-ended paths.
	Inbound + Outbound	UDP	3239	All Addresses Allow UDP 3239 inbound so that Monitoring Points can coordinate dual-ended monitoring. Allow UDP 3239 outbound so that Monitoring Points can coordinate dual-ended monitoring and perform UDP traceroute.
	Inbound + Outbound	UDP	45056-49151	All Addresses Allow inbound and outbound UDP messages on this range so that Monitoring Points can perform single- and dual-ended monitoring, continuous monitoring traceroute using the port-unreachable method, voice tests, and QoS alerting. You can also customize this range.
	Outbound	UDP	49152-65535	All Addresses APM sends UDP packets to ports in the stated range as part of QoS diagnostics, path MTU determination, and network discovery. ICMP port-unreachable messages are expected in response. Keep in mind that path targets must actually respond with an ICMP port-unreachable for any of these processes to be successful.

Configuring for Path Plus

Part of Delivery monitoring, the Path Plus tools are used for basic network investigation so related ports should be opened.

Firewall configuration details for Path Plus

	Direction	Protocol	Port(s)	Address(es)
	Inbound + Outbound	ICMP		Message types used: Echo Request, Echo Reply. ICMP is used for pings in Path Plus.
	Inbound	UDP	7	All Addresses UDP port 7 is used for traceroute in Path Plus.
	Inbound	UDP	33434	All Addresses UDP port 33434 is used for traceroute in Path Plus.
	Outbound	TCP	53	All Addresses TCP and UDP messages on port 53 are used for nslookup in Path Plus.
	Outbound	UDP	53
	Inbound	TCP	3236	All Addresses Allow inbound TCP messages on port 3236 so that PathTests can target Monitoring Points. The source and target Monitoring Points coordinate on TCP 3236 before and after tests, so it must be opened even if the testing protocol is UDP.

Configuring for Voice/Video

As optional Delivery monitoring components, if the voice and video tools are being used, related ports should be opened.

Firewall configuration details for Voice/Video

	Direction	Protocol	Port(s)	Address(es)
	Inbound + Outbound	UDP	3239	All Addresses Monitoring Points coordinate over UDP 3239 for voice and video tests. Allow outbound access for source Monitoring Points and inbound access for target Monitoring Points.
	Inbound + Outbound	UDP	5060	All Addresses Video and voice tests can use one of two signaling protocols: SIP uses port 5060, and H.323 uses port 1720. If you need to use different ports for signaling, open a support ticket.
	Inbound+ Outbound	UDP	1720
	Inbound + Outbound	UDP	45056- 49151	All Addresses For video and voice tests, RTP and RTCP automatically select ports between 45056-49151.

Configuring for Experience monitoring

Experience monitoring is a fundamental feature of the AppNeta solution so ports related to Experience monitoring should be opened. Outbound TCP connections on port 80 are essential to Experience monitoring. Allow outbound connections on port 443 if a workflow includes logging in to the target site.

Firewall configuration details for Experience monitoring

	Direction	Protocol	Port(s)	Address(es)
	Outbound	TCP	80, 443	All Addresses

Configuring for optional services

There a number of services that you need access to only if required.

Configuring for a proxy server

If HTTP traffic is directed to a proxy server, make sure that no ACLs prevent the Monitoring Point from connecting to it (for example, permit tcp host device-ip host proxy-ip eq proxy-port). This might be the case if the Monitoring Point is deployed in a subnet reserved for network infrastructure rather than end-stations. If the proxy service requires authentication, it must use either basic or digest authentication; NTLM and Kerberos are not supported. See the proxy setup page: physical and virtual Monitoring Points or native Monitoring Points. For the Container-based Monitoring Point (CMP), proxy configuration is done on the Docker host. Newer versions of Docker can be configured to pass the proxy through to containers. See Configure Docker to use a proxy server.

Configuring for a DNS server

Domain Name System (DNS) is required for hostname to IP resolution. Firewall rules allowing access to a DNS resolver are only required if the resolver is external.

Firewall configuration details for DNS server access

	Direction	Protocol	Port(s)	Address(es)
	Outbound	UDP	53	Addresses for all external DNS servers you want to access.

Configuring for an NTP server

The Monitoring Point needs inbound and outbound connections for Network Time Protocol (NTP) to ensure precise timestamping. Firewall rules allowing access to a NTP server are only required if the server is external.

Firewall configuration details for NTP server access

	Direction	Protocol	Port(s)	Address(es)
	Inbound + Outbound	UDP	123	Addresses for all external NTP servers you want to access.

Configuring for an SNMP NMS

Firewall rules allowing access to a Simple Network Management Protocol (SNMP) Network Management System (NMS) server are only required if the Monitoring Point is configured for SNMP notification forwarding and the server is external.

Firewall configuration details for SNMP NMS access

	Direction	Protocol	Port(s)	Address(es)
	Outbound	UDP	162	Addresses for all external SNMP NMSs you want to access.

Configuring for a CMP

In order support Container-based Monitoring Point (CMP) deployment, outbound access on TCP port 443 is required to the following FQDNs:

• appneta.azurecr.io
• appneta.eastus2.data.azurecr.io
• appneta.westus.data.azurecr.io

Additional firewall rules may be required depending on where you are deploying the CMP.

AKS

If you are installing the CMP in Azure using AKS, there are no additional firewall rules to configure. The install process takes care of the firewall rules.

Docker

If you are installing the CMP in a Docker environment directly or using Docker Compose, you need to configure the following firewall rules for Delivery monitoring. All the other (non-Delivery) firewall rules shown above still apply:

Service	Direction	Protocol	Port(s)	Addresses
Delivery - Target	Inbound + Outbound	TCP	443	All addresses
Delivery - Target	Inbound + Outbound	ICMP
Delivery - Target	Inbound	UDP	7	All addresses
Delivery - Target	Inbound	UDP	33434	All addresses
Delivery - Target	Inbound + Outbound	UDP	3236 - 3239	All addresses
Delivery - Target	Inbound + Outbound	TCP	3236 - 3239	All addresses
Delivery - Source	Outbound	UDP	45056-49151	All addresses

• Azure - If you are deploying within Azure, the Azure firewalls and Network Security Groups should be configured with “Allow Inbound ICMP”.
• AWS - If you are deploying within AWS, the default Security Group needs a rule to allow inbound ICMP Echo Requests.

Configuring for an NMP on Windows

When you install the AppNeta Native Monitoring Point (NMP) on a Windows machine, firewall rules are automatically added during the installation process. They are all inbound rules and include:

• Allow ICMPv4 “Echo Reply” (Type 0, Code Any) packets to the NMP
• Allow ICMPv4 “Destination Unreachable” packets to the NMP
• Allow UDP packets to the NMP
• Allow ICMPv4 “Time Exceeded” packets to any program

Additional rule required for single-ended path target use case

If the Windows NMP is to serve as a target for single-ended paths, you need to add an inbound rule to allow ICMPv4 “Echo Request” packets to any program. You can do this from the command line or via the Windows Firewall app.

Use the command line

1. In the Windows search box (lower left), type “command prompt”.
2. Click ​Run as administrator.
3. If you receive the message Do you want to allow this app to make changes to your device?, click Yes.
   • The ​Administrator Command Prompt app appears.

4. In the Administrator Command Prompt app, enter the following command:

   netsh.exe advfirewall firewall add rule name="AppNeta Native Monitoring Point (ICMP-Echo-Request)" profile=any action=allow dir=in protocol=icmpv4:8,any
   

   • Inbound ICMPv4 “Echo Request” packets are now allowed.

Use the Windows Firewall app

1. In the Windows search box (lower left), type “windows defender firewall”.
2. Click ​Windows Defender Firewall​.
   • The ​Windows Defender Firewall ​page appears.
3. In the Windows Defender Firewall window, click Advanced settings.
4. If you receive the message Do you want to allow this app to make changes to your device?, click Yes.
5. Click Inbound Rules.
6. Click New Rule.
7. Select Custom and click Next.
8. Select All programs and click Next.
9. In the Protocol type dropdown select ICMPv4 and click Customize.
10. Select Specific ICMP types, select Echo Request, then click OK.
11. Click Next.
12. Click Next.
13. Click Next.
14. Make sure Domain, Private, and Public are checked and click Next.
15. In the Name field, enter “AppNeta NMP ICMP Echo Requests” and click Finish.
    • Inbound ICMPv4 “Echo Request” packets are now allowed.
16. Close the Windows Defender Firewall windows.