Prerequisite for Cloud Firewall
Points to Remember
- Allow the required domains and HTTP(S) ports on any upstream firewall.
- By default, the system uses the first network interface (eth0) for IP address allocation and subsequent Cloud Firewall traffic.
- If DNS auto-registration is enabled on the VMware host, add an additional DNS entry with the desired hostname instead of modifying the default one.
- Ensure that the CPU used for TCP and UDP deployments supports the Intel ADX instruction set.
NOTE: UDP support has been validated for DNS, ECHO, NTP, HTTP/3, and RDP over UDP protocols.
Firewall Settings
NOTE: Whitelist or allow all required hosts and domains listed in the firewall configuration table on the outbound proxy.
Domain | Port | Purpose
iam.mcafee-cloud.com | 443 | Register a token or get access to the user accounts from the IAM service
skyhighlinux.org | 443 | Skyhigh CentOS
iam.skyhigh.cloud | 443 |
*cloudfront.net | 443 |
cloudfront.net | 443 |
eu-central-1-euprod-cwpp-binary-storage.s3.eu-central-1.amazonaws.com | 443 | Auto-update of runtime artifacts
us-west-2-usprod-cwpp-binary-storage.s3.us-west-2.amazonaws.com | 443 | Auto-update of runtime artifacts
Local DNS server IP | 53/UDP | To resolve all Private application hostnames to Private IPs

Additional hosts/ports to be allowed for the UDP protocol:

Domain | Port | Purpose
*connect.gateway.skyhigh.cloud | 443/TCP | Set up a WireGuard tunnel between the SCP client and the Cloud Firewall.
connect.gateway.skyhigh.cloud | 443/TCP | Set up a WireGuard tunnel between the SCP client and the Cloud Firewall.
*traffic.gateway.skyhigh.cloud | 443/UDP | Send/receive UDP traffic from the Windows client to the Cloud Firewall over the WireGuard tunnel.
traffic.gateway.skyhigh.cloud | 443/UDP | Send/receive UDP traffic from the Windows client to the Cloud Firewall over the WireGuard tunnel.
TIP: Configure additional parameters such as DHCP and ARP as required for your corporate endpoint environment to ensure optimal Cloud Firewall behavior. For more details, see Cloud Firewall Settings.
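The following pre-flight script is an added example (not part of the Skyhigh documentation) that checks the prerequisites above from the host itself: the Intel ADX flag in /proc/cpuinfo, name resolution for each domain in the firewall settings table, and a TCP connect to port 443 for the TCP entries. It assumes a Linux host with bash, getent and timeout available; wildcard entries are probed through their base domain, and the UDP 443 path is only checked for name resolution.

```bash
#!/usr/bin/env bash
# Cloud Firewall pre-flight check (added example, not Skyhigh's own code).
# Assumes: Linux, bash, getent, timeout. Host list copied from the settings table.

# Hosts the table lists for TCP 443 (wildcard rows are checked via the base domain).
CLOUDFW_TCP_HOSTS="iam.mcafee-cloud.com skyhighlinux.org iam.skyhigh.cloud cloudfront.net
eu-central-1-euprod-cwpp-binary-storage.s3.eu-central-1.amazonaws.com
us-west-2-usprod-cwpp-binary-storage.s3.us-west-2.amazonaws.com
connect.gateway.skyhigh.cloud"
# Host the table lists for UDP 443 (WireGuard data path); only DNS is checked here.
CLOUDFW_UDP_HOSTS="traffic.gateway.skyhigh.cloud"

# cpu_has_adx FILE: succeed when the cpuinfo-style FILE lists the "adx" CPU flag.
cpu_has_adx() {
    grep -E '^flags' "$1" | grep -qw adx
}

# host_resolves HOST: succeed when the local resolver returns an address for HOST.
host_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# tcp_port_open HOST PORT: succeed when a TCP connect completes within 3 seconds.
tcp_port_open() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# main: run every check, print one line per result, return the failure count.
main() {
    local fails=0 h
    if cpu_has_adx /proc/cpuinfo; then echo "ok   cpu supports ADX"
    else echo "FAIL cpu lacks ADX (required for TCP/UDP deployments)"; fails=$((fails+1)); fi
    for h in $CLOUDFW_TCP_HOSTS; do
        if ! host_resolves "$h"; then echo "FAIL dns  $h"; fails=$((fails+1)); continue; fi
        if tcp_port_open "$h" 443; then echo "ok   tcp  $h:443"
        else echo "FAIL tcp  $h:443 (blocked on an upstream firewall or proxy?)"; fails=$((fails+1)); fi
    done
    for h in $CLOUDFW_UDP_HOSTS; do
        if host_resolves "$h"; then echo "ok   dns  $h (udp/443 not probed)"
        else echo "FAIL dns  $h"; fails=$((fails+1)); fi
    done
    return "$fails"
}

# Only run the checks when invoked with --run, so the file can also be sourced.
case "${1:-}" in --run) main ;; esac
```

Run it as `bash cloudfw-preflight.sh --run` on the VM before deployment; a non-zero exit code means at least one prerequisite failed.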
