Whitelisting requirements for Invicti On-Premises
Accurate scans of your targets require proper network access configuration. Follow these steps to configure whitelist settings:
- Your browser outbound connections
- Invicti Enterprise Scanning Agent outbound connections
- Invicti Enterprise Main Installation outbound connections
- Invicti Enterprise Auth Verifier Agent outbound connections
- Shark outbound connections
- IAST Bridge accepting inbound connections
- Invicti Enterprise Main Installation accepting inbound connections
- Your target accepting inbound connections
- Your integration server accepting inbound connections
Outbound connections
Your browser outbound connections
If your browser is behind an outbound firewall or web proxy, particularly within a corporate LAN or VPN, ensure that the firewall, proxy, or VPN permits outbound connections to:
Scope | Destination |
Browser access to Invicti Enterprise | IP or URL of your Invicti Enterprise Main Installation on (default) port 443 |
Browser and Auth Verifier Agent Access to the Authentication Verifier Service | IP or URL of your Invicti Enterprise Main Installation on (default) port 5000/5001 |
Invicti Enterprise Scanning Agent outbound connections
Ensure that your network infrastructure permits any deployed Scanning Agent to establish outbound connections to:
Scope | Destination |
API Calls to Invicti Enterprise Main Installation | IP or URL of your Invicti Enterprise Main Installation on (default) port 443 |
API Calls to the Hawk service for out-of-band vulnerability checking | https://r87.me |
VDB Database Download | https://service.invicti.com/ |
API Calls to the IAST Bridge | https://iast.invicti.com |
Scanning requests to your Target | IP Address / URL for your Target, including destination port |
Invicti Enterprise Main Installation outbound connections
Ensure that your network infrastructure permits the Invicti Enterprise Main Installation to establish outbound connections to:
Scope | Destination |
API Calls to the Hawk service for out-of-band vulnerability checking | https://r87.me |
VDB Database Download; Update notifications | https://www.invicti.com |
Access Tokens for the Discovery Service | https://jwtsigner.invicti.com |
API Calls to the Discovery Service | https://discovery-service.invicti.com |
API Calls for Invicti Licensing and Target Management | https://service.invicti.com |
Scanning requests to your Target | IP Address / URL for your Target, including destination port |
API Hub discovery for Apigee, Mulesoft, AWS API Gateway, etc | IP ranges or URLs for your Target API Integrations (including port number) |
ZeroDiscovery requests to your Targets | IP Address / URL for your Targets (default port list is 80, 81, 443, 3000, 5000, 7000, 8000, 8008, 8080, 8081, 8083, 8088, 8090, 8181, 8443, 8888) |
Invicti Enterprise Auth Verifier Agent outbound connections
For any deployed Auth Verifier agent, you must ensure that your network infrastructure allows it to make outbound connections to:
Scope | Destination |
API Calls for Auth Verifier Registration | IP or URL of your Invicti Enterprise Authentication Verifier Service on (default) port 5000/5001 |
Auth Verification requests to your Target | IP Address / URL for your Target, including destination port |
ZeroDiscovery requests to your Targets | IP Address / URL for your Targets (default port list is 80, 81, 443, 3000, 5000, 7000, 8000, 8008, 8080, 8081, 8083, 8088, 8090, 8181, 8443, 8888) |
Shark outbound connections
Ensure that your network infrastructure permits any Shark agent deployed in your target web application to establish outbound connections to:
Scope | Destination |
API Calls to the IAST Bridge (default) | https://iast.invicti.com |
API Calls to the IAST Bridge (if configured) | IP or URL of your Invicti Enterprise IAST Bridge on port 7880 |
Inbound connections
Your IAST Bridge accepting inbound connections
Ensure that your IAST Bridge network infrastructure allows incoming connections from:
Scope | Source |
Incoming Shark sensor data | IP Address of your Shark sensor |
API Calls from the Scanning Agent | IP Address of your Scanning Agent |
API Calls from Invicti Enterprise Main Installation | IP Address of your Main Installation |
Your Invicti Enterprise Main Installation accepting inbound connections
You must ensure that your Invicti Enterprise Main Installation's network infrastructure whitelists incoming connections from:
Scope | Source |
Connections from Auth Verifier Service | IP Address of your Auth Verifier Service |
Connections from the Scanning Agent | IP Address of your Scanning Agent |
Connections from the integration source | IP Address of your integration source |
Your target accepting inbound connections
You must ensure that your target's network infrastructure whitelists incoming connections from:
Scope | Source |
Incoming scanning and auth verification requests | IP Address of your scanning and auth verification agents |
Incoming API Discovery requests | IP Address of your Auth Verification Service |
Your integration server accepting inbound connections
You must ensure that your integrations server's network infrastructure whitelists incoming connections from:
Scope | Source |
Integration Connections | IP Address of your Invicti Enterprise Main Installation |