During your subscription period or proof-of-value, in-scope entities and systems are expected to receive network traffic from the watchTowr Platform, and artifacts of watchTowr's testing mechanisms may exist within logs.
Allowlist Information
While allowlisting in WAFs, IDSs, IPSs, and firewalls is not required, please ensure that the watchTowr Platform's activity and infrastructure are communicated to all necessary stakeholders, including the SOC, MSSP, in-scope subsidiaries, and any relevant third parties.
It is highly recommended that watchTowr's source IP addresses be allowlisted and filtered in network defense devices and monitoring systems. Allowlisting watchTowr's IP addresses helps ensure the following.
watchTowr security testing probes are not blocked.
watchTowr activity does not trigger false alarms or alerts in SOCs, MSSPs, etc.
All alerts and activities can be attributed to authorized actions.
The Allowlist column indicates whether an IP address should be allowlisted.
Name/IP | Allowlist | Region | Description |
18.143.202.0/24 | Yes | Singapore | SG region outbound activities |
3.107.82.128/25 | Yes | Australia | AU region outbound activities |
3.107.66.224/28 | Yes | Australia | AU region outbound activities |
3.146.41.0/25 | Yes | United States | US region outbound activities |
54.247.251.128/25 | Yes | Europe | EU region outbound activities |
Some IP addresses must not be allowlisted to perform Web Application Firewall (WAF) checks. The table below lists all the hostnames and IP addresses that the watchTowr Platform uses for network activities. The Allowlist column indicates whether an IP address should be allowlisted.
Name/IP | Allowlist | Region | Description |
18.142.102.154/32 | No | Singapore | SG region WAF/IDS checks |
52.220.114.68/32 | No | Singapore | SG region WAF/IDS checks |
54.255.89.164/32 | No | Singapore | SG region WAF/IDS checks |
3.105.138.238/32 | No | Australia | AU region WAF/IDS checks |
52.64.196.1/32 | No | Australia | AU region WAF/IDS checks |
52.63.5.140/32 | No | Australia | AU region WAF/IDS checks |
3.130.91.129/32 | No | US | US region WAF/IDS checks |
3.135.57.25/32 | No | US | US region WAF/IDS checks |
3.131.243.124/32 | No | US | US region WAF/IDS checks |
3.142.223.252/32 | No | US | US region WAF/IDS checks |
3.22.254.26/32 | No | US | US region WAF/IDS checks |
18.223.84.46/32 | No | US | US region WAF/IDS checks |
wtwr.io | No | Global | Global callback infrastructure (likely to be present in logs) |
*.dns.outbound.watchtowr.com | No | Global | Global callback infrastructure (likely to be present in logs) |
*.dns.watchtowr-oob.com | No | Global | Global callback infrastructure |
The Testing Infrastructure page has the current list of IP addresses and hostnames used by the watchTowr Platform. Follow the instructions below to access this page.
Click the Platform menu from the left sidebar.
Click Testing Infrastructure.
It should be noted that the 'Testing Infrastructure' functionality within your watchTowr Platform tenant (Platform > Testing Infrastructure) should be considered authoritative.
Export
The table of IP addresses and hostnames can be exported to a CSV file for allowlisting or reference purposes.
Click the Download Icon button in the upper right corner of the Testing Infrastructure.
The file will be downloaded with your browser.
If you need assistance, don't hesitate to contact the watchTowr team. Our knowledgeable team is ready to help you navigate the watchTowr Platform and address any questions or concerns.