Trustlist requirements for Invicti Enterprise on-premises
Accurate scans of your targets require proper network access configuration. Follow these steps to configure trustlist settings:
Outbound connections
Your browser outbound connections
If your browser is behind an outbound firewall or web proxy, particularly within a corporate LAN or VPN, ensure that the firewall, proxy, or VPN permits outbound connections to:
| Scope | Destination |
|---|---|
| Browser access to Invicti Enterprise | IP or URL of your Invicti Enterprise main installation on (default) port 443 |
| Browser and agent access to the authentication verifier service | IP or URL of your Invicti Enterprise main installation on (default) port 5000/5001 |
Invicti Enterprise scanning agent outbound connections
Ensure that your network infrastructure permits any deployed scanning Agent to establish outbound connections to:
| Scope | Destination |
|---|---|
| API calls to Invicti Enterprise main installation | IP or URL of your Invicti Enterprise main installation on (default) port 443 |
| API calls to the Hawk service for out-of-band vulnerability checking | https://r87.me |
| VDB database download | https://service.invicti.com/ |
| API calls to the IAST Bridge | https://iast.invicti.com |
| Scanning requests to your Target | IP address/URL for your Target, including destination port |
Invicti Enterprise main installation outbound connections
Ensure that your network infrastructure permits the Invicti Enterprise main installation to establish outbound connections to:
| Scope | Destination |
|---|---|
| API calls to the Hawk service for out-of-band vulnerability checking | https://r87.me |
| VDB database download; Update notifications | https://www.invicti.com |
| Access Tokens for the Discovery service | https://jwtsigner.invicti.com |
| API calls to the Discovery service | https://discovery-service.invicti.com |
| API calls for Invicti licensing and Target management | https://service.invicti.com |
| Scanning requests to your Target | IP address/URL for your Target, including destination port |
| API Hub discovery for Apigee, Mulesoft, AWS API Gateway, etc. | IP ranges or URLs for your Target API integrations (including port number) |
| ZeroDiscovery requests to your Targets | IP addresses/URLs for your Targets (default port list is 80, 81, 443, 3000, 5000, 7000, 8000, 8008, 8080, 8081, 8083, 8088, 8090, 8181, 8443, 8888) |
Invicti Enterprise auth verifier agent outbound connections
For any deployed auth verifier agent, you must ensure that your network infrastructure allows it to make outbound connections to:
| Scope | Destination |
|---|---|
| API calls for auth verifier registration | IP or URL of your Invicti Enterprise main installation on (default) port 5000/5001 |
| API calls to Invicti Enterprise main installation | IP or URL of your Invicti Enterprise main installation on (default) port 443 |
| Scanning requests to your Target | IP address/URL for your Target, including destination port |
| ZeroDiscovery requests to your Targets | IP addresses/URLs for your Targets (default port list is 80, 81, 443, 3000, 5000, 7000, 8000, 8008, 8080, 8081, 8083, 8088, 8090, 8181, 8443, 8888) |
Shark outbound connections
Ensure that your network infrastructure permits any Shark agent deployed in your target web application to establish outbound connections to:
| Scope | Destination |
|---|---|
| API calls to the IAST Bridge (default) | https://iast.invicti.com |
| API calls to the IAST Bridge (if configured) | IP or URL of your Invicti Enterprise IAST Bridge on port 7880 |
Inbound connections
IAST Bridge accepting inbound connections
Ensure that your IAST Bridge network infrastructure allows incoming connections from:
| Scope | Source |
|---|---|
| Incoming Shark sensor data | IP or URL of your Target Shark |
| API calls from the scanning agent | IP or URL of your scanning agent |
Your Invicti Enterprise main installation accepting inbound connections
You must ensure that your Invicti Enterprise main installation's network infrastructure trustlists incoming connections from:
| Source | Scope |
|---|---|
| IP or URL of your auth verifier agent | Auth verifier service (port 5000/5001) |
Your target accepting inbound connections
You must ensure that your target's network infrastructure trustlists incoming connections from:
| Scope | Source |
|---|---|
| Incoming scanning and verification requests; Incoming API Discovery requests | IP or URL of your Invicti Enterprise main installation |
| Incoming scanning requests | IP address / URL of your internal scanning agents |
| Incoming verification requests; Incoming API Discovery requests | IP addresses/URLs of your internal auth verifier agents |
Your integration server accepting inbound connections
You must ensure that your integrations server's network infrastructure trustlists incoming connections from:
| Scope | Source |
|---|---|
| Integration API calls | IP or URL of your Invicti Enterprise main installation |
Need help?
Invicti Support team is ready to provide you with technical help. Go to Help Center