
FortiDLP Agent Deployment Guide

Allowing communication between the FortiDLP Agent and FortiDLP Cloud

Every FortiDLP Agent requires a direct connection to the FortiDLP Cloud to report real-time data and receive configuration updates. The Agent connects to one of the following hostnames on TCP port 443, depending on the cluster region in which your tenant is hosted:

  • US: edge.27d0b831.reveal.nextdlp.com:443
  • EU: edge.4bfc9a65.reveal.nextdlp.com:443

The FortiDLP Agent uses mutually authenticated TLS (both the Agent and the FortiDLP Cloud present certificates) to secure its connections to the FortiDLP Cloud. The trust relationship between the Agent and the FortiDLP Cloud is managed by FortiDLP and is established during Agent enrollment. The Agent rejects connections to any endpoint that does not present the expected certificate, which includes TLS-intercepting (transparent) proxies: a device that terminates the TLS session and re-signs it cannot present the certificate the Agent expects, so the connection fails rather than being silently inspected.

If automatic upgrades are enabled, the Agent also contacts updates.qush.com:443 over HTTPS to download software updates. For more on this, see Upgrading the FortiDLP Agent.

Caution

To prevent connectivity issues, ensure that all proxies and other TLS-terminating or redirecting services have explicit exemptions in place for traffic to the FortiDLP Cloud. For some organizations, adding the FortiDLP Cloud IP addresses to allowlists is sufficient. For others, particularly where a proxy filters or inspects traffic by TLS Server Name Indication (SNI) or certificate name, specific names must be exempted so the traffic passes through untouched. Note that the FQDN the Agent resolves via DNS (for example, edge.27d0b831.reveal.nextdlp.com) is neither the name sent in the TLS handshake nor the subject name of the certificate used on those connections. The SNI the Agent sends is always one of enroll.edge.jazz, circuit.edge.jazz, v2.circuit.edge.jazz, or http.edge.jazz. An SNI- or certificate-based exemption that lists only the DNS hostname will therefore not match the Agent's traffic; the .edge.jazz names in the allowlists below exist for exactly this purpose.
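
The distinction above matters because an SNI-based passthrough rule sees the name inside the TLS ClientHello, not the name the Agent looked up in DNS. The following added example (not FortiDLP code) constructs a minimal ClientHello carrying an SNI extension, extracts the server_name the way an inspecting firewall would, and checks it against the SNI values documented on this page, treating *.circuit.edge.jazz as a single-label wildcard. The ClientHello bytes are constructed here purely for illustration; the allowed-SNI set is the documented one.

```python
"""Extract the TLS SNI from a ClientHello and match it against the documented
FortiDLP Agent SNI values.

Added example, not FortiDLP code. The ClientHello built by build_client_hello()
is constructed test input (zeroed random, one cipher suite); only the fields a
firewall needs to locate the SNI are filled in.
"""
import struct
from typing import Iterable, Optional

# SNI values documented for the Agent's TLS connections. None of these is the
# FQDN the Agent resolves via DNS (edge.<cluster>.reveal.nextdlp.com).
ALLOWED_SNI = {
    "enroll.edge.jazz",
    "circuit.edge.jazz",
    "v2.circuit.edge.jazz",
    "*.circuit.edge.jazz",
    "http.edge.jazz",
}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS record containing a ClientHello with an SNI extension."""
    name = server_name.encode("ascii")
    # ServerNameList entry: name_type 0 (host_name), 2-byte length, the name itself
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext_body = struct.pack("!H", len(sni_list)) + sni_list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body  # type 0 = server_name
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + b"\x00" * 32                                # random (zeroed: constructed input)
        + b"\x00"                                     # session_id length 0
        + b"\x00\x02\x13\x01"                         # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension of a ClientHello record,
    or None if the record is not a ClientHello or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                       # skip client_version and random
    sid_len = body[pos]; pos += 1 + sid_len            # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len              # compression_methods
    if pos + 2 > len(body):
        return None                                    # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_body_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        ext_body = body[pos:pos + ext_body_len]; pos += ext_body_len
        if ext_type != 0x0000:
            continue
        lpos = 2                                       # skip ServerNameList length
        while lpos + 3 <= len(ext_body):
            name_type = ext_body[lpos]
            name_len = struct.unpack("!H", ext_body[lpos + 1:lpos + 3])[0]
            name = ext_body[lpos + 3:lpos + 3 + name_len]
            if name_type == 0:                         # host_name
                return name.decode("ascii", errors="replace")
            lpos += 3 + name_len
    return None


def sni_allowed(server_name: Optional[str], allowed: Iterable[str] = ALLOWED_SNI) -> bool:
    """Match an observed SNI against the documented set. A '*.' pattern matches exactly
    one extra label, as wildcard exemptions on most firewalls do."""
    if not server_name:
        return False
    for pattern in allowed:
        if pattern.startswith("*."):
            suffix = pattern[1:]                       # ".circuit.edge.jazz"
            if server_name.endswith(suffix) and "." not in server_name[:-len(suffix)]:
                return True
        elif server_name == pattern:
            return True
    return False


if __name__ == "__main__":
    for name in ("circuit.edge.jazz", "node7.circuit.edge.jazz", "edge.27d0b831.reveal.nextdlp.com"):
        sni = extract_sni(build_client_hello(name))
        print(f"{name!r:45} SNI seen: {sni!r:40} allowed: {sni_allowed(sni)}")
```

The third case in the usage block is the one that trips organizations up: a ClientHello whose SNI is the DNS FQDN would not be allowed by an exemption built from the documented names, and conversely an exemption built only from the FQDN never matches what the Agent actually sends.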

Before you deploy the FortiDLP Agent, either manually or via a fleet management tool, you should configure your network firewall rules to allow access to the following.

US customer allowlist
  • edge.27d0b831.reveal.nextdlp.com
  • edge.27d0b831.reveal.qush.com
  • edge.27d0b831.reveal.avasecurity.com
  • edge.27d0b831.reveal.ava.uk
  • edge.27d0b831.cloud.jazznetworks.com
  • updates.qush.com
  • updates.nextdlp.com
  • uploads.us0.reveal.nextdlp.com
  • 34.36.139.49
  • 35.232.224.35
  • enroll.edge.jazz
  • circuit.edge.jazz
  • v2.circuit.edge.jazz
  • *.circuit.edge.jazz
  • http.edge.jazz
EU customer allowlist
  • edge.4bfc9a65.reveal.nextdlp.com
  • edge.4bfc9a65.reveal.qush.com
  • edge.4bfc9a65.reveal.avasecurity.com
  • edge.4bfc9a65.reveal.ava.uk
  • edge.4bfc9a65.cloud.jazznetworks.com
  • updates.qush.com
  • updates.nextdlp.com
  • uploads.eu0.reveal.nextdlp.com
  • 34.160.252.90
  • 130.211.100.13
  • enroll.edge.jazz
  • circuit.edge.jazz
  • v2.circuit.edge.jazz
  • *.circuit.edge.jazz
  • http.edge.jazz
Note

Fortinet aims to avoid changing FortiDLP Cloud IP addresses but cannot guarantee that they will never change. We therefore recommend routinely resolving the US and EU edge hostnames (for example, with nslookup or dig) and comparing the results against your firewall rules so that the rules stay current. We also reserve the right to add SNIs in the future.
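
The routine check recommended above can be automated. The following added example (not FortiDLP tooling) resolves the edge hostnames for each region with the system resolver and reports three kinds of drift: addresses a hostname now resolves to that are not in the documented allowlist (traffic to them would be blocked), documented addresses that no hostname resolves to any more (candidates for review), and hostnames that did not resolve at all. The hostnames and IP addresses are taken from the allowlists on this page; it is an assumption of the example that the two documented addresses per region are those of the edge hostnames, which is how the Note pairs them. The resolver is injectable so the comparison logic can be exercised offline with constructed results.

```python
"""Report drift between the FortiDLP Cloud IP addresses documented in the
allowlists and what the edge hostnames currently resolve to.

Added example, not FortiDLP tooling. Hostnames and addresses are the documented
ones; pairing the two addresses per region with the edge hostnames is an
assumption. Run directly (or from a scheduler) to query the live DNS; exits 1
when a hostname resolves to an address missing from the allowlist.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, Set

Resolver = Callable[[str], Set[str]]

DOCUMENTED = {
    "US": {
        "hosts": [
            "edge.27d0b831.reveal.nextdlp.com",
            "edge.27d0b831.reveal.qush.com",
            "edge.27d0b831.reveal.avasecurity.com",
            "edge.27d0b831.reveal.ava.uk",
            "edge.27d0b831.cloud.jazznetworks.com",
        ],
        "ips": {"34.36.139.49", "35.232.224.35"},
    },
    "EU": {
        "hosts": [
            "edge.4bfc9a65.reveal.nextdlp.com",
            "edge.4bfc9a65.reveal.qush.com",
            "edge.4bfc9a65.reveal.avasecurity.com",
            "edge.4bfc9a65.reveal.ava.uk",
            "edge.4bfc9a65.cloud.jazznetworks.com",
        ],
        "ips": {"34.160.252.90", "130.211.100.13"},
    },
}


def resolve_a(hostname: str) -> Set[str]:
    """IPv4 addresses the system resolver returns for hostname; empty set on failure."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def allowlist_drift(hosts: Iterable[str], documented_ips: Set[str],
                    resolver: Resolver = resolve_a) -> Dict[str, Set[str]]:
    """Compare live resolution of hosts against the documented allowlist.

    missing    - addresses some host resolves to that are not in documented_ips
                 (the firewall would block them)
    stale      - documented addresses that no host resolves to any more
    unresolved - hosts for which the resolver returned nothing
    """
    live: Set[str] = set()
    unresolved: Set[str] = set()
    for host in hosts:
        addrs = resolver(host)
        if not addrs:
            unresolved.add(host)
        live |= addrs
    return {
        "missing": live - documented_ips,
        "stale": documented_ips - live,
        "unresolved": unresolved,
    }


def main() -> int:
    exit_code = 0
    for region, spec in DOCUMENTED.items():
        drift = allowlist_drift(spec["hosts"], spec["ips"])
        for kind in ("missing", "stale", "unresolved"):
            for item in sorted(drift[kind]):
                print(f"{region} {kind}: {item}")
        if drift["missing"]:
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main())
```

Only "missing" addresses are treated as a failure, because they are the ones that break Agent connectivity; "stale" entries are harmless to connectivity but widen the egress rule beyond what is needed, so they are reported for review rather than acted on automatically.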

Browser extension and email add-in communications

If you use the FortiDLP Browser Extension for Firefox, also configure your firewall rules to allow access to https://firefox-extension.reveal.nextdlp.com so that the extension can update automatically.

Additionally, if you deploy the FortiDLP Email Add-in, your firewall rules should allow access to:

  • the outlook-addin.reveal.nextdlp.com domain, and
  • the Agent's local web server (Outlook Proxy) on 127.0.0.1:13243. This is loopback traffic, so it is governed by the host-based firewall rather than the network perimeter.

If you would like to verify your configuration, contact Fortinet Support.