Discovery Agent for Next-Gen Trust Security network requirements

Discovery Agent for Next-Gen Trust Security needs to connect to the Next-Gen Trust Security REST API, so you may need to configure your firewall or egress proxy accordingly.

Firewall and proxy requirements

If Discovery Agent for Next-Gen Trust Security is deployed in a secure environment that limits connection to external sites or services, add the following egress rules to your firewall:

| Rule  | Host                               | Protocol | Port |
|-------|------------------------------------|----------|------|
| ALLOW | <tsgID>.ngts.paloaltonetworks.com  | TCP      | 443  |
| ALLOW | registry.ngts.paloaltonetworks.com | TCP      | 443  |

Discovery Agent uses the Go HTTP library, which reads its proxy settings from the process environment (the HTTP_PROXY, HTTPS_PROXY and NO_PROXY variables).

Modifying network settings for Kubernetes

You may need to add a network policy to allow outbound traffic, configure a proxy server, or both.

Egress using a network policy

Many Kubernetes and OpenShift clusters have NetworkPolicy enabled. Network policies allow you to limit how a Pod communicates over a network. They apply to connections between Pods in a cluster and also to connections between Pods and the internet.

To learn more, see external documentation on Kubernetes and OpenShift network policies.

Network policy example

The following example shows a NetworkPolicy that allows Discovery Agent to connect to the Next-Gen Trust Security REST API. Note that it permits egress to any destination (0.0.0.0/0) on TCP 443; if your environment requires tighter control, narrow the cidr to the addresses your egress path actually uses.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-venafi-agent
  namespace: venafi
spec:
  podSelector:
    matchLabels:
      app: venafi-agent
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 443

Proxy Server Considerations

Some clusters only allow internet connections through an HTTP(S) proxy. If that applies to you:

  1. Add the relevant API URL to your egress proxy's allowed-domain list, using your tsgID. For example, if your tsgID is 1426959155, add 1426959155.ngts.paloaltonetworks.com.

Using a proxy server

If your cluster only allows internet connections through an HTTP(S) proxy, add the following to your discovery-agent.values.yaml and update the values for your environment:

http_proxy: "http://proxy.example.com:8080"
https_proxy: "https://proxy.example.com:8443"
no_proxy: "127.0.0.1,localhost,kubernetes.default.svc,kubernetes.default.svc.cluster.local"
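As an added example (not the agent's own code) of how the Go HTTP library applies these settings: the program below exports the three values above into the process environment and asks http.ProxyFromEnvironment which proxy, if any, it would select for the API and registry hosts from the egress table versus the in-cluster names listed in no_proxy. The tsgID 1426959155 is the one used in the example above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
)

// Proxy settings taken from the discovery-agent.values.yaml fragment above.
const (
	httpProxy  = "http://proxy.example.com:8080"
	httpsProxy = "https://proxy.example.com:8443"
	noProxy    = "127.0.0.1,localhost,kubernetes.default.svc,kubernetes.default.svc.cluster.local"
)

// applyProxyEnv exports the settings as the environment variables that Go's
// http.ProxyFromEnvironment reads. The standard library reads them once, on
// first use, so they must be set before the first request is made.
func applyProxyEnv() {
	os.Setenv("HTTP_PROXY", httpProxy)
	os.Setenv("HTTPS_PROXY", httpsProxy)
	os.Setenv("NO_PROXY", noProxy)
}

// proxyFor reports which proxy Go would select for target, or "" when the
// connection bypasses the proxy (host listed in NO_PROXY, or localhost).
func proxyFor(target string) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	p, err := http.ProxyFromEnvironment(&http.Request{URL: u})
	if err != nil || p == nil {
		return "", err
	}
	return p.String(), nil
}

func main() {
	applyProxyEnv()
	for _, t := range []string{
		"https://1426959155.ngts.paloaltonetworks.com/", // REST API, via https_proxy
		"https://registry.ngts.paloaltonetworks.com/",   // registry, via https_proxy
		"https://kubernetes.default.svc/api",            // in-cluster, direct
		"http://127.0.0.1:8080/metrics",                 // loopback, direct
	} {
		p, err := proxyFor(t)
		fmt.Printf("%-48s -> proxy=%q err=%v\n", t, p, err)
	}
}
```

Because the standard library caches the proxy environment on first use, changing these variables after the agent has started sending requests has no effect until the process is restarted.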