Firewall Configuration

Firewall Allowlist for External Logging

Event logs configured through the Keeper Admin Console are pushed from Keeper's backend logging system through a static set of IP addresses. For added security, you can lock down your SIEM HTTP collector to the specific IP/ports listed below.

Inbound Requests (SIEM Events and Automator)

For customers who are receiving inbound requests from the Keeper production environment, use the below IP addresses. This applies to SIEM event reporting and SSO Cloud Automator.

US / Global

• 34.194.242.137/32

• 18.235.39.229/32

• 54.208.20.102/32 (Connection verification only)

• 34.203.159.189/32 (Connection verification only)

EU / Dublin

• 54.246.149.209/32

• 34.250.37.43/32

• 52.210.163.45/32 (Connection verification only)

• 54.246.185.95/32 (Connection verification only)

AU / Sydney

• 54.206.253.126/32

• 52.64.85.78/32

• 3.106.40.41/32 (Connection verification only)

• 54.206.208.132/32 (Connection verification only)

US / GovCloud

• 18.253.101.55/32

• 18.253.102.58/32

• 18.252.135.74/32 (Connection verification only)

• 18.253.212.59/32 (Connection verification only)

CA / Canada Hosted Customers

• 35.182.155.224/32

• 35.182.216.11/32 (Connection verification only)

• 15.223.136.134/32 (Connection verification only)

JP / Tokyo Hosted Customers

• 35.74.131.237/32

• 54.150.11.204/32 (Connection verification only)

• 52.68.53.105/32 (Connection verification only)

After external logging is established, it might be automatically put on pause if the external system becomes unavailable and the number of the events in the queue reaches a threshold of 50. If this happens, you will have to manually resume the external logging after correcting the issue. We recommend setting up an alert for the "Paused Audit log Sync" event so you get notified if the external logging is paused.