Overview 💥
Some systems your Liongard inspectors need to reach enforce IP-based access restrictions or allowlists. These restrictions can block inspection traffic if Liongard’s source IPs are not allowed. This is most common when:
Inspecting internal or restricted systems behind a firewall
Inspecting cloud systems with strict API allowlists
Using cloud-based On-Demand Agents, whose traffic originates from dynamic IP pools
Liongard’s inspectors may fail or remain in an error state if their source IP is blocked. This article explains why this happens and how to address it.
Why This Happens 🤔
🌐 Dynamic IPs and On-Demand Agents
Liongard’s On-Demand Agents operate from the cloud and use dynamic AWS IP addresses that reside in shared IP pools. Many target systems that enforce strict IP restrictions will reject traffic from these dynamic addresses, leading to inspection failures.
🏠 Networks with Static IP Restrictions
Systems with static IP allowlists (e.g., internal firewalls, VPN-only services, or cloud APIs locked to specific IPs) will not accept traffic unless the source IP is explicitly permitted.
🧠 Recommended Solution: Use Self-Managed Agents
To work around IP restrictions and ensure inspections succeed, we recommend using Self-Managed Agents instead of cloud On-Demand Agents.
Self-Managed Agents run inside your or your customer’s network, making their IP address predictable and allowlist-friendly. These agents support most Liongard inspectors and are ideal for restricted environments.
Step-by-Step: How to Overcome IP Restrictions 🧑🏫
1️⃣ Install a Self-Managed Agent
In your environment, select a server or workstation that has network access to the restricted system.
Download the Self-Managed Agent installer from Liongard.
Run the installer and complete agent setup.
Confirm the agent appears as online in Liongard under Admin → Agents.
🔁 Make sure the address the target sees for the agent host is stable: a static internal address for targets on the same network, and a fixed NAT or VPN egress address for targets reached across the internet. If that address changes (e.g., a DHCP lease on the host or a dynamic ISP assignment on the gateway), the allowlist entry stops matching and inspections fail again.
2️⃣ Reassign Your Inspectors
Go to Admin → Inspectors.
Edit each inspector that targets an IP-restricted system.
In the Agent dropdown, select the new Self-Managed Agent.
Save changes and run the inspector manually to verify connectivity.
3️⃣ Allowlist the Agent’s IP Address
Identify the IP address the target system actually sees for the agent host: its internal address for targets on the same network, or the public NAT/VPN egress address for targets reached across the internet. The host's own interface address is not what an internet-facing target sees, so check from the target's side where possible.
In the target system’s IP access control / allowlist settings, add this IP address.
Confirm that the allowlist entry permits traffic on the ports and protocols used by that inspector (often HTTPS/TCP-443 or other protocol ports depending on the inspector).
📌 If the target system permits CIDR notation, prefer a single-host entry (a /32 for IPv4) and only widen it to a range such as 10.0.0.0/24 when the agent's egress IP genuinely moves within a known block; every extra address in the range is another host the target will trust.
Additional Considerations 👨💻
🟡 Firewall and Network Settings
Ensure the Self-Managed Agent’s host is not blocked by local or perimeter firewalls.
Verify that outbound traffic from the agent to the target system is permitted over the required protocols.
🔁 Static vs Dynamic IPs
If a Self-Managed Agent’s public IP is dynamic (changes over time), your allowlist will eventually block it again.
Use a static IP or a VPN with a fixed egress IP for reliable inspections.
🧪 Agent Must Remain Online
Inspectors cannot run if the Self-Managed Agent goes offline. Verify agent status in Admin → Agents and resolve any connectivity or heartbeat issues promptly.
On-Demand Agents and IP Restrictions 🚨
Because On-Demand Agents use dynamic IP addresses from AWS:
They cannot be reliably allowlisted by specific IP.
They are suitable for systems without strict IP restrictions.
Target systems that require allowlisting should use Self-Managed Agents instead.
Troubleshooting Checklist 🗒️
| Symptom | Common Cause | Recommended Action |
|---|---|---|
| Inspector fails to connect | Target system rejects source IP | Verify the allowlist includes the Self-Managed Agent's IP as the target sees it |
| Inspector times out | Firewall blocking traffic | Confirm the firewall allows traffic from the agent on the inspector's ports |
| Inspector never runs | Agent offline | Check agent heartbeat and connectivity |
| Partial success | IP range not fully allowed | Expand the allowlist to cover every address the agent's traffic can arrive from |
Best Practices 🌟
📌 Always use Self-Managed Agents for IP-restricted systems.
📋 Use static IPs or VPN egress IPs for agents to ensure reliable allowlisting.
🔁 Document each allowlist entry, including the date it was added and the reason.
🔍 Periodically verify that agent IPs remain valid after network changes.
When to Contact Liongard Support 🦁
Contact Support if:
You cannot install or configure a Self-Managed Agent.
Allowlisting seems correct, but inspectors still fail.
You are unsure which IP or allowlist configuration is needed.
Include in your support request:
Target system type
Network allowlist settings
Self-Managed agent IP
Inspector name and operating environment
Summary 🤩
On-Demand Agents use dynamic AWS IPs and are not suitable for heavily restricted systems.
Installing a Self-Managed Agent with a predictable source IP lets you satisfy IP restrictions rather than work around them: the target still enforces its allowlist, and the agent's address is simply on it.
After installing, reassign inspectors and allowlist the agent’s IP on the target platform.
Use static IP configurations for best reliability.