RedShield Cloud: Network Firewall Lockdown Security
When finalising your migration to RedShield Cloud, it is important to block traffic which comes directly to your website, ie traffic which attempts to bypass RedShield Cloud.
Network administrators should follow this article (click the button on the top right corner of this article) in order to be notified of changes in RedShield IP ranges.
RedShield IP ranges
RedShield IP ranges are published on https://www.redshield.co/ipv4 (Last changed: 28th January 2023)
These may change periodically, but we will update this article with the date they were last changed, so you can follow this article to be notified.
Set your firewalls to only allow traffic from RedShield IP ranges to your websites.
Verify that these firewall rules are being triggered, and processing traffic for your website, before continuing with configuring the blocking rule below.
Please ensure there is no blocking, rate limiting or intrusion prevention which may impede any traffic originating from RedShield addresses.
Vulnerability Scanning Traffic
Vulnerability Scanning traffic may come from any of the RedShield IP ranges above.
RedShield runs two types of scan against your website: "Shielded" and "Passthrough". Prior to migrating your DNS to RedShield, a third type of scan ("Standard") may run.
Shielded scans test the effectiveness of RedShield's process of blocking malicious traffic. RedShield is between the scanners and your origin website, and will block most of the malicious requests.
Passthrough scans test the vulnerabilities on your website as if RedShield was not in place. RedShield's protections are switched off, and the scanner traffic hits your web server directly.
By looking at the difference between Passthrough and Shielded scans, we can show which valid vulnerabilities are being blocked by RedShield.
Standard scans are run when your website DNS has not yet migrated to RedShield. Our scanners will scan your origin web servers directly.
Please note that Standard and Passthrough scanning traffic is not blocked by RedShield and may result in an increased number of requests during a scan. The operations team will work with you to determine a schedule for when this will occur.
Shielded scan traffic will come from any RedShield IP and contain an X-Forwarded-For header with one of the following IPs:
Passthrough scan traffic will not contain X-Forwarded-For headers, and will come from a different set of IPs:
Standard scan traffic may come from any RedShield IP.
Block all other traffic to your website IP and ports
RedShield can only secure your origin web servers if no other internet traffic is able to reach them. Once you are confident RedShield is in path and DNS is migrated, you need to block all other traffic from reaching your origin web servers.
1. This rule MUST go below the rules shown above as listed in your firewall rule set. Do not set this rule to take precedence over the allow statements listed above.
2. You may wish to implement this rule in transparent/non-blocking mode for a period, to determine that it is not being triggered by legitimate traffic for any reason.
IP and Port:
|*:*||your web IPs||80, 443||TCP||Block|
Rollback: Migrating Traffic back off RedShield Cloud, to hit sites directly
In the event of rollback where traffic is required to hit web servers directly and bypass RedShield Cloud, disable the blocking rule listed above before making DNS changes.