#fleet
Artem

05/24/2022, 2:17 PM
Hi guys! Could you please give some advice on how to securely open Fleet access for osquery from the internet?
2:32 PM
Some of our hosts are in network segments isolated from each other and only have access to the internet.
2:38 PM
This is the only API absolutely required to be public for hosts that are running osquery and aren't on the same network as the fleet servers.
Artem

05/24/2022, 5:49 PM
Thank you!
Jason

05/24/2022, 6:29 PM
We expose our Fleet server to the internet behind a WAF and restrict the admin interface to known IPs. This way we are also able to block potential abuse, bots, etc.
Artem

05/24/2022, 6:31 PM
Hi @Jason! Thank you too! We'll try to create an ACL for such hosts!
Andreas Piening

05/25/2022, 2:42 PM
Just for my understanding: the clients (osquery nodes) need access to the Fleet server at /api/osquery, but not the other way around, right? So it would be fine to have a local system behind NAT which is not directly exposed or reachable from the public network, as long as the node can access the Fleet server via HTTPS?
Jason

05/25/2022, 7:15 PM
Correct
7:15 PM
Double check with the fleet folks. Some of the endpoints have changed recently.