Introduction
This document outlines the necessary network firewall rules for the Navitas SmartProbe to ensure full functionality.
The requirements are in three parts:
Navitas SmartProbe Application: Detailing the specific endpoints required by our custom software.
Remote Support (AnyDesk): Rules required for remote troubleshooting and control.
Android 8 OS & Google Services: Core services required by the Android operating system for connectivity, notifications, and app management.
For the device to operate as intended, all listed destinations and ports must be accessible from the device's network.
Application-Specific Rules: Navitas SmartProbe
This section details the network requirements for the Navitas SmartProbe application software.
| Destination Host(s) | IP Address | Protocol | Port | Reason |
|---|---|---|---|---|
| apps.navitas.eu.com | 35.195.27.57 | TCP | 443 (HTTPS) | Navitas Login Server |
| dfs.navitas.eu.com, smartprobes.dfs.navitas.eu.com | 35.227.247.204 | TCP | 443 (HTTPS) | Required for access to the Digital Food Safety platform and SmartProbe APIs |
Note: We strongly recommend that firewall rules are based on the Hostnames (CNAME) and not the IP addresses, as we cannot guarantee that IP addresses will not change over time.
Remote Support Requirements: AnyDesk
The device utilizes AnyDesk for remote support and troubleshooting. To ensure our support team can access the device when required, the following rules must be active.
Reference: Official AnyDesk Firewall Documentation
| Destination Host(s) | IP Address | Protocol | Ports | Reason |
|---|---|---|---|---|
| *.anydesk.com, *.net.anydesk.com | n/a | TCP | 6568 | AnyDesk Network (Primary) |
| *.anydesk.com, *.net.anydesk.com | n/a | TCP | 80, 443 | AnyDesk (Fallback) |
Note: AnyDesk favours port 6568 but will fall back to the standard web ports 80 or 443 if 6568 is unavailable.
Remote Application Monitoring: Sentry
Our application uses Sentry.io to capture application telemetry about performance and operational issues, such as errors raised inside the application. If access to these endpoints is blocked, the application displays a warning dialog at start-up but otherwise functions as expected.
Reference: Official Sentry Firewall Documentation (see the "Event Ingestion" section)
| Destination Host(s) | IP Address | Protocol | Ports | Reason |
|---|---|---|---|---|
| o<number>.ingest.sentry.io, o<number>.<location>.ingest.sentry.io | Currently: 34.120.195.249/32, 34.120.62.213/32, 34.160.81.0/32, 34.102.210.18/32, 2600:1901:0:5e8a::/64, 2600:1901:0:7edb::/64 | TCP | 443 | Transmission of application telemetry from the Navitas SmartProbe Application to Sentry for remote analysis and alerting |
Note: These values are taken from the official Sentry documentation as of the time this document was updated; Sentry reserves the right to change them. A more flexible ruleset would therefore be a CNAME-based rule on *.ingest.sentry.io.
Operating System Requirements: Android 8 (Oreo)
The Android 8 operating system and Google Play Services require access to several services to function. Blocking these can result in connectivity warnings, failed app updates, and a failure of push notifications.
It should be noted that the Navitas application does not currently rely on the standard Android ecosystem (e.g. push notifications, play services or the google play store), however various underlying parts of the device may still require them and so we would recommend traffic be permitted through the firewall.
For the official and detailed information please refer to the following Google documentation: Android Enterprise Network Requirements documentation.
Push Notification Services (GCM/FCM)
This is the most critical requirement for any application that needs real-time alerts. Android uses Google's Firebase Cloud Messaging (FCM) service to deliver all push notifications.
Note: This service often uses non-standard ports. If these ports are blocked, no push notifications will be delivered to the device.
| Destination Host(s) | IP Address | Protocol | Ports | Reason |
|---|---|---|---|---|
| fcm.googleapis.com, gcm-http.googleapis.com | n/a | TCP | 443 | Notification Service (Primary) |
| (No specific host; a port-based rule is required) | n/a | TCP / UDP | 5228-5230 | Persistent Notification Connection |
Core System & Connectivity Checks
These services are used by the OS to verify that it has a valid internet connection and to synchronize its internal clock. An incorrect clock will cause all secure (HTTPS/SSL) connections to fail.
| Destination Host(s) | IP Address | Protocol | Ports | Reason |
|---|---|---|---|---|
| connectivitycheck.android.com, connectivitycheck.gstatic.com, www.google.com (for /generate_204) | n/a | TCP | 443 | Internet Connectivity Check |
| time.google.com, time.android.com (or a local NTP server) | n/a | UDP | 123 | Time Synchronization (NTP) |
| (Customer's configured DNS server) | n/a | TCP / UDP | 53 | Domain Name System (DNS) |
Google Play Services & Application Management
These services are required for Google account authentication, downloading new applications, and updating both existing applications and the built-in Google framework services.
| Destination Host(s) | IP Address | Protocol | Ports | Reason |
|---|---|---|---|---|
| play.google.com, *.gvt1.com, dl.google.com, dl-ssl.google.com | n/a | TCP | 443 | Google Play Store & App Downloads |
| *.googleapis.com, *.googleusercontent.com, *.gstatic.com | n/a | TCP | 443 | General Google APIs & Content |
| accounts.google.com | n/a | TCP | 443 | Account Authentication |
Google Observations
During internal testing we have observed that, in many cases, a reverse DNS lookup on the Google servers returns names such as 'sv-in-f94.1e100.net' or 'yulhrs-in-f104.1e100.net' rather than the 'forward' domain names specified in the tables above.
It should be noted that '1e100.net' is a Google-owned domain used to host the entirety of their backend infrastructure. Any appearance of it in device logs is therefore likely to correspond to the rules above and should be permitted.
Local Network Requirements (Multicast)
In addition to the remote networking rules defined in the previous sections, the SmartProbe also sends local network broadcasts, as shown in the table below.
Note: Our testing has shown these can safely be blocked if required by your internal security policies. The only impact of doing so is to remove the ability for local device discovery across Android, Network Discovery or AnyDesk.
| Purpose | Protocol | Ports | Reason |
|---|---|---|---|
| AnyDesk Local Discovery | UDP | 50001, 50002, 50003 | Used by AnyDesk to locate other clients on the local network; uses the multicast group address 239.255.102.18. |
| Android ZeroConf | UDP | 5353 | Android's native "Network Service Discovery" (NSD). Android uses this to find printers and Google Cast devices (Chromecasts), and it allows other local tools to find the device. |
| IPv6 Neighbor Discovery | ICMPv6 | n/a | As the Android network stack prefers IPv6, it periodically sends "Neighbor Solicitation" packets to see whether there are any IPv6 routers nearby. |
| Multicast Management (IGMP) | IGMPv3 | n/a | igmp.mcast.net. Required to manage membership of the multicast groups listed above. |
Appendix A – Complete List of Network Rules
Where a CNAME is provided we strongly recommend that any firewall rules are based on the CNAME and not the IP address, as the exact IP address may change over time.
Note that these are 'forward' DNS names suitable for rulesets, not the 'reverse' DNS mappings that may appear in device logs. This is most relevant to the Google-related endpoints, whose reverse DNS may show as subdomains under 1e100.net.
| Destination Host | IP | Protocol | Port | Reason |
|---|---|---|---|---|
| apps.navitas.eu.com | 35.195.27.57 | TCP | 443 (HTTPS) | Navitas Login Server |
| dfs.navitas.eu.com, smartprobes.dfs.navitas.eu.com | 35.227.247.204 | TCP | 443 (HTTPS) | Required for access to the Digital Food Safety platform and SmartProbe APIs |
| *.anydesk.com, *.net.anydesk.com | n/a | TCP | 6568 | AnyDesk Network (Primary) |
| *.anydesk.com, *.net.anydesk.com | n/a | TCP | 80, 443 | AnyDesk (Fallback) |
| o<number>.ingest.sentry.io, o<number>.<location>.ingest.sentry.io | 34.120.195.249/32, 34.120.62.213/32, 34.160.81.0/32, 34.102.210.18/32, 2600:1901:0:5e8a::/64, 2600:1901:0:7edb::/64 | TCP | 443 | Transmission of application telemetry from the Navitas SmartProbe Application to Sentry for remote analysis and alerting |
| fcm.googleapis.com, gcm-http.googleapis.com | n/a | TCP | 443 | Notification Service (Primary) |
| (No specific host; a port-based rule is required) | n/a | TCP / UDP | 5228-5230 | Persistent Notification Connection |
| connectivitycheck.android.com, connectivitycheck.gstatic.com, www.google.com (for /generate_204) | n/a | TCP | 443 | Internet Connectivity Check |
| time.google.com, time.android.com (or a local NTP server) | n/a | UDP | 123 (NTP) | Time Synchronization (NTP) |
| (Customer's configured DNS server) | n/a | TCP / UDP | 53 | Domain Name System (DNS) |
| play.google.com, *.gvt1.com, dl.google.com, dl-ssl.google.com | n/a | TCP | 443 | Google Play Store & App Downloads |
| *.googleapis.com, *.googleusercontent.com, *.gstatic.com | n/a | TCP | 443 | General Google APIs & Content |
| accounts.google.com | n/a | TCP | 443 | Account Authentication |
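As an added example (not Navitas code), the following Python script checks from the device's network segment whether the TCP destinations in Appendix A are reachable, which is the practical way to confirm a ruleset before a device is deployed. The rule list is transcribed from the appendix; the `connect` parameter is an assumption of this example so that a stub can be substituted when no network is available.

```python
# Added reachability check for the Appendix A allowlist (not Navitas code).
# Rules are transcribed from the appendix; a stubbed connector can be passed
# to check_rules() so the classification logic is testable without network.
import socket
from typing import Callable, Dict, List

# (hosts, protocol, ports, reason); ports may be a comma list or a range.
RULES = [
    ("apps.navitas.eu.com", "TCP", "443", "Navitas Login Server"),
    ("dfs.navitas.eu.com smartprobes.dfs.navitas.eu.com", "TCP", "443",
     "Digital Food Safety platform and SmartProbe APIs"),
    ("*.anydesk.com *.net.anydesk.com", "TCP", "6568", "AnyDesk (Primary)"),
    ("fcm.googleapis.com gcm-http.googleapis.com", "TCP", "443", "Notifications"),
    ("", "TCP / UDP", "5228-5230", "Persistent Notification Connection"),
    ("time.google.com time.android.com", "UDP", "123", "Time Synchronization"),
]

def expand_ports(spec: str) -> List[int]:
    """'80, 443' -> [80, 443]; '5228-5230' -> [5228, 5229, 5230]."""
    ports = []
    for part in (p.strip() for p in spec.split(",")):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(part))
    return ports

def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real connector: True only if the TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # DNS failure, refused, or silently dropped by the firewall
        return False

def check_rules(rules, connect: Callable[[str, int], bool] = tcp_connect) -> Dict[str, List[str]]:
    """Classify each host:port as 'ok', 'blocked' or 'manual'. Wildcard-only hosts
    and UDP/port-range rules cannot be proven by a connect test, so they go to 'manual'."""
    report = {"ok": [], "blocked": [], "manual": []}
    for hosts, proto, ports, reason in rules:
        names = [h for h in hosts.split() if not h.startswith("*")]
        for port in expand_ports(ports):
            if proto != "TCP" or not names:
                report["manual"].append(f"{hosts or '<any>'}:{port}/{proto} ({reason})")
                continue
            for name in names:
                report["ok" if connect(name, port) else "blocked"].append(f"{name}:{port}/TCP ({reason})")
    return report
```

Run `check_rules(RULES)` from the SmartProbe's VLAN; anything under "blocked" is a missing or mis-scoped rule, and the "manual" entries (wildcard hosts, NTP, the 5228-5230 range) need to be confirmed against the firewall configuration directly.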