API Gateway requirements
Review the requirements before you
Core platform dependencies
Make sure that your environment meets the following requirements:
-
Tanium™ Core Platform servers: 7.4.4 or later
- Tanium™ Client: No client requirements.
- Tanium™ Console: 2.0 or later
- Tanium content: API Gateway uses sensors that are included in the Core Content and Core AD Query content packs.
Solution dependencies
Other Tanium solutions are required for API Gateway to function (required dependencies) or for specific API Gateway features to work (feature-specific dependencies). The installation method that you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.
Some API Gateway dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies and Feature-specific dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that API Gateway requires.
Tanium recommended installation
If you select Tanium Recommended Installation when you import API Gateway, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.
Import specific solutions
If you select only API Gateway to import and are using Tanium Core Platform 7.5.2.3531 with Tanium Console 3.0.72 or later, the Tanium Server automatically imports the latest available versions of any required dependencies that are missing. If some required dependencies are already imported but their versions are earlier than the minimum required for API Gateway, the server automatically updates those dependencies to the latest available versions.
If you select only API Gateway to import and you are using Tanium Core Platform 7.5.2.3503 or earlier with Tanium Console 3.0.64 or earlier, you must manually import or update required dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.
Required dependencies
API Gateway has the following required dependencies at the specified minimum versions:
- Tanium Interact 2.14.96 or later
- Tanium System User Service 1.0.40 or later
Feature-specific dependencies
If you select only API Gateway to import, you must manually import or update its feature-specific dependencies regardless of the Tanium Console or Tanium Core Platform versions. API Gateway has the following feature-specific dependencies at the specified minimum versions:
- Tanium Asset 1.23.8 or later is required to submit a mutation request to import assets (assetsImport).
- Tanium Asset 1.24.76 or later is required to submit a request that retrieves Asset products (query.assetProducts) or endpoints based on installed Asset products (query.assetProductEndpoints), or updates Asset tracking metrics (mutation.assetProducts).
- Tanium Blob 1.0.6 or later is required to submit a request involving blob storage.
- Tanium Comply 2.10.940 or later is required to submit a request involving the System Vulnerability and System Compliance risk vectors.
- Tanium Comply 2.16.97 or later is required to submit a request that filters Comply-related fields (complianceFindings or cveFindings).
- Tanium Direct Connect 1.10.39 or later is required to submit a request involving a direct connection with an endpoint.
- Tanium Deploy 2.9.123 or later is required to submit a request involving Deploy functionality.
- Tanium Impact 1.7.62 or later is required to submit a request involving the Administrative Access risk vector.
- Tanium Reporting 1.12.144 or later is required to submit a request involving Reporting functionality.
- Tanium Reveal 1.15.185 or later is required to submit a request involving the Password Identification risk vector.
- Tanium Risk/Benchmark 1.2.24 or later is required to submit a request involving Risk/Benchmark functionality.
- Tanium Performance 1.10.57 or later is required to submit a request involving Performance functionality.
- Tanium Threat Response 3.1 or later is required to submit a request involving Threat Response functionality.
Tanium™ Module Server
API Gateway is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.
For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.
Endpoints
API Gateway does not directly deploy packages to endpoints. However, you can use API Gateway to deploy packages through Tanium Deploy. For Tanium Deploy endpoint requirements, see Tanium Deploy User Guide: Endpoints.
For Tanium Client operating system support, see Tanium Client Management User Guide: Client version and host system requirements.
Host and network security requirements
Specific ports
Ports
The following ports are required for API Gateway communication.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
|
|
Module Server (loopback) | 17600 | TCP | Internal purposes, not externally accessible |
No additional ports are required.
Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.
For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.
Security exclusions
If security software is in use in the environment to monitor and block unknown host system processes, Tanium recommends that a security administrator create exclusions to allow the Tanium processes to run without interference. The configuration of these exclusions varies depending on AV software. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.
| Target Device | Notes | Exclusion Type | Exclusion |
|---|---|---|---|
| Module Server | Process | <Module Server>\services\graphql-platform-service\TaniumGraphqlPlatformService.exe | |
| Process | <Module Server>\services\twsm-v1\twsm.exe |
No additional process exclusions are required.
API access
To access the API Gateway using a method other than the query explorer in the Tanium Console, you must first create an API Token. For more information, see Tanium Console User Guide: Create API tokens.
Use the following URL for API Gateway access:
| URL | Notes |
|---|---|
| <customerURL>-api.cloud.tanium.com/plugin/products/gateway/graphql | The maximum payload size for API requests and responses is 10 MB. |
| <taniumModuleServerURL>/plugin/products/gateway/graphql | The maximum payload size for API requests and responses is 10 MB. |
User role requirements
The following tables list the role permissions required to use API Gateway. For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.
Do not assign the API Gateway Service Account and API Gateway Service Account - All Content Sets roles to users. These roles are for internal purposes only.
| Permission | API Gateway User1 |
|---|---|
|
Gateway Api Access API Gateway |
EXECUTE |
|
Gateway Service Account Provides access for the API Gateway service. |
|
|
1 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: User role requirements. |
|
| Permission | Permission Type | API Gateway User |
|---|---|---|
| Token - Use | Administration |
SPECIAL |
| Plugin | Platform Content |
EXECUTE1 READ1 |
|
To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions. 1 Grants access to content in the Interact content set. |
||
Last updated: 5/30/2023 4:11 PM | Feedback