Configuring network egress allow list rules in CMP

If you want to allow outbound communications from Tanium Cloud to specific destinations, you can configure network egress allow list rules. The configured rules apply to all outbound communications from solutions such as Tanium™ Connect, Tanium™ Discover, or Tanium package downloads.

Although any CMP user can view the network egress allow list, only the primary administrator can configure it.

Do not create egress allow list rules for domains where users can host arbitrary content. Some examples include but are not limited to the following:

  • *.dropbox.com
  • *.github.com
  • *.sourceforge.net
  • s3.*.amazonaws.com (AWS S3 bucket not tied to your own domain)
  • drive.google.com

Tanium reserves the right to restrict FQDNs from receiving proxy exceptions for security reasons. The network egress allow list does not override the list of sites that Tanium restricts.

Configure a new network egress rule

  1. From the CMP menu, click Network Egress Allow List.

  2. Click Add, specify values for the following fields, and then click Add.
    • FQDN: Fully qualified domain name for the network egress destination

      Some FQDN values might change what fields you see. If you enter a Regional AWS S3 FQDN value in the FQDN field, a Global FQDN field appears that is automatically populated with the appropriate value to ensure correct routing. Conversely, if you enter a Global AWS S3 FQDN value in the FQDN field, a Regional FQDN field appears, and you must manually enter the Regional AWS S3 FQDN value in this field to ensure correct routing.

    • Port: Port number for the network egress destination. See the help in CMP for commonly used ports for specific protocols.

      Tanium does not support sending data over TCP ports 22, 25, 111, 3128, 3129, 3130, 4000, 5000, 6000, 9100, 9301, 9302, 9901, and 9902. For email, use the encrypted SMTP ports TCP 465 or TCP 587 instead. If you create a rule with external access for an SMTP email server destination (default TCP port 465 or TCP port 587), you can associate the port with only one FQDN.

    • Item Name: A unique vanity name to identify the rule
    • Client API Package URL: Select Yes if you plan to use the Tanium Client API to download files from the Internet to endpoints in your environment. Otherwise, select No.
    • Note: An optional note with more details about the rule

Allow a few minutes for the changes to take effect.

Edit an existing network egress rule

The following are the steps to edit a single egress rule. If you want to edit multiple rules at a time, you can export the list of rules to a CSV, edit the rules offline, and then import the rules back into CMP. See Export network egress rules and Import network egress rules.

  1. From the CMP menu, click Network Egress Allow List.

  2. Click Edit next to the rule that you want to update.

  3. Make any updates and then click Save.

Export network egress rules

  1. From the CMP menu, click Network Egress Allow List.

  2. In the header of the table, click Export.

The list of network egress rules downloads as a CSV file to the download folder of your local browser.

Import network egress rules

Importing network egress rules overwrites any existing rules in CMP. Be sure to include all rules in the imported CSV file.

  1. From the CMP menu, click Network Egress Allow List.

  2. Choose one of the following:
    • At the top of the page, click Import.
    • In the header of the table, click Import.
  3. From the Import Files dialog, either drag the CSV file into the drop area, or click Browse for File to select the CSV file that you want to import.
  4. After CMP validates the rules, click Confirm.
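Because an import replaces every existing rule, it is worth checking the CSV offline against the constraints this page states before uploading it. The following script is an added example, not Tanium's code: it assumes the CSV header columns FQDN, Port and Item Name (adjust them to match the file CMP exports) and flags the unsupported TCP ports, more than one FQDN on an SMTP port 465 or 587, and destinations that fall under the user-content hosting domains listed at the top of this page.

```python
import csv
import fnmatch
import io
from collections import defaultdict

# TCP ports the page lists as unsupported for outbound data.
UNSUPPORTED_PORTS = {22, 25, 111, 3128, 3129, 3130, 4000, 5000, 6000, 9100, 9301, 9302, 9901, 9902}
# Encrypted SMTP ports: each may be associated with only one FQDN.
SMTP_PORTS = {465, 587}
# Domains where users can host arbitrary content (the page's examples).
USER_CONTENT_PATTERNS = ["*.dropbox.com", "*.github.com", "*.sourceforge.net",
                         "s3.*.amazonaws.com", "drive.google.com"]

def matches_user_content(fqdn):
    host = fqdn.strip().lower()
    return any(fnmatch.fnmatchcase(host, p) for p in USER_CONTENT_PATTERNS)

def check_rules(csv_text):
    """Return (item_name, problem) findings for an egress-rule CSV.
    Column names FQDN, Port and Item Name are an assumption, not CMP's documented format."""
    findings = []
    smtp_fqdns = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, fqdn = row["Item Name"], row["FQDN"].strip().lower()
        if not row["Port"].isdigit():
            findings.append((name, f"port {row['Port']!r} is not a number"))
            continue
        port = int(row["Port"])
        if port in UNSUPPORTED_PORTS:
            findings.append((name, f"TCP port {port} is not supported for egress"))
        if matches_user_content(fqdn):
            findings.append((name, f"{fqdn} matches a user-content hosting domain"))
        if port in SMTP_PORTS:
            smtp_fqdns[port].add(fqdn)
    for port, fqdns in sorted(smtp_fqdns.items()):
        if len(fqdns) > 1:
            findings.append(("*", f"SMTP port {port} is associated with {len(fqdns)} FQDNs: {sorted(fqdns)}"))
    return findings

# Constructed sample export for demonstration, not real data.
SAMPLE_CSV = "\n".join([
    "FQDN,Port,Item Name",
    "updates.example.com,443,Vendor updates",
    "smtp.example.com,587,Mail relay",
    "smtp2.example.com,587,Backup relay",
    "files.dropbox.com,443,Shared drive",
    "legacy.example.com,25,Legacy mail",
])
```

Calling check_rules(SAMPLE_CSV) returns three findings: the Dropbox destination, the port 25 rule, and port 587 shared by two FQDNs.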

Delete an existing network egress rule

  1. From the CMP menu, click Network Egress Allow List.

  2. Click Delete next to the rule that you want to delete, and then click Delete to confirm the action.