QUESTION

I want to add Panther's IP address to my allow list for accessing some of my other tools, like Snowflake. How can I find this IP address?

ANSWER

Any services run by Panther from within your detections that need to access external resources do so from a common IP, unique to your instance. To view this in your Panther Console, navigate to Settings > General, and look for the Gateway Public IP at the bottom of the screen:

Screen Shot 2022-10-25 at 12.11.39 PM.png

Internal resources, like lambdas that access S3 buckets for log ingestion, may originate from randomly assigned AWS IPs, while others have a VPC config. The lambdas with a VPC config will egress using your Gateway Public IP shown above.
 

If you are unable to access your Panther Console via web browser after adding your Gateway Public IP to your allow list, you may need to follow additional steps below:

  1. Run this bash command:
    ns lookup<YOURINSTANCENAME>.runpanther.net

  2. IPs will be returned from the command. Add these to your allow list.

    • Please note that these IPs are dynamic and can change. 

To resolve these dynamic IP changes you can use any tools designed to resolve domain names to their DNS entries or a custom solution.  For ideas of a custom workflow that you can implement, feel free to use any of the following (bash or python) examples as templates to build upon:

bash-5.2$ IPS=$(dig +short <INSTANCE_NAME>.runpanther.net)
bash-5.2$ for IP in ${IPS[@]}; do echo $IP; done
00.000.000.00
88.888.8.8
import socket
>>> IPS=socket.gethostbyname_ex('<INSTANCE_NAME>.runpanther.net')[2]
>>> IPS
['00.000.000.00', '88.888.8.8']