Firewall & Network Requirements

Last updated: November 27, 2025

Configure your network infrastructure to enable secure communication between the Costif.ai agent and our cloud platform.

Quick Reference

For the Costif.ai agent to function properly, ensure the following outbound connection is allowed:

Required Firewall Rule
Destination: api.costif.ai
Port: 443
Protocol: TCP/HTTPS (TLS 1.2+)
Direction: Outbound

Overview

The Costif.ai agent is a lightweight service that runs on your endpoints (servers, workstations, and other devices) to collect software inventory data and usage telemetry. To transmit this valuable data securely to our cloud platform, the agent requires outbound HTTPS connectivity to our API servers.

All communication between the agent and Costif.ai servers is:

  • Encrypted end-to-end using TLS 1.2 or higher
  • Authenticated using your organization's unique tenant credentials
  • Outbound-only — no inbound connections to your network are required
  • Lightweight — data is compressed and transmitted in small, periodic batches

Required Network Access

The following endpoint must be accessible from any machine running the Costif.ai agent. Without this connectivity, the agent cannot report data or receive configuration updates.

Endpoint: api.costif.ai (Required)
Port: 443
Protocol: HTTPS/TLS 1.2+
Direction: Outbound

What this endpoint is used for:

  • Software Inventory Submission — The agent periodically sends discovered software, versions, and installation details to be processed by our AI engine
  • Usage Telemetry — Anonymous usage patterns help identify optimization opportunities (e.g., unused licenses)
  • Configuration Updates — The agent polls for configuration changes, policy updates, and scan schedules
  • Health Reporting — Heartbeat signals confirm agent connectivity and health status
  • Optimization Recommendations — Receive AI-generated cost-saving recommendations tailored to your environment

Optional Endpoints

The following endpoints are optional but recommended for full functionality:

Endpoint: get.costif.ai (Optional)
Port: 443
Protocol: HTTPS/TLS 1.2+
Direction: Outbound

Purpose:

Used for downloading agent installers and receiving automatic agent updates. If blocked, agents can still be installed manually and updated through your internal software distribution system.

Technical Specifications

Encryption

TLS 1.2 minimum (TLS 1.3 preferred). All data in transit is encrypted using industry-standard cipher suites.

Certificate Validation

The agent validates SSL/TLS certificates against trusted root CAs. Certificate pinning is enabled for enhanced security.

Bandwidth Usage

Typical: 1-5 MB/day per endpoint. Data is compressed with gzip before transmission. Scans are scheduled during off-peak hours.

Connection Frequency

Heartbeat: Every 5 minutes. Full inventory sync: Configurable (default: every 4 hours). On-demand scans available.

IP Address Information

Costif.ai uses cloud-hosted infrastructure with dynamic IP addresses. We recommend configuring firewall rules using the fully qualified domain name (FQDN) rather than static IP addresses:

Recommended Approach
# Allow by FQDN (recommended)
api.costif.ai:443

# If your firewall requires IP addresses, please contact
# support@costif.ai for current IP ranges

Proxy Server Configuration

If your organization routes outbound traffic through a proxy server, the Costif.ai agent supports HTTP/HTTPS proxy configuration. Configure proxy settings during installation or modify the agent configuration file:

Windows

Environment Variables
HTTPS_PROXY=http://proxy.company.com:8080
NO_PROXY=localhost,127.0.0.1,.internal.company.com

Linux / macOS

/etc/costif/agent.conf
proxy_url = "http://proxy.company.com:8080"
proxy_bypass = "localhost,.internal.company.com"

SSL Inspection Notice

If your proxy performs SSL/TLS inspection, you may need to add the proxy's root CA certificate to the agent's trust store. Contact your IT security team for the appropriate certificate and see our SSL Inspection Guide.

Firewall Configuration Examples

Below are example configurations for common enterprise firewall platforms. Adapt these to match your organization's naming conventions and policies.

Palo Alto Networks
Security Policy Rule
# Create Address Object
set address Costif-API fqdn api.costif.ai

# Create Security Rule (each set command is entered on a single line)
set rulebase security rules Allow-Costif-Agent from trust to untrust source any destination Costif-API
set rulebase security rules Allow-Costif-Agent application ssl service application-default action allow log-end yes
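
Cisco ASA / Firepower
Access Control List
! Create network object (FQDN objects require DNS lookup to be configured on the ASA)
object network COSTIF-API
  fqdn api.costif.ai

! Create access list entry
access-list OUTBOUND permit tcp any object COSTIF-API eq 443

! Apply to interface
! (an ACL ends with an implicit deny: add the entry to the ACL already applied
! to the interface rather than applying a new one-line ACL)
access-group OUTBOUND in interface inside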

Fortinet FortiGate
CLI Configuration
config firewall address
  edit "Costif-API"
    set type fqdn
    set fqdn "api.costif.ai"
  next
end

config firewall policy
  edit 0
    set name "Allow-Costif-Agent"
    set srcintf "lan"
    set dstintf "wan1"
    set srcaddr "all"
    set dstaddr "Costif-API"
    set action accept
    set schedule "always"
    set service "HTTPS"
    set logtraffic all
  next
end
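
Windows Defender Firewall
PowerShell
# Allow Costif.ai agent outbound communication
# -RemoteAddress accepts IP addresses, subnets, or ranges, not DNS names,
# so resolve the FQDN first. The addresses are dynamic: re-run this when
# they change, or contact support@costif.ai for current IP ranges.
$costifIps = Resolve-DnsName -Name api.costif.ai -Type A |
  Where-Object { $_.Type -eq 'A' } |
  Select-Object -ExpandProperty IPAddress

New-NetFirewallRule -DisplayName "Costif.ai Agent - API" `
  -Direction Outbound `
  -Protocol TCP `
  -RemotePort 443 `
  -RemoteAddress $costifIps `
  -Action Allow `
  -Profile Domain,Private,Public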

Linux iptables / nftables
iptables
# Allow HTTPS to api.costif.ai
# (iptables resolves the name once, when the rule is added)
iptables -A OUTPUT -p tcp -d api.costif.ai --dport 443 -j ACCEPT

# If using ipset for dynamic DNS resolution
# (the set starts empty; populate and refresh it from DNS)
ipset create costif_api hash:ip
iptables -A OUTPUT -p tcp -m set --match-set costif_api dst --dport 443 -j ACCEPT
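
The costif_api set used by the ipset rule matches nothing until it is filled, and api.costif.ai resolves to dynamic addresses. The following added example (not part of the original page or Costif.ai's tooling) refreshes the set from DNS and swaps it in atomically; the "_new" temporary set name and the --apply flag are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not Costif.ai tooling: keep the costif_api ipset in step with DNS.
# SET_NAME and FQDN come from the page; the "_new" temp set and --apply flag are assumed.
SET_NAME="costif_api"
FQDN="api.costif.ai"

# stdin: "getent ahostsv4" style lines (address first). stdout: unique valid IPv4s.
extract_ipv4() {
  awk '{ print $1 }' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
    awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' |
    sort -u
}

# stdin: one IP per line. stdout: an "ipset restore" script that fills a temporary
# set and swaps it into place, so the live set is never empty during the update.
build_restore() {
  echo "create ${SET_NAME} hash:ip"
  echo "create ${SET_NAME}_new hash:ip"
  echo "flush ${SET_NAME}_new"
  while read -r ip; do
    if [ -n "$ip" ]; then echo "add ${SET_NAME}_new ${ip}"; fi
  done
  echo "swap ${SET_NAME}_new ${SET_NAME}"
  echo "destroy ${SET_NAME}_new"
}

# Resolve, then apply. An empty answer (DNS outage) leaves the current set untouched
# rather than swapping in an empty set that would cut the agent off.
refresh_set() {
  ips="$(getent ahostsv4 "$FQDN" | extract_ipv4)"
  if [ -z "$ips" ]; then
    echo "no A records for $FQDN; keeping existing set" >&2
    return 1
  fi
  printf '%s\n' "$ips" | build_restore | ipset -exist restore
}

if [ "${1:-}" = "--apply" ]; then
  refresh_set
fi
```

Run it as root with --apply from cron or a systemd timer, at an interval shorter than the DNS record's TTL.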

Verifying Connectivity

After configuring your firewall rules, verify that endpoints can reach the Costif.ai API using these commands:

Windows (PowerShell)

Test Connectivity
Test-NetConnection -ComputerName api.costif.ai -Port 443

Expected: TcpTestSucceeded: True

Linux / macOS

Test Connectivity
curl -Is https://api.costif.ai/health | head -1

Expected: HTTP/2 200

Troubleshooting

Agent shows "Connection Failed" or "Unable to reach API"

The agent cannot establish a connection to api.costif.ai. Check:

  • Firewall rules allow outbound TCP/443 to api.costif.ai
  • DNS resolution is working (nslookup api.costif.ai)
  • Proxy settings are correctly configured (if applicable)
  • No SSL inspection is blocking the connection

SSL/TLS Certificate Errors

Certificate validation is failing. This usually occurs when:

  • A proxy is performing SSL inspection without the proper CA installed
  • System date/time is incorrect (certificates appear expired)
  • Root CA certificates are out of date

Solution: Install the proxy's root CA certificate or contact your security team.
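
An added example (not part of the original page or Costif.ai's tooling) that turns the certificate-error causes listed above, together with the check from Verifying Connectivity, into a scripted triage of `openssl s_client` output. The verify codes are OpenSSL's own; the --run flag and the result labels are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not Costif.ai tooling: triage a TLS handshake to api.costif.ai
# from `openssl s_client` text output. It tests the host's OpenSSL trust store,
# which is an assumption: the agent's own trust store and pinning may differ.
HOST="api.costif.ai"

# stdin: s_client output. stdout: "<protocol>|<verify code>|<issuer>".
parse_s_client() {
  awk '
    /^New, TLSv1\.[0-9]/      { sub(/,$/, "", $2); proto = $2 }
    /^ *Protocol *: /         { if (proto == "") proto = $NF }
    /^ *Verify return code: / { code = $4 }
    /^issuer=/                { sub(/^issuer=/, ""); issuer = $0 }
    END { printf "%s|%s|%s\n", proto, code, issuer }'
}

# $1: parse_s_client output. Maps OpenSSL verify codes to the causes the page lists.
triage() {
  IFS='|' read -r proto code issuer <<EOF
$1
EOF
  case "$proto" in
    TLSv1.2|TLSv1.3) ;;
    "") echo "no-handshake: check firewall, DNS and proxy before TLS"; return 0 ;;
    *)  echo "weak-protocol: negotiated $proto, TLS 1.2+ is required"; return 0 ;;
  esac
  case "$code" in
    0)    echo "ok: $proto, chain verified, issuer: $issuer" ;;
    9|10) echo "clock-or-expiry: check system date/time (verify code $code)" ;;
    18|19|20|21)
          echo "untrusted-issuer: proxy CA missing or root CAs out of date, issuer: $issuer" ;;
    *)    echo "other: verify code ${code:-none}" ;;
  esac
}

if [ "${1:-}" = "--run" ]; then
  out="$(openssl s_client -connect "$HOST:443" -servername "$HOST" </dev/null 2>/dev/null)"
  triage "$(printf '%s\n' "$out" | parse_s_client)"
fi
```

An issuer that names your organization's proxy rather than a public CA indicates the connection is being inspected.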

Intermittent Connectivity

The agent connects sometimes but not consistently:

  • Check for rate limiting on your firewall or proxy
  • Verify DNS TTL caching isn't causing stale IP addresses
  • Look for network congestion during peak hours
  • Review firewall logs for dropped connections

Need Assistance?

If you're experiencing issues configuring network access for the Costif.ai agent, our support team is here to help: