How do I whitelist Watchful IP addresses and user agents?

If you are are experiencing connection or validation issues on numerous sites, particularly on the same server, Watchful may be blocked/blacklisted by any of the following:

• your DNS firewall (i.e. Cloudflare)
• your server firewall (i.e. ConfigServer Security & Firewall in the case of WHM)
• an application firewall such as plugin on your website (i.e. Wordfence)

Below, we will walk you through whitelisting Watchful.

Table of contents

1. Whitelisting Watchful IP addresses
   1. What are the Watchful IP addresses
   2. Whitelisting IP Addresses in your DNS firewall
      1. Cloudflare Firewall
      2. Sucuri Firewall
   3. Whitelisting IP Addresses in your server firewall
      1. How to whitelist IP address in Linux via the CLI
      2. How to whitelist IP address in Linux via WHM
      3. How to whitelist Watchful in the nG Firewall
   4. Whitelisting IP Addresses in your application firewall
      1. WordFence
      2. iThemes Security
      3. Defender Security
      4. BBQ Pro
      5. Admin Tools Pro
      6. RS Firewall
      7. OSE Anti-Hacker
      8. SecurityCheck 
2. Whitelisting Watchful user agents

Whitelisting Watchful IP addresses

What are the Watchful IP addresses?

Watchful uses a set of IP addresses to power our service, including addresses across the globe to accurately detect website uptime:

If you are a developer you can view the Watchful IP Addresses using the link below. This is useful for automating whitelisting on your server firewall or other tools requiring whitelisting:

• https://app.watchful.net/ip-v4.txt

Whitelisting IP Addresses in your DNS firewall

Domain name server (DNS) service providers often manages their own firewall. Follow the instruction below to whitelist Watchful's IPs at Cloudflare and Sucuri.

A similar procedure may be used at other DNS providers. 

Cloudflare Firewall

1. Login to your account and navigate to your domain.
2. Click on the Firewall button at the top, then the Tools tab.
3. Enter first IP address (above) into the field as shown below.
4. Ensure the Whitelist option is selected.
5. Select the All websites in account option if all your websites will be added to Watchful.
6. Enter Watchful in the notes area.
7. Click the Add button.
8. Repeat for the other two IP addresses (above).

Sucuri Firewall

• Login to your account and navigate to your domain.
• Click on the Access Control link at the top. 
• Ensure that Whitelist IP Addresses is selected at the left.
• Add the first IP addresses (above) to the Add new IP field as shown below.
• Ensure the Permanently option is selected.
• Click the Whitelist button.
• Repeat for the other two IP addresses (above).

Whitelisting IP Addresses in your server firewall

For many site owners, the easiest way to add IP addresses to your server firewall is to contact your hosting provider, provide the IPs (above), and ask them to whitelist.

But if you have root or WHM access to your server, you can do this yourself.

How to whitelist IP address in Linux via the CLI

1. Login to your linux server using root or sudo user.
2. Go to the path /etc/csf/.
3. Inside the CSF directory, edit the file called csf.allow.
4. Add the three IP addresses (above) and save the file.
5. Use the csf -r command to restart the firewall.

How to whitelist IP address in Linux via WHM

Many website owners are using WHM/cPanel to manage their hosting account. If you have WHM access:

1. Login into WHM with the root account.
2. In the search bar at the top-left, enter firewall.
3. Select ConfigServer Security & Firewall from the Plugins area on the left.
4. Scroll down until the csf - Quick Actions area is visible.
5. Add the first IP addresses (above) to the Allow IP address field as shown below.
6. Click the Quick Allow button.
7. Repeat for the other two IP addresses (above).
8. If prompted, click the Restart csf+lfd button.

How to whitelist Watchful in the nG Firewall

The nG firewall series from Perishable Press is a server-level firewall for the Apache or Nginx web servers. As of 2022, the most recent version is the 7G Firewall, the 7th generation of the series. 

If you are using this firewall on your server, note that some parts of Watchful may trigger a false-positive and be blocked. For example, the Vulnerability Scanner is partially blocked by the nG Firewall.

if you are using this firewall, you will need to talk to your host about whitelisting the following rule: block_bad_querystring_rule_35

For example, if you are using RunCloud to manage your server and have enabled the 7G Firewall, the following code can be added to the Nginx config to whitelist block_bad_querystring_rule_35:

if ($gfwreason !~* "allow|block_bad_querystring_rule_35") {


set $gfwlog 1;
return 302 $scheme://$host/RUNCLOUD-$gfwversion-WAF-BLOCKED;
}

Whitelisting for the the nG Firewall series is highly dependent on both your web server and your specific software stack. We recommend contacting your host directly for full details on how to whitelist block_bad_querystring_rule_35.

Whitelisting IP Addresses in your application firewall

Whitelisting in your application firewall is similar across many applications. Typically, a large whitelist field is presented and a comma-separated list of IP addresses is entered. It may look something like the screenshot below. 

Instructions for a variety of application firewalls are listed below.

Application firewalls

• WordFence — The whitelisting options are found in the WordPress backend under WordFence > All Options > Firewall Options > AdvancedFirewall Options.
• iThemes Security — In this application, whitelisted IP addresses are called authorized hosts and are added in the setup wizard. Once the setup wizard is complete, you can also find enter/modify the IP addresses  under Security > Settings > Configure > Authorized Hosts.
• Defender Security — The whitelisting options are found in the WordPress backend under Defender > Firewall > IP Banning > Allowlist.
• BBQ Pro — The whitelisting options are found in the WordPress backend under BBQ Pro > Settings > Whitelist IPs.
• Admin Tools Pro — The Whitelisting options can be found in Components > Admin Tools > Web Application Firewall > Configure Exceptions from Blocking tab. 
• RS Firewall — The Whitelisting options can be found in Components > RSFirewall > Blacklist/Whitelist.
• OSE Anti-Hacker — The Whitelisting options can be found in Components > OSE Anti-Hacker > IP Management.
• SecurityCheck — The Whitelisting options can be found in Components > Securitycheck > Main menu > Web Firewall Configuration > Lists. 

Whitelisting Watchful User-Agents

Watchful uses two User-Agents to communicate with your site and monitor website uptime:

• Watchfulli/1.0 (+https://app.watchful.net)
• WebsiteOps (websiteops.io)

Whitelisting the user agents is not typically required. If you choose to do this, please contact your hosting provider or IT department to whitelist them.