Migrating from Cloud-Linux Agent to On-Demand Agent


Migration Completion Required

Partners should migrate any Inspectors currently running via a Cloud-Linux Agent that need allowlisting to a Self-Hosted Agent.

Liongard will migrate all eligible Inspectors running via Cloud-Linux Agent to our new On-Demand Agent soon.


We will officially be deprecating our Cloud-Linux Agents over the next few months. If you became a Partner with Liongard on or before April 7, 2021, this will affect your instance.

We're switching all eligible Inspectors running via a Cloud-Linux Agent to On-Demand Agents. These Agents will increase performance and enable Liongard to continue to innovate! Please review this doc for next steps.

Inspectors not supported by an On-Demand Agent

These Inspectors are recommended to be run by your On-Premises Agent; if allowlisting is needed you can use the Self-Hosted Agent in most cases.

Barracuda Firewall

Cisco ASA

Cisco IOS

Cisco Small Business Switch

Fortinet Fortigate

HP Procurve

Juniper Junos

Palo Alto Networks


Sophos SG

Sophos XG


Synology Nas

VMware vCenter Server

Veeam Availability Console

VMware ESXi


What is the difference between an On-Demand Agent, an On-Premises Agent, and a Self-Hosted Agent?

If you joined Liongard prior to April 7th, your instance came with a Cloud-Linux Agent. Its setup and maintenance are completely managed by us. This agent works with any cloud-based inspection.

On-Demand Agent
You will now see a new Agent managed by Liongard called On-Demand Agent. This Agent is used to run inspections that do not require any privileged access to your customers' networks.

On-Premises Agent
For those inspections that require privileged access, you should be using an On-Premises Agent.

Self-Hosted Agents
Finally, for inspections that require privileged access but have no access to an On-Premises Agent OR inspections that require allowlisting (edge devices), Partners can deploy a Self-Hosted Agent.

If you are currently allowlisting Inspectors running via a Cloud-Linux Agent you will need to run via the Self-Hosted Agent.

Like our On-Demand Agents, Self-Hosted Agents can handle inspections across multiple Liongard Environments and are hosted from your own infrastructure, without the need to allow cloud IP addresses through firewalls.

Instructions on deploying a Self-Hosted Agent can be found here.

How are Inspectors migrated from the Cloud-Linux Agent to the Self-Hosted Agent?

After deploying a Self-Hosted Agent, follow these steps:

  1. In Liongard, navigate to Admin > Agents > Liongard-Managed
  2. Click the Cloud-Linux Agent
  3. Scroll to the table titled "Inspectors using this Agent"
  4. Single or bulk select the checkbox(es) next to the Inspectors that need to be migrated
  5. Click Actions > Assign to New Agent
  6. In the right-hand menu that appears, select the Self-Hosted Agent, then select Save.
  7. Navigate to Admin > Agents > Self-Managed
  8. Click your Self-Hosted Agent and verify that your Inspectors appear in the "Inspectors using this Agent" table

Allowlisting requirements for a Self-Hosted Agent

If any of your networks heavily filter outbound traffic, you may need to allowlist some hosts in order for the Agent to send data back to Liongard. The Liongard Agent sends traffic outbound via HTTPS with a destination port of 443.

Please note 5 key URLs are used by the Agent and will need to be accessible in order for the Agent to properly function.

Find the URL below that closely matches your instance URL, allowlist it (replacing the question mark with the appropriate number) and allowlist the URLs shown under it.


  • ap-southeast-2.compute.amazonaws.com
  • sqs.ap-southeast-2.amazonaws.com
  • s3.ap-southeast-2.amazonaws.com
  • d2thwq4mlwsvm8.cloudfront.net
  • api.aus?.app.liongard.com (Replace the ? with the number listed in your Liongard URL. For example: api.aus1.app.liongard.com)


  • us-west-2.compute.amazonaws.com
  • sqs.us-west-2.amazonaws.com
  • s3.us-west-2.amazonaws.com
  • d2thwq4mlwsvm8.cloudfront.net
  • api.us?.app.liongard.com (Replace the ? with the number listed in your Liongard URL. For example: api.us1.app.liongard.com)


  • ca-central-1.compute.amazonaws.com
  • sqs.ca-central-1.amazonaws.com
  • s3.ca-central-1.amazonaws.com
  • d2thwq4mlwsvm8.cloudfront.net
  • api.ca?.app.liongard.com (Replace the ? with the number listed in your Liongard URL. For example: api.ca1.app.liongard.com)


  • eu-west-2.compute.amazonaws.com
  • sqs.eu-west-2.amazonaws.com
  • s3.eu-west-2.amazonaws.com
  • d2thwq4mlwsvm8.cloudfront.net
  • api.uk?.app.liongard.com (Replace the ? with the number listed in your Liongard URL. For example: api.uk1.app.liongard.com)


  • eu-central-1.compute.amazonaws.com
  • sqs.eu-central-1.amazonaws.com
  • s3.eu-central-1.amazonaws.com
  • d2thwq4mlwsvm8.cloudfront.net
  • api.eu?.app.liongard.com (Replace the ? with the number listed in your Liongard URL. For example: api.eu1.app.liongard.com)


  • sa-east-1.compute.amazonaws.com
  • sqs.sa-east-1.amazonaws.com
  • s3.sa-east-1.amazonaws.com
  • d2thwq4mlwsvm8.cloudfront.net
  • api.sa?.app.liongard.com (Replace the ? with the number listed in your Liongard URL. For example: api.sa1.app.liongard.com)

For Debugging Purposes:

Regardless of what region you are in, troubleshooting methods for debugging inspections may additionally require access to the following URL. If you need to engage in troubleshooting inspections or engage with Liongard Support, they may ask you to also allowlist this URL:

  • s3-us-west-2.amazonaws.com