Sentinel Appliance FAQ

  1. What protocol and port numbers does our appliance use to communicate to Synopsys' satellite controllers?
    See the tables in Network Requirements for information on the ports you can use for both DAST and SAST in EU and non-EU locations.

  2. Can the appliance use SSH over SSL?
    No.

  3. Why does Synopsys use these ports instead of port 80?
    Because the appliance protocol is not HTTP.

  4. Does the appliance use port forwarding?
    No.

  5. Can you point the appliance to our Proxy’s IP address?
    Yes.

  6. Is root access available for the appliance?
    No.

  7. Does the appliance use the customer’s network’s DNS to look up names?
    When you deploy an appliance you will have the opportunity to enter your DNS information. While it is possible to use only IPs, there are typically so many that it is burdensome to supply them all; entering your DNS information simplifies this process. The appliance can only go to locations for which we have the host-name/IP address.

  8. What does Synopsys do with the information provided for internal assets?
    Configure routes and DNS mappings used by our scanners.

  9. Can Synopsys access other applications beyond what is under contract?
    We are only able to reach applications to which the client has given us the hostname and IP address.

  10. Is the scanning happening from the appliance itself?
    For DAST, the appliance is simply acting as a router between our production servers and the customers' internal network. For SAST, source-code scanning engines run on premises.

  11. Does Synopsys use any of the customer’s network resources?
    The DAST or SAST appliances know just to call back to our production server. The appliance also depends on the customer’s Internet connection.

    WhiteHat Sentinel Source appliances will need to download the code and, in most cases, its dependencies; note that this download is to the appliance itself and the code as a whole is not transmitted to Synopsys.

  12. Are my internal IP addresses going back and forth over the Internet?
    For SAST appliances, DNS information will be stored on the appliance, along with any configuration files the customer uploads to Sentinel.

    For DAST appliances, only the DNS information is stored on the appliance.

    The appliance’s SSH key grants it access to the controller and allows the controller to send the configuration stored in Synopsys' datacenter over the encrypted tunnel to the appliance, which then configures itself appropriately. Double NAT is used to ensure no IP address(es) from either endpoint are exposed over the internet.

  13. What measures does Synopsys take to ensure the security of the appliance?
    The appliance is pen-tested by our IT department, and has undergone Synopsys Threat Research Center’s rigorous hardening process. In addition, Synopsys uses 2048 bit rsa keys with aes256-cbc key exchange and we enforce hmac-md5; there are no virtual terminal logins on the appliance, just the configuration script; and the grub configuration menu is turned off.

  14. What OS does the appliance run?
    DAST (Dynamic) appliances numbered 2309 or above in the US and 261 or above in the EU are running Ubuntu 22.04 LTS. Older appliances are running Ubuntu 18.04 LTS.

    SAST (Static/Source) appliances for Sentinel EU numbered 200 and above, along with SAST appliances for Sentinel US numbered 2000 and above, are running Ubuntu 18.04 LTS; all other SAST appliances are using older Ubuntu LTS versions.

  15. Is it possible to do a pen test on Synopsys' appliance?
    We encourage you to perform unauthenticated (noninvasive) pen tests to ensure you are comfortable with the Sentinel Appliance. However, we do not allow authenticated pen tests in order to protect the confidentiality and integrity of the Sentinel Appliance.

  16. What authentication mechanism does Synopsys use between the satellite and the controller?
    Each satellite has a unique cryptographic key and the public portion of our controller’s key. This is used by the appliance to verify that it is talking to the real controller as well as to enable the controller to know which appliance it’s talking to.