Installing Axonius Gateway
  • 11 Apr 2024
  • 5 Minutes to read
  • Dark
  • PDF

Installing Axonius Gateway

  • Dark
  • PDF

Article Summary


Axonius Gateway is only required to connect adapters whose sources are only accessible by an internal or segregated network. Configuring and installing the Axonius Gateway is not required to connect adapters that are accessible to the internet for Axonius-hosted, or the same network as the Axonius primary node, for Customer-hosted (on-premise / private cloud).

Axonius Gateway enables establishment of a link between an internal network and the primary Axonius instance, which may be an Axonius-hosted (SaaS) instance or Customer-hosted (on-premise / private cloud).

The Axonius-hosted (SaaS) instance resides in the cloud and is not part of your organization's internal network. Axonius securely fetches data from the organization's data sources, known as adapters. To connect adapters that are only accessible by an internal network or segregated network (for Customer-hosted (on-premise / private cloud)), you must configure and install an Axonius Gateway on a server that has access to those sources.

To establish the link between the primary Axonius instance and an internal/segregated network, you need to:

  1. Provision a server to be used as the Gateway server
  2. Install Docker Engine on the Gateway server
  3. Add a new Gateway Connection
  4. Install the Gateway installation package
  5. Configure and connect adapters to use an Axonius Gateway

1. Provision a server to be used as the Gateway server:

Provision a server that meets the following network requirements either by a direct connection or by HTTPS proxy:

  • Access to the internet via TCP port 443 from the Gateway server.
  • Access to the sources of the adapters that will be connected using this Gateway.
  • The folder/opt/axonius must be writeable.

If you are using the Palo Alto firewall, you must use 'OpenVPN APP-ID' for destination port 443 in order to establish the Gateway. If you are using an IDS or DPI on your system, define the destination port protocol/profile as OpenVPN (and not HTTPS) in order to establish the Gateway.

The server hardware requirements are:

  • An Intel x86 based architecture processor
  • At least 1 GB of free disk space
  • At least 1 GB of RAM dedicated to the Gateway container

For added security, when running Axonius Gateway on an AWS EC2 instance, we recommend disabling version 1 of AWS' Instance Metadata API (IMDSv1), as Axonius Gateway is fully-compatible with IMDSv2.

2. Install Docker Engine on the Gateway server

Install any Linux distribution that supports either Docker or Podman container engines. Axonius recommends using Docker for Debian-based OS Distributions such as Ubuntu and using Podman for RHEL/CentOS distributions, however the tunnel installation will detect and use whatever container engine is installed.

  1. Install a container engine (Docker or Podman)
  2. If using Docker as your container engine, ensure that it is started and enabled to run on boot: sudo systemctl enable --now docker

3. Add a new Gateway Connection

To add a new Gateway connection:

  1. On the Gateway page, click Add Gateway.

  2. The New Gateway Connection drawer appears.

  3. Specify the following Gateway settings:

    • Gateway name (optional, default: Gateway_x) - Specify an indicative name for the Gateway connection or use the system default. The Gateway name can always be changed.


  • Gateway status notification
    • Notify by email when gateway is disconnected
    • Notify by email when gateway is connected

Choose one or both of these options to send email notifications to the recipients defined when a Gateway is disconnected or connected. When you choose one of the options, the Recipient Email Address field is displayed.
Recipient Email Address - Specify a list of email addresses to be notified when the Axonius Gateway disconnects or is connected, depending on the notification options that you chose.

* Proxy settings (optional, default: empty) - To configure a proxy service to be used by the Axonius Gateway, select the Use Proxy checkbox. Once enabled, configure the Proxy address and Proxy port fields. Proxy user name and Proxy password are optional fields for proxy services.

  1. Click the Create and Download button.
    • A Gateway record is added to the table.
    • The Gateway installation package is downloaded.

4. Install the Gateway installation package

  1. Copy the Gateway installation package to the Gateway server.
  2. Execute the Gateway installation package as the “root” user. For example:
chmod +x

When the installation package has finished successfully, it shows the following message: “The Axonius Gateway has been successfully installed.”

After the installation finishes, refresh the Gateways page and track the Gateway record status on the Connection Status field.


To uninstall the Axonius Gateway, execute the following command: ./ uninstall

5. Configure and connect adapters to use an Axonius Gateway


Axonius Gateway is only required to connect adapters whose sources are only accessible by an internal or segregated network
Gateway should not be selected if the source for the adapter is accessible from the internet or from your network.

  1. Open the Adapters page. Click the image.png icon on the left navigation panel.
  2. Search for and click the relevant adapter. The Adapter Connections page opens displaying the list of configured connections.
  3. Add a new connection. click Add Connection. The Adapter Connection Configuration dialog opens.
  4. Populate the required information.
  5. Select the requested Gateway Connection on the Gateway Name field. Click Save.
  6. To save your changes and to establish a connection to the adapter connection using the configured credentials, click Save and Fetch.

Gateway Installation Best Practices

In order to ensure the principle of least privilege it is necessary to install the Gateway in a secure location within your network. This should ideally be a protected network where traffic in and out of the subnet can be strictly controlled. The default policy for traffic originating from your Axonius Gateway should be blocked. The ports and protocols required for the operation of an Axonius Gateway are listed on the table below, and only these connections should be permitted through your firewall. Replace * with your Axonius Hosted ID:

Axonius-hosted (SaaS)

Source IPDestinationPortApplicationNote
Gateway Server IP*.on.axonius.comTCP/443HTTPSGUI Access. Required for fetching the Gateway container.
Gateway Server IPtun-*.on.axonius.comTCP/443OpenVPNGateway Connection
Gateway Server IPInternal SystemsVariousVariousAdapter Data sources. Add one rule per adapter connection, using the correct destination IP/Port/Protocol

Customer-hosted (on-premise / private cloud)

Source IPDestinationPortApplicationNote
Gateway Server IPPrimary Axonius IPTCP/2212OpenVPNGateway Connection
Gateway Server IPPrimary Axonius IPTCP/443HTTPSRequired for fetching the Gateway container

For more details about configuring adapter connections, see:

Was this article helpful?

What's Next
Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.