Let Velprove through your firewall
Velprove is the uptime tool that watches your sites and APIs from 5 regions around the world, with free browser login monitors that log in like a real user. To do that, our monitors send real requests to your service. If those sit behind a firewall or WAF, you need to let them through, or you will get downtime alerts for a site that is actually fine. This page tells you exactly how, and it stays current automatically as our monitors change.
Best option: trust us by hostname (FCrDNS)
The cleanest way to allow Velprove is a small DNS round-trip called forward-confirmed reverse DNS, or FCrDNS. Your firewall does the work, not you. When a request reaches your firewall, it takes the source IPv4 address and looks up the name behind it. A real Velprove monitor resolves to a hostname ending in .probe.velprove.com. Your firewall then looks that hostname back up and confirms it returns the same IPv4 the request came from. It allows the request only when both directions agree. The hostnames never change, so this rule keeps working even when our IP addresses rotate. Set it once and you are done.
Simpler option: allow these IP addresses
If your firewall cannot match on hostnames, just allow the IPv4 addresses below. Every Velprove monitor reaches your service over IPv4, so there are no IPv6 rules to worry about. The one trade-off: these addresses can change as we add regions, so check back here now and then, or point a script at the live list further down. If you would rather set it and forget it, use the hostname method above instead.
| Region | FCrDNS hostname | IPv4 |
|---|---|---|
| North America | na1.probe.velprove.com | 148.113.233.70 |
| Europe | eu1.probe.velprove.com | 57.129.124.139 |
| United Kingdom | uk1.probe.velprove.com | 198.244.141.109 |
| Asia | asia1.probe.velprove.com | 51.79.140.29 |
| Oceania | oce1.probe.velprove.com | 139.99.222.50 |
This list reflects the workers that are active right now and refreshes within about a minute as we add or remove capacity. A region with several rows means more than one worker is running there at the moment. Hostnames stay valid even as rows come and go, so allowing by hostname (above) is the simplest way to never need to update your firewall.
Machine-readable copies of this list: /ips.json and /ips.txt. The text version has one IPv4 per line so a firewall script can read it directly, with the region for each one in leading # comment lines.
Frequently asked questions
What is the simplest way to let Velprove through my firewall?
The safest method is a small DNS round-trip called forward-confirmed reverse DNS, or FCrDNS. It sounds technical, but it is three steps your firewall or WAF can run automatically. When a request arrives, look up the name behind the source IP and confirm that name ends in .probe.velprove.com. Then look that name back up and confirm it points to the same IP the request came from. If both checks agree, the request is a real Velprove monitor and you can allow it. If your firewall cannot match on names, allowlist the IPv4 addresses listed on this page instead. We recommend FCrDNS because our IP addresses can change as we add monitoring regions, while the hostnames stay the same.
Do Velprove's IP addresses change?
Yes, sometimes. We add and refresh monitoring workers as we grow, so the IPv4 address for a region can change. The hostnames, like na1.probe.velprove.com, do not change, which is why allowlisting by hostname is the safer choice. If you do need to allowlist by IP, plan to re-fetch this list now and then. The /ips.json and /ips.txt links further down always reflect the current addresses, so you can point a script at them.
Do I need to set up any IPv6 firewall rules?
No. Every Velprove monitor reaches your service over IPv4 only, including our free browser login monitors. Your firewall or WAF will only ever see an IPv4 address coming from us, so there is nothing IPv6 to add. One less thing to configure.
How can I confirm a request really came from Velprove?
Take the source IPv4 of the request and do a reverse DNS, or PTR, lookup. That is just asking what name the IP belongs to. A real Velprove monitor resolves to a name ending in .probe.velprove.com. Then look that name back up and confirm it returns the exact IPv4 you started with. Both directions have to agree. An attacker who does not control our DNS cannot fake both halves of that round-trip, so this is the reliable way to know the traffic is ours and not someone pretending to be us.
Which regions do Velprove monitors run from?
Velprove runs monitors from 5 global regions: North America, Europe, United Kingdom, Asia, and Oceania. Each has its own stable hostname, listed in the table above. You pick which region each monitor runs from, and all 5 regions are included on every plan, including the free plan. If one region has an outage, the others automatically take over its monitors so you do not get a gap or a false alert. Because of that automatic failover, a check can briefly come from a different region's hostname. To stay covered, allow all 5 regions or, simpler, use FCrDNS so any of our hostnames is trusted.