In environments without direct internet access, you need to configure CrowdStrike Falcon Sensor to communicate through a **proxy server**. This guide covers configuring proxy settings for Falcon Sensor on Linux using the falconctl utility.
Understanding Falcon Proxy Settings
The Falcon sensor uses three key settings for proxy configuration:
| Flag | Name | Description |
|---|---|---|
| **--apd** | App Proxy Disable | TRUE = direct connection (default), FALSE = use proxy |
| **--aph** | App Proxy Host | The proxy server hostname or IP address |
| **--app** | App Proxy Port | The proxy server port number |
Important: By default, APD is TRUE, meaning the sensor attempts direct connections. You must set APD to FALSE to route traffic through your proxy.
Configuring Proxy During Installation
Configure the proxy when setting up the sensor for the first time:
Step 1: Install the Sensor Package
Ubuntu/Debian
sudo dpkg -i falcon-sensor__amd64.deb RHEL/CentOS/Amazon Linux
sudo yum install falcon-sensor-.rpm SUSE/SLES
sudo zypper install falcon-sensor-.rpm Step 2: Configure CID and Proxy Settings
sudo /opt/CrowdStrike/falconctl -s --cid= --apd=FALSE --aph=http://proxy.example.com --app=8080 Example with all settings
sudo /opt/CrowdStrike/falconctl -s \
--cid=ABCD1234EFGH5678IJKL9012MNOP3456-78 \
--apd=FALSE \
--aph=http://10.0.0.50 \
--app=3128Step 3: Start the Sensor
sudo systemctl start falcon-sensorConfiguring Proxy on Existing Installation
To add or modify proxy settings on a sensor that's already installed:
-
- **Stop the sensor:**
- Configure proxy settings:
- Start the sensor:
sudo systemctl stop falcon-sensorsudo /opt/CrowdStrike/falconctl -s --apd=FALSE --aph=http://proxy.example.com --app=8080sudo systemctl start falcon-sensorVerifying Proxy Configuration
Check current proxy settings:
sudo /opt/CrowdStrike/falconctl -g --apd --aph --appExpected output when proxy is configured:
apd=FALSE
aph=http://proxy.example.com
app=8080Testing Connectivity
Check sensor logs for connection status:
journalctl -u falcon-sensor | grep -i "cloud\|connect\|proxy"You can also verify the host appears in the Falcon Console under Host Management.
Removing Proxy Configuration
To return to direct connections without a proxy:
sudo /opt/CrowdStrike/falconctl -s --apd=TRUEThis re-enables direct connections. The sensor will attempt to connect directly to the CrowdStrike cloud.
Proxy Configuration for Master Images
When creating master images for VM cloning, include proxy settings in your template:
-
- Install the sensor
- Configure CID and proxy settings
- Remove the Agent ID (for cloning)
- Seal the image
Example workflow:
# Install and configure
sudo dpkg -i falcon-sensor__amd64.deb
sudo /opt/CrowdStrike/falconctl -s --cid= --apd=FALSE --aph=http://proxy.example.com --app=8080
# Remove AID for cloning
sudo /opt/CrowdStrike/falconctl -d -f --aid
# Shutdown for image capture
sudo shutdown -h now Troubleshooting
Sensor not connecting through proxy
- Verify APD is set to FALSE:
sudo /opt/CrowdStrike/falconctl -g --apd - Check proxy host and port are correct
- Ensure the proxy allows connections to CrowdStrike cloud endpoints
Proxy authentication issues
- Verify credentials are correct
- Check proxy logs for authentication failures
- Ensure the proxy supports the authentication method being used
Host not appearing in Console
- Check sensor service is running:
systemctl status falcon-sensor - Review sensor logs:
journalctl -u falcon-sensor - Verify network connectivity to proxy
- Ensure CID is correct
CrowdStrike Cloud Endpoints
Your proxy must allow connections to CrowdStrike cloud endpoints. The specific URLs depend on your cloud region:
- US-1: ts01-b.cloudsink.net
- US-2: ts01-gyr-maverick.cloudsink.net
- EU-1: ts01-lanner-lion.cloudsink.net
Consult CrowdStrike documentation for the complete list of required endpoints for your deployment.