Network access for your IT team
1 — Allow these hostnames (by name, not IP)
Bulwark is served from managed cloud platforms whose IP addresses rotate, so allowlist by hostname / SNI, not by IP. A single wildcard rule — *.bulwarkcompliance.ai — covers everything below. If your policy requires fixed egress IPs, contact us and we’ll arrange a static-IP endpoint.
| Hostname | What it serves | Priority |
|---|---|---|
www.bulwarkcompliance.ai | Marketing site + the free OFAC reference and name search (/ofac/*, /search). No login. | Required |
bulwarkcompliance.ai | Apex domain (redirects to www) and the signed-in Bulwark application. | Required |
recon.bulwarkcompliance.ai | Recon research agent. | If used |
gauntlet.bulwarkcompliance.ai | Gauntlet payment screening. | If used |
aegis.bulwarkcompliance.ai | AEGIS regulatory reporting. | If used |
api.bulwarkcompliance.ai | Data API endpoint (only if you use API access). | If used |
2 — Categorize the domain as Business / Finance
Many filters block domains that are simply uncategorized or “newly observed.” Ask your web-filtering vendor to categorize bulwarkcompliance.ai as Business / Finance / Regulatory-Compliance. Submission points:
| Vendor | Where to submit or review a category |
|---|---|
| Zscaler | sitereview.zscaler.com |
| Netskope | Web Category Lookup in the Netskope UI, or a support ticket |
| Palo Alto (PAN-DB) | urlfiltering.paloaltonetworks.com |
| Cisco Talos / Umbrella | talosintelligence.com/reputation_center |
| Forcepoint | csi.forcepoint.com/tools |
| Symantec / BlueCoat | sitereview.bluecoat.com |
| Trellix / McAfee | trustedsource.org |
3 — Connection details
- Protocol / port: HTTPS over TCP 443 only. No other ports, no UDP, no inbound.
- TLS: 1.2 and 1.3, standard cipher suites, certificate from a widely-trusted public CA.
- TLS inspection: supported. No certificate pinning, so your proxy may re-sign without breaking the site.
- Client certificates: not required. No mTLS on public pages.
- JavaScript: the reference and search pages render server-side and stay usable with JavaScript disabled.
- Third-party calls: none required to read the reference — pages don’t depend on external CDNs, fonts, or trackers to render.
- IP family: reachable over IPv4 (and IPv6). No IPv6 requirement.
- Authentication: the free reference needs none; the app supports corporate SSO (SAML / OIDC — Okta, Azure AD, Google, GitHub).
4 — Confirm reachability
- Browser: open
https://www.bulwarkcompliance.ai/ofac— the OFAC reference should load with no login prompt. - Command line:
curl -I https://www.bulwarkcompliance.ai/ofacshould returnHTTP/2 200. - A block usually shows your proxy’s own page (not ours), a category name, or a TLS/certificate error — capture that text and send it to us.
Still blocked? Email support@bulwarkcompliance.ai with the proxy/vendor name and the block message. Live service health is at /status.