In Deep Security as a Service (DSaaS), the preferred communication direction is Agent-initiated communication. This means that the Agent contacts the DSM at a given heartbeat. All policies done from the DSM console will be fetched by the Agent on the next heartbeat via port 443.
There are some administrators who want to use bidirectional communication direction. This means that the Agent initiates the heartbeat but listens to port 4118 for DSM connections. The DSM is also able to contact the Agent to perform operations as required. This allows the DSM to apply changes to the security configuration to Agent/appliance immediately as they occur.
To allow the DSM to push the policy or secuirty configuration to the Agent, the following should be allowed on your firewall:
Consult your network administrator on how to safelist the traffic to the firewall.
Source IP Address: 126.96.36.199/24
Destination IP: IP address/range of machines with DSA
Destination port: 4118