Regional Service Domains
Allow access to the Advanced IP Defense regional service domains to enable real-time IP attribute lookups and direct-to-IP detection from your enforcement points.
Advanced IP Defense uses a globally distributed cloud infrastructure to deliver real-time IP attribute lookups and direct-to-IP detection verdicts. When a firewall encounters a connection that requires a cloud lookup, it communicates with the nearest regional service domain over HTTPS (port 443) to retrieve IP attributes and cache them locally. The firewall automatically connects to the closest regional endpoint to minimize lookup latency.
To ensure uninterrupted Advanced IP Defense protection, you must allow outbound HTTPS access from your enforcement points to the Advanced IP Defense service domains listed below. If your environment uses a firewall, proxy, or other network security device that restricts outbound traffic, add these domains to your allowlist.
Global Service Domain
The global service domain uses anycast routing to direct traffic to the nearest available regional endpoint. This is the default endpoint used by all enforcement points.
| Type | Domain |
|---|
| Inspection (Global) | api.prod.aipd.service.paloaltonetworks.com (port 443) |
| Content Delivery (CDN) | static.prod.aipd.service.paloaltonetworks.com (port 443) |
Regional Service Domains
Regional service domains provide localized inspection endpoints. The firewall selects the appropriate regional endpoint based on its configured region or geographic proximity. All regional domains use port 443 (HTTPS).
| Location | Domain |
|---|
| Johannesburg, South Africa | api-za.prod.aipd.service.paloaltonetworks.com |
| Paris, France | api-fr.prod.aipd.service.paloaltonetworks.com |
| Ashburn, Northern Virginia, USA | api-us-va.prod.aipd.service.paloaltonetworks.com |
| Los Angeles, California, USA | api-us-ca.prod.aipd.service.paloaltonetworks.com |
| Frankfurt, Germany | api-de.prod.aipd.service.paloaltonetworks.com |
| Singapore | api-sg.prod.aipd.service.paloaltonetworks.com |
| Tokyo, Japan | api-jp.prod.aipd.service.paloaltonetworks.com |
| Sydney, Australia | api-au.prod.aipd.service.paloaltonetworks.com |
| London, England | api-uk.prod.aipd.service.paloaltonetworks.com |
| Eemshaven, Netherlands | api-nl.prod.aipd.service.paloaltonetworks.com |
| Council Bluffs, Iowa, USA | api-us-ia.prod.aipd.service.paloaltonetworks.com |
| The Dalles, Oregon, USA | api-us-or.prod.aipd.service.paloaltonetworks.com |
| Montreal, Canada | api-ca.prod.aipd.service.paloaltonetworks.com |
| Osasco, São Paulo, Brazil | api-br.prod.aipd.service.paloaltonetworks.com |
| Mumbai, India | api-in.prod.aipd.service.paloaltonetworks.com |
| Tel Aviv, Israel | api-il.prod.aipd.service.paloaltonetworks.com |
| Seoul, South Korea | api-kr.prod.aipd.service.paloaltonetworks.com |
| Qatar | api-qa.prod.aipd.service.paloaltonetworks.com |
| Hong Kong | api-hk.prod.aipd.service.paloaltonetworks.com |
| China |
The Advanced IP Defense regional service domain in China has two FQDN options:
- api-cn.prod.aipd.service.paloaltonetworks.com
- api-hk.prod.aipd.service.paloaltonetworks.com
Palo Alto Networks recommends using the api-cn.prod.aipd.service.paloaltonetworks.com FQDN. If you experience connectivity or access issues, use the Hong Kong endpoint as a fallback.
|
FedRAMP Service Domains
For deployments operating in FedRAMP environments (Moderate/IL2, High/IL4, or DoD/IL5), use the following service domains instead of the commercial endpoints.
| Impact Level | Domain |
|---|
| IL2 (FedRAMP Moderate) | api.il2.aipd.service.paloaltonetworks.com (port 443) |
| IL4 (FedRAMP High) | api.il4.aipd.service.paloaltonetworks.com (port 443) |
| IL5 (DoD) | api.il5.aipd.service.paloaltonetworks.com (port 443) |
Regional FedRAMP endpoints follow the pattern api-<region>.il2.aipd.service.paloaltonetworks.com for IL2 environments. Replace il2 with il4 or il5 for higher impact levels.
Server Certificates
All Advanced IP Defense service domains use TLS certificates issued under the following wildcard names. If your environment performs TLS inspection on outbound traffic, ensure these certificate names are trusted.
- Commercial—*.prod.aipd.service.paloaltonetworks.com
- FedRAMP IL2—*.il2.aipd.service.paloaltonetworks.com
- FedRAMP IL4—*.il4.aipd.service.paloaltonetworks.com
- FedRAMP IL5—*.il5.aipd.service.paloaltonetworks.com
