>
    Strata Copilot
    Setup Prerequisites for Enterprise DLP
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Activation & Onboarding
    4. Setup Prerequisites for Enterprise DLP
    Download PDF
    Enterprise DLP

    Setup Prerequisites for Enterprise DLP

    Table of Contents

    Setup Prerequisites for Enterprise DLP

    Ports, Fully Qualified Domain Names, and IP addressed required to enable Enterprise Data Loss Prevention (E-DLP).
    On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
    You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • Prisma Browser
    • Enterprise Data Loss Prevention (E-DLP) license
      Review the Supported Platforms for details on the required license for each enforcement point.
    Or any of the following licenses that include the Enterprise DLP license
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
    Allow specific secure and functional connections to Enterprise Data Loss Prevention (E-DLP) and supported services. This is required to successfully send traffic for inspection and verdict rendering and to utilize the various services for supported platforms.
    • Enterprise DLP Inline Inspection—Allow the required ports and FQDNs on your network for supported platforms to successfully forward traffic to Enterprise DLP for inspection and verdict rendering.
    • Evidence Storage, Syslog Forwarding, and ICAP Forwarding—Allow access to the region-specific IP addresses to automatically store copies of traffic scanned by Enterprise DLP, forward DLP incidents and audit syslogs to your third-party SIEM, SOAR, or automated ticketing systems, and integrate your existing on-premises third party DLP solutions using ICAP forwarding.
      Evidence Storage, Syslog Forwarding, and ICAP Forwarding services share the same IP addresses.
    • FQDNs for EDM—Allow access to all required FQDNs, and region-specific FQDNs, to create and upload Exact Data Matching (EDM) data sets to region-specific or FedRAMP Enterprise DLP storage buckets.
      EDM and Data Dictionaries uploads share the same IP addresses.
    • FQDNs for Data Dictionaries—Allow access to all required FQDNs, and region-specific FQDNs, to create and upload a data dictionary to region-specific or FedRAMP Enterprise DLP storage buckets.
      EDM and Data Dictionaries uploads share the same IP addresses.
    • End User Coaching—Minimum prerequisite agent, software, and plugin versions to display notifications to your end users in the Access Experience User Interface (UI) when they generate an Enterprise DLP or Endpoint DLP incident. End User Coaching is an agent-based alerting mechanism.
    • End User Alerting—Required integrations for Enterprise DLP and Cortex XSOAR to use End User Alerting and grant your team members the ability to self-service temporary exemptions for file uploads that match your Enterprise DLP data profile match criteria. End User Alerting is an agentless alerting mechanism.

    Prerequisite Ports and FQDNs for Enterprise DLP

    Allow access to the following IP addresses and open ports required to successfully forward traffic to Enterprise Data Loss Prevention (E-DLP).
    • Strata Cloud Manager Ports and FQDNs
      Enterprise DLP stores DLP incident data in regional storage buckets based on DLP incident traffic origin source. You must allow access to all of the listed FQDNs and ports on your network regardless regardless of the region and DLP incident source.
      The hawkeye.services-edge.paloaltonetworks.com FQDN automatically resolves to the closest Enterprise DLP server to scan forwarded traffic, and to store the traffic contents, evidence, time of scan, and snippets.
      (Switzerland and Brazil) Enterprise DLP scans forwarded traffic, stores traffic contents evidence, time of scan, and snippets in the respective regions. However, Enterprise DLP stores incident metadata in the region where you deployed your Strata Cloud Manager tenant.
      Regions
      		FQDNsPorts
      Australia
      APAC
      Brazil
      Canada
      Europe
      France
      India
      Japan
      Switzerland
      United Kingdom
      United States of America
      • http://ocsp.paloaltonetworks.com
      • http://crl.paloaltonetworks.com
      • http://ocsp.godaddy.com
      • http://crl.godaddy.com
      		TCP 80
      • https://api.paloaltonetworks.com
      • https://apitrusted.paloaltonetworks.com
      • certificatetrusted.paloaltonetworks.com
      • certificate.paloaltonetworks.com
      • hawkeye.services-edge.paloaltonetworks.com
      • dlp.hawkeye.services-edge.paloaltonetworks.com
      • ace.hawkeye.services-edge.paloaltonetworks.com
      • urlcat.hawkeye.services-edge.paloaltonetworks.com
      • enforcer-hawkeye.services-edge.paloaltonetworks.com
      		TCP 443
    • Panorama Country Ports and FQDNs
      You must allow access to all of the Enterprise DLP ports and FQDNs Required for All Regions on your network regardless of the region and DLP incident traffic source.
      Enterprise DLP stores DLP incident data in regional storage buckets based on DLP incident traffic source. You can allow the Default Cloud Content Server FQDN to automatically resolve to the closest Enterprise DLP server to scan forwarded traffic, and to store the file contents, evidence, time of scan, and snippets. Alternatively, you can configure a Regional Cloud Content Server FQDN to forward traffic to a specific Enterprise DLP server and storage bucket.
      The Cloud Content Server FQDN you allow on your network must be the same as the one you configure in the Cloud Content Settings to successfully forward traffic to Enterprise DLP.
      (Switzerland and Brazil) You must use the Default Regional Cloud Content Server FQDN. Enterprise DLP stores scans forwarded traffic, stores traffic contents evidence, time of scan, and snippets in the respective regions. However, Enterprise DLP stores incident metadata in the region where you deployed your Strata Cloud Manager tenant.
      Regions
      		FQDNsDLP Service Ports
      Required for All Regions
      • http://ocsp.paloaltonetworks.com
      • http://crl.paloaltonetworks.com
      • http://ocsp.godaddy.com
      • http://crl.godaddy.com
      TCP 80
      • https://api.paloaltonetworks.com
      • https://apitrusted.paloaltonetworks.com
      • certificatetrusted.paloaltonetworks.com
      • certificate.paloaltonetworks.com
      • dlp.hawkeye.services-edge.paloaltonetworks.com
      • ace.hawkeye.services-edge.paloaltonetworks.com
      • urlcat.hawkeye.services-edge.paloaltonetworks.com
      • enforcer-hawkeye.services-edge.paloaltonetworks.com
      TCP 443
      Regions
      		Regional Cloud Content Server FQDNPort
      Default
      Brazil
      Switzerland
      hawkeye.services-edge.paloaltonetworks.com
      TCP 443
      APAC
      apac.hawkeye.services-edge.paloaltonetworks.com
      TCP 443
      Australia
      au.hawkeye.services-edge.paloaltonetworks.com
      TCP 443
      Canada
      ca.hawkeye.services-edge.paloaltonetworks.com
      TCP 443
      Europe
      eu.hawkeye.services-edge.paloaltonetworks.com
      TCP 443
      France
      fr.hawkeye.services-edge.paloaltonetworks.com
      TCP 443
      India
      in.hawkeye.services-edge.paloaltonetworks.com
      TCP 443
      Japan
      jp.hawkeye.services-edge.paloaltonetworks.com
      TCP 443
      United Kingdom
      uk.hawkeye.services-edge.paloaltonetworks.com
      TCP 443
      United States of America
      us.hawkeye.services-edge.paloaltonetworks.com
      TCP 443
    • Panorama FedRAMP Ports and FQDNs
      Enterprise DLP supports FedRAMP Mod and High environments.
      FQDNsPorts
      FedRAMP Impact Level
      • http://ocsp.paloaltonetworks.com
      • http://crl.paloaltonetworks.com
      • http://ocsp.godaddy.com
      • http://crl.godaddy.com
      		TCP 80
      Moderate
      High
      • https://api.paloaltonetworks.com
      • https://apitrusted.paloaltonetworks.com
      • certificatetrusted.paloaltonetworks.com
      • certificate.paloaltonetworks.com
      • dlp.hawkeye.services-edge.paloaltonetworks.com
      • ace.hawkeye.services-edge.paloaltonetworks.com
      • urlcat.hawkeye.services-edge.paloaltonetworks.com
      • enforcer-hawkeye.services-edge.paloaltonetworks.com
      • (Moderate) hawkeye.services-edge.pubsec-cloud.paloaltonetworks.com
      • (High) gov-hawkeye.services-edge.paloaltonetworks.com
      		TCP 443

    Setup Prerequisites for Enterprise DLP Evidence Storage, Syslog Forwarding, and ICAP Forwarding

    Allow access to the IP addresses required for Enterprise Data Loss Prevention (E-DLP) Evidence Storage, Syslog Forwarding, and ICAP Forwarding services.
    Enterprise Data Loss Prevention (E-DLP) requires you to allow the same region-specific IP addresses on your network for Evidence Storage, Syslog Forwarding, and ICAP Forwarding. If you have already allowed these IP addresses for one service, you don't need to allow them again for the others.
    • Evidence Storage—Allow the IP addresses for the region or zone where Enterprise DLP scans traffic to— automatically store inspected files. To download stored files from your evidence storage bucket, you may also need to allow specific user IP addresses. If your organization uses a virtual private network (VPN), you must allow the subnets that can download files from your evidence storage bucket.
    • Syslog Forwarding—Allow the IP addresses to forward Enterprise Data Loss Prevention (E-DLP) incident syslogs to your third-party security information and event management (SIEM), Security Orchestration, Automation and Response (SOAR), or other automated ticketing systems. This enables your SOC analysts and incident admins to triage, review, and resolve data security risks in your organization.
    • ICAP Forwarding—Allow the IP addresses to integrate your existing on-premises third-party DLP solutions with Enterprise DLP using Internet Content Adaptation Protocol (ICAP). You can configure Enterprise DLP to forward inspected files to your on-premises ICAP server for further inspection while still leveraging the advanced inline ML-based detections that Enterprise DLP offers.
    You must allow the Default IP addresses to successfully connect to Enterprise DLP services. The region-specific IP addresses you need to allow depend on the region or zone where Enterprise DLP scans traffic.
    • Country IP Addresses
      RegionIP Address
      Date Introduced
      Australia
      13.54.198.248
      April 30, 2022
      52.63.9.154
      34.87.236.168
      May 7, 2025
      Brazil
      56.124.6.83
      56.125.134.63
      November 10, 2025
      Canada
      15.222.125.234
      April 30, 2022
      99.79.19.33
      34.118.182.133
      May 7, 2025
      France
      15.237.145.165
      April 30, 2022
      13.36.207.215
      34.155.50.15
      May 7, 2025
      Germany
      3.123.172.116
      April 30, 2022
      52.59.186.42
      35.198.73.41
      May 7, 2025
      India
      15.207.246.3
      April 30, 2022
      3.108.103.214
      34.47.134.16
      May 7, 2025
      Japan
      3.115.43.201
      April 30, 2022
      35.72.148.77
      35.74.96.38
      52.68.52.77
      34.84.142.203
      May 7, 2025
      Singapore
      13.228.151.58
      April 30, 2022
      52.74.82.77
      34.142.217.106
      May 7, 2025
      Switzerland
      34.65.89.231
      June 13, 2025
      United Kingdom
      13.43.141.10
      April 30, 2022
      18.169.44.228
      35.177.5.4
      52.56.54.90
      (London, England) 35.197.230.50
      May 7, 2025
      (Default) United States of America
      3.230.176.219
      April 30, 2022
      3.226.106.173
      18.190.146.204
      3.16.224.253
      34.223.123.78
      35.164.119.230
      52.27.148.95
      54.189.225.136
      34.135.174.89
      May 7, 2025
      34.173.206.52
      34.172.74.250
      34.48.104.244
      35.197.73.227
      34.94.161.165
      34.66.246.164
      35.225.238.124
      35.223.231.169
      34.58.60.130
      35.238.28.62
      34.67.76.48
      104.154.217.19
      35.202.179.253
      34.123.101.142
    • (Evidence Storage only) FedRAMP IP Addresses
      Supported for AWS storage buckets only. Not supported for Azure or SFTP storage buckets.
      Country
      IP Address
      FedRAMP Impact Level
      Date Introduced
      United States
      3.31.2.86
      3.31.9.107
      15.205.197.250
      Moderate
      April 30, 2022

    Prerequisite FQDNs for Exact Data Matching (EDM)

    Fully Qualified Domain Names (FQDN) required to upload data sets for Exact Data Matching (EDM).
    To ensure General Data Protection Regulation (GDPR) compliance, the EDM CLI app hashes and encrypts EDM data sets before upload to the Enterprise DLP EDM data set storage bucket. The EDM CLI app first hashes the data set using the SHA256 hash function when you initiate an EDM data set upload. The EDM CLI app then encrypts the EDM data set using AES Symmetric encryption before beginning the EDM data set upload to the Enterprise DLP EDM data set storage bucket. The raw data in your EDM data sets never leave your organization's network, and Enterprise DLP does not store or have access to the raw EDM data set data. Enterprise DLP stores only hashed and encrypted EDM data set data in the EDM data set storage bucket. Review the Enterprise DLP Privacy Datasheet for more information about how Enterprise DLP captures, processes, and stores personal information.
    You need to allow the following FQDNs on your network to use EDM:
    • API Egresshttps://api.dlp.paloaltonetworks.com
      Required for commercial and FedRAMP users to allow egress access to Enterprise DLP EDM API and allow EDM functionality on your network.
    • EDM Client Authorizationhttps://auth.apps.paloaltonetworks.com
      Required for Enterprise DLP to authorize EDM client tokens for commercial and FedRAMP users.
    • (FedRAMP High only) FedRAMP High Authorizationhttps://auth.fed.apps.paloaltonetworks.us
      Required by FedRAMP High users to authorize Enterprise DLP EDM functionality on your network.
    • EDM Data Set Uploads—The country-specific Public API URL and Storage Bucket FQDNs where you want EDM data sets stored.
      You must allow both FQDNs to successfully upload hashed and encrypted EDM data sets or a data dictionary to an Enterprise DLP storage bucket.
    • Country Storage Buckets
      For EDM CLI app 3.5 or earlier, allow the region-specific Public API URL and the Default FQDN.
      For EDM CLI app 4.0 or later, allow the region-specific Public API URL and FQDN.
      Country
      Public API URL
      FQDN for EDM CLI App 3.5 or Earlier
      FQDN for EDM CLI App 4.0 or Later
      United States
      https://nam-west-oauth.dss.paloaltonetworks.com
      (Default) https://prod-edm-dataset-bucket.s3.us-west-2.amazonaws.com
      https://prod-edm-dataset-bucket-us-west-2.s3.us-west-2.amazonaws.com
      Australia
      https://au-oauth.dss.paloaltonetworks.com
      Not Supported
      https://prod-edm-dataset-bucket-ap-southeast-2.s3.ap-southeast-2.amazonaws.com
      Canada
      https://ca-oauth.dss.paloaltonetworks.com
      Not Supported
      https://prod-edm-dataset-bucket-ca-central-1.s3.ca-central-1.amazonaws.com
      France
      https://fr-oauth.dss.paloaltonetworks.com
      Not Supported
      https://prod-edm-dataset-bucket-eu-west-3.s3.eu-west-3.amazonaws.com
      Germany
      https://emea-oauth.dss.paloaltonetworks.com
      Not Supported
      		https://prod-edm-dataset-bucket-eu-central-1.s3.eu-central-1.amazonaws.com
      India
      https://in-oauth.dss.paloaltonetworks.com
      Not Supported
      https://prod-edm-dataset-bucket-ap-south-1.s3.ap-south-1.amazonaws.com
      Japan
      https://jp-saas-oauth.dss.paloaltonetworks.com
      Not Supported
      https://prod-edm-dataset-bucket-ap-northeast-1.s3.ap-northeast-1.amazonaws.com
      Singapore
      https://apac-oauth.dss.paloaltonetworks.com
      Not Supported
      https://prod-edm-dataset-bucket-.ap-southeast-1.s3.ap-southeast-1.amazonaws.com
      Switzerland
      https://sui-oauth.dss.paloaltonetworks.com
      Not Supported
      https://prod-edm-dataset-bucket-eu-central-2.s3.eu-central-2.amazonaws.com
      United Kingdom
      https://uk-oauth.dss.paloaltonetworks.com
      Not Supported
      https://prod-edm-dataset-bucket-eu-west-2.s3.eu-west-2.amazonaws.com
    • FedRAMP Storage Buckets
      Country
      Public API URL
      FQDN for EDM CLI App 3.5 or Earlier
      		FQDN for EDM CLI App 4.0 or Later
      FedRAMP Impact Level
      United States
      https://apigov.dlp.pubsec-cloud.paloaltonetworks.com
      https://fm-prod-edm-dataset-bucket.s3.us-gov-west-1.amazonaws.com
      https://fm-prod-edm-dataset-bucket-us-gov-west-1.s3.us-gov-west-1.amazonaws.com
      Moderate
      United States
      https://api-gov.dlp.paloaltonetworks.com
      https://prod-edm-dataset-bucket.s3.us-gov-west-1.amazonaws.com
      https://prod-edm-dataset-bucket-us-gov-west-1.s3.us-gov-west-1.amazonaws.com
      High

    Setup Prequisites for Enterprise DLP FQDNs for Data Dictionaries

    Fully Qualified Domain Names (FQDN) required to upload data dictionaries to Enterprise Data Loss Prevention (E-DLP).
    • (FedRAMP High only) FedRAMP High Authorizationhttps://auth.fed.apps.paloaltonetworks.us
      Required by FedRAMP High users to authorize Enterprise DLP functionality on your network.
    • Data Dictionary Uploads—The country-specific Public API URL and Storage Bucket FQDNs where you want your data dictionaries stored.
      You must allow both FQDNs to successfully upload a data dictionary to an Enterprise DLP storage bucket.
    • Country Storage Buckets
      Country
      Public API URL
      Storage Bucket
      Australia
      https://au-oauth.dss.paloaltonetworks.com
      https://prod-edm-dataset-bucket.s3.ap-southeast-2.amazonaws.com
      Canada
      https://ca-oauth.dss.paloaltonetworks.com
      https://prod-edm-dataset-bucket.s3.ca-central-1.amazonaws.com
      France
      https://fr-oauth.dss.paloaltonetworks.com
      https://prod-edm-dataset-bucket.s3.eu-west-3.amazonaws.com
      Germany
      https://emea-oauth.dss.paloaltonetworks.com
      https://prod-edm-dataset-bucket.s3.eu-central-1.amazonaws.com
      India
      https://in-oauth.dss.paloaltonetworks.com
      https://prod-edm-dataset-bucket.s3.ap-south-1.amazonaws.com
      Japan
      https://jp-saas-oauth.dss.paloaltonetworks.com
      https://prod-edm-dataset-bucket.s3.ap-northeast-1.amazonaws.com
      Singapore
      https://apac-oauth.dss.paloaltonetworks.com
      https://prod-edm-dataset-bucket.s3.ap-southeast-1.amazonaws.com
      Switzerland
      https://sui-oauth.dss.paloaltonetworks.com
      https://prod-edm-dataset-bucket.s3.eu-central-2.amazonaws.com
      United Kingdom
      https://uk-oauth.dss.paloaltonetworks.com
      https://prod-edm-dataset-bucket.s3.eu-west-2.amazonaws.com
      United States
      https://nam-west-oauth.dss.paloaltonetworks.com
      https://prod-edm-dataset-bucket.s3.us-west-2.amazonaws.com
    • FedRAMP Storage Buckets
      Country
      Public API URL
      Storage Bucket
      FedRAMP Impact Level
      United States
      https://apigov.dlp.pubsec-cloud.paloaltonetworks.com
      https://prod-edm-dataset-bucket.us-gov-west-1.amazonaws.com
      Moderate
      United States
      https://api-gov.dlp.paloaltonetworks.com
      https://prod-edm-dataset-bucket.us-gov-west-1.amazonaws.com
      High

    Setup Prerequisites for Enterprise DLP End User Coaching

    Agent and version minimum prerequisites for Enterprise Data Loss Prevention (E-DLP) End User Coaching to display notifications to your users when they generate DLP incident.
    Review GlobalProtect app, Prisma Access Agent, Prisma Access, and Enterprise DLP plugin documentation for detailed information about minimum and recommended versions.
    • Enterprise DLP (Inline)
      Requirement
      GlobalProtect app
      Prisma Access Agent
      Agent Version
      6.2.7 or later
      Palo Alto Networks recommends always installing the latest Prisma Access Agent version.
      Incident Notification
      Autonomous DEM version 5.0.0 or later
      Configuration Management
      Strata Cloud Manager
      Endpoint Operating System for Agent Notification
      • Windows 10 or later
      • macOS 13 or later
      • Ubuntu 20.04, 22.04, or 24.04
      • Red Hat Enterprise Linux (RHEL) 8.9, 9.1, 9.3 or later
      • Windows 10 version 2004 or later
      • macOS 14 (Sonoma) or later
      Prisma Access Version
      5.1 (Preferred or Innovation) or later
      Prisma Access Dataplane Version
      • PAN-OS 10.2.10-h19
      • PAN-OS 10.2.17 or later
      • PAN-OS 11.1.0 or later release
      • PAN-OS 11.2.6 or later
      • PAN-OS 10.2.10-h19
      • PAN-OS 10.2.17 or later 10.2 release
      • PAN-OS 11.2.6 or later
      Enterprise DLP Plugin Version
      Enterprise DLP plugin 3.0.10 or later
    • Endpoint DLP
      Requirement
      Prisma Access Agent
      Agent Version
      Palo Alto Networks recommends always installing the latest Prisma Access Agent version.
      Incident Notification
      Autonomous DEM version 5.3.4 or later
      Configuration Management
      Strata Cloud Manager
      Endpoint Operating System for Agent Notification
      • Windows 10 version 2004 or later
      • macOS 14 (Sonoma) or later
      Prisma Access Version
      5.1 (Preferred or Innovation) or later
      Prisma Access Dataplane Version
      • PAN-OS 10.2.10-h19
      • PAN-OS 10.2.17 or later 10.2 version
      • PAN-OS 11.2.6 or later

    Prerequisites for Enterprise DLP End User Alerting with Cortex XSOAR

    The integrated platforms, supported applications, and configuration prerequisites required to use the Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR.
    Review the Palo Alto Networks product portfolio integration, supported application, and configuration prerequisites required to use Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR.
    Requirements
    Panorama (Palo Alto Networks Next-Generation Firewalls)
    Prisma Access (Managed by Panorama)
    Strata Cloud Manager
    PAN-OS Release
    • All PAN-OS versions that support Enterprise DLP
    • All Enterprise DLP plugin versions
    N/A
    Palo Alto Networks Product Portfolio Integration
    Cortex XSOAR
    Supported Applications
    Slack, Microsoft Teams, Email
    IP Mapping to Email Addresses
    Integrate AWS - Identity and Access Management, Integrate MSGraphAzure Users, Integrate Okta v2, Integrate PingOne, Integrate SailPoint IdentityIQ, or Integrate SailPoint IdentityNow

    © 2026 Palo Alto Networks, Inc. All rights reserved.