Setup Prerequisites for Enterprise DLP
Focus
Focus
Enterprise DLP

Setup Prerequisites for Enterprise DLP

Table of Contents

Setup Prerequisites for Enterprise DLP

Ports, Fully Qualified Domain Names, and IP addressed required to enable Enterprise Data Loss Prevention (E-DLP).
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Below are the fully qualified domain names (FQDN), network ports, and IP addresses that must be allowed on your corporate network to forward traffic for inspection and verdict rendering to Enterprise Data Loss Prevention (E-DLP). These tables also include network settings required for other Enterprise DLP features.

Prerequisite Ports and FQDNs for Enterprise DLP

Allow access to the following IP addresses and open ports required to successfully forward traffic to Enterprise Data Loss Prevention (E-DLP).
Firewalls managed by a Panorama™ management server or Strata Cloud Manager need to access the following FQDNs and ports open on the network to successfully forward traffic for inspection by the DLP cloud service.
FQDNsPorts
  • http://ocsp.paloaltonetworks.com
  • http://crl.paloaltonetworks.com
  • http://ocsp.godaddy.com
  • http://crl.godaddy.com
TCP 80
  • https://api.paloaltonetworks.com
  • https://apitrusted.paloaltonetworks.com
  • certificatetrusted.paloaltonetworks.com
  • certificate.paloaltonetworks.com
  • hawkeye.services-edge.paloaltonetworks.com
  • dlp.hawkeye.services-edge.paloaltonetworks.com
  • ace.hawkeye.services-edge.paloaltonetworks.com
  • urlcat.hawkeye.services-edge.paloaltonetworks.com
  • enforcer.hawkeye.services-edge.paloaltonetworks.com
TCP 443

Prerequisite IP Addresses for Enterprise DLP Evidence Storage

Allow access to the IP addresses required to save evidence for investigative analysis with Enterprise Data Loss Prevention (E-DLP).
Allow access to the following IP addresses on your corporate network to automatically store and download traffic scanned by Enterprise Data Loss Prevention (E-DLP) that match your Enterprise DLP data profile for NGFW and Prisma Access tenants managed by Panorama or Strata Cloud Manager.
  • You must allow the Default IP addresses to successfully connect your evidence storage bucket to Enterprise DLP.
  • To automatically store inspected files of your inspected traffic, the IP addresses you need to allow access for are dependent on the region or zone where Enterprise DLP scans traffic.
  • To download stored files from your evidence storage bucket, you may also need to allow the specific user IP addresses as well. If your organization uses a virtual private network (VPN), you must allow the subnets allowed to download files from your evidence storage bucket.
Enterprise DLP requires that you allow the same IP addresses for Evidence Storage and Syslog Forwarding on your network. You don't need to allow any region-specific IP addresses for Evidence Storage if you have already allowed them for Syslog Forwarding.
RegionIP Address
Australia
13.54.198.248
52.63.9.154
34.87.236.168
Canada
15.222.125.234
99.79.19.33
34.118.182.133
France
15.237.145.165
13.36.207.215
34.155.50.15
Germany
3.123.172.116
52.59.186.42
35.198.73.41
India
15.207.246.3
3.108.103.214
34.47.134.16
Japan
3.115.43.201
35.72.148.77
35.74.96.38
52.68.52.77
34.84.142.203
Singapore
13.228.151.58
52.74.82.77
34.142.217.106
U.K
13.43.141.10
18.169.44.228
35.177.5.4
52.56.54.90
(London, England) 35.197.230.50
(Default) U.S.A
3.230.176.219
3.226.106.173
18.190.146.204
3.16.224.253
34.223.123.78
52.27.148.95
34.118.182.133
35.247.194.54
34.135.174.89
34.173.206.52
34.172.74.250
34.48.104.244
35.197.73.227
34.94.161.165
34.66.246.164
35.225.238.124
35.223.231.169
34.58.60.130
35.238.28.62
34.67.76.48
104.154.217.19
35.202.179.253
34.123.101.142

IP Addresses for Syslog Forwarding

Allow the IP addresses required to forward DLP incident syslogs from Enterprise Data Loss Prevention (E-DLP) to manage and create workflows.
Allow the following IP addresses on your network to successfully forward Enterprise Data Loss Prevention (E-DLP) incidents syslogs to your third-party security information and event management (SIEM), Security Orchestration, and Response (SOAR), or other automated ticketing systems. This enables your SOC Analysts and Incident admins to effectively triage, review, and resolve data security risks that occur in your organization. To forward DLP incident syslogs, the IP addresses you need to allow access for are dependent on region or zone where the file will be scanned by Enterprise DLP.
Evidence Storage and Syslog Forwarding require you allow the same IP addresses on your network. You don't need to allow any region-specific IP addresses for Syslog Forwarding if already allowed for Evidence Storage.
RegionIP Address
Australia
13.54.198.248
52.63.9.154
34.87.236.168
Canada
15.222.125.234
99.79.19.33
34.118.182.133
France
15.237.145.165
13.36.207.215
34.155.50.15
Germany
3.123.172.116
52.59.186.42
35.198.73.41
India
15.207.246.3
3.108.103.214
34.47.134.16
Japan
3.115.43.201
35.72.148.77
35.74.96.38
52.68.52.77
34.84.142.203
Singapore
13.228.151.58
52.74.82.77
34.142.217.106
U.K
13.43.141.10
18.169.44.228
35.177.5.4
52.56.54.90
(London, England) 35.197.230.50
(Default) U.S.A
3.230.176.219
3.226.106.173
18.190.146.204
3.16.224.253
34.223.123.78
52.27.148.95
34.118.182.133
35.247.194.54
34.135.174.89
34.173.206.52
34.172.74.250
34.48.104.244
35.197.73.227
34.94.161.165
34.66.246.164
35.225.238.124
35.223.231.169
34.58.60.130
35.238.28.62
34.67.76.48
104.154.217.19
35.202.179.253
34.123.101.142

Prerequisite FQDNs for Exact Data Matching (EDM)

Fully Qualified Domain Names (FQDN) required to upload data sets for Exact Data Matching (EDM).
To successfully create and upload data sets to Enterprise Data Loss Prevention (E-DLP) and use Exact Data Matching (EDM), you must allow access to the following FQDNs on your network.
The EDM CLI App first hashes the data set using the SHA256 hash function when you initiate an EDM data set upload. The EDM CLI App then encrypts the EDM data set using AES Symmetric encryption before beginning the EDM data set upload to the Enterprise DLP EDM data set storage bucket. The raw data in your EDM data sets never leave your organization's network, and Enterprise DLP does not store or have access to the raw EDM data set data. Enterprise DLP stores only hashed and encrypted EDM data set data in the EDM data set storage bucket.
  • https://api.dlp.paloaltonetworks.com
  • https://auth.apps.paloaltonetworks.com
  • https://prod-edm-dataset-bucket.s3.us-west-2.amazonaws.com

Prerequisites for Enterprise DLP End User Alerting with Cortex XSOAR

The integrated platforms, supported applications, and configuration prerequisites required to use the Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR.
Review the Palo Alto Networks product portfolio integration, supported application, and configuration prerequisites required to use Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR.

Requirements
Panorama (Palo Alto Networks Next-Generation Firewalls)
Prisma Access (Managed by Panorama)
Strata Cloud Manager
PAN-OS Release
  • All PAN-OS versions that support Enterprise DLP
  • All Enterprise DLP plugin versions
N/A
Palo Alto Networks Product Portfolio Integration
Cortex XSOAR
Supported Applications
Slack, Microsoft Teams, Email
IP Mapping to Email Addresses