Setup Prerequisites for Enterprise DLP

Ports, Fully Qualified Domain Names, and IP addresses required to enable Enterprise Data Loss Prevention (E-DLP).
Where Can I Use This?
  • NGFW (Managed by Panorama)
  • Prisma Access (Managed by Strata Cloud Manager)
  • SaaS Security
  • NGFW (Managed by Strata Cloud Manager)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • NGFW (Managed by Panorama): Support and Panorama device management licenses
  • Prisma Access (Managed by Strata Cloud Manager): Prisma Access license
  • SaaS Security: SaaS Security license
  • NGFW (Managed by Strata Cloud Manager): Support and AIOps for NGFW Premium licenses
Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Below are the fully qualified domain names (FQDNs), network ports, and IP addresses that must be allowed. These tables describe the network settings required to forward traffic for inspection and verdict rendering by Enterprise Data Loss Prevention (E-DLP), as well as the network settings required for specific Enterprise DLP features.

Ports and FQDNs

Allow access to the following IP addresses and open ports required to successfully forward traffic to Enterprise Data Loss Prevention (E-DLP).
Firewalls managed by a Panorama™ management server or Strata Cloud Manager need access to the following FQDNs, with the listed ports open on the network, to successfully forward traffic for inspection by the DLP cloud service.
FQDNs on port TCP 80:
  • http://ocsp.paloaltonetworks.com
  • http://crl.paloaltonetworks.com
  • http://ocsp.godaddy.com
  • http://crl.godaddy.com
FQDNs on port TCP 443:
  • https://api.paloaltonetworks.com
  • https://apitrusted.paloaltonetworks.com
  • certificatetrusted.paloaltonetworks.com
  • certificate.paloaltonetworks.com
  • hawkeye.services-edge.paloaltonetworks.com
  • dlp.hawkeye.services-edge.paloaltonetworks.com
  • ace.hawkeye.services-edge.paloaltonetworks.com
  • urlcat.hawkeye.services-edge.paloaltonetworks.com
  • enforcer.hawkeye.services-edge.paloaltonetworks.com

IP Addresses for Evidence Storage

Allow access to the IP addresses required to save evidence for investigative analysis with Enterprise Data Loss Prevention (E-DLP).
Allow access to the following IP addresses on the hypervisor where you created the evidence storage bucket to automatically store files scanned by the DLP cloud service that match your Enterprise DLP data profile for firewalls managed by Panorama or Strata Cloud Manager.
  • You must allow the Default IP addresses to successfully connect your evidence storage bucket to Enterprise DLP.
  • To automatically store inspected files, the IP addresses you need to allow depend on the region or zone where the file will be scanned by Enterprise DLP.
  • To download stored files from your evidence storage bucket, you may also need to allow the specific user IP addresses.
Region: IP Addresses
  • APAC: 13.228.151.58, 52.74.82.77
  • Australia: 13.54.198.248, 52.63.9.154
  • Canada: 15.222.125.234, 99.79.19.33
  • E.U: 3.123.172.116, 52.59.186.42
  • India: 15.207.246.3, 3.108.103.214
  • Japan: 3.115.43.201, 35.72.148.77, 35.74.96.38, 52.68.52.77
  • U.K: 13.43.141.10, 18.169.44.228, 35.177.5.4, 52.56.54.90
  • (Default) U.S.A: 3.230.176.219, 3.226.106.173, 18.190.146.204, 3.16.224.253, 34.223.123.78, 52.27.148.95
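
The following Python script is an added example, not Palo Alto Networks code: it audits a proposed egress allowlist against the FQDN/port table and the evidence storage IP table above and returns whatever is still blocked. The rule format (hostname glob plus TCP port), the CIDR list, and the sample policy are assumptions constructed for illustration; only the Default and E.U rows of the region table are included.

```python
import ipaddress
from fnmatch import fnmatch

# Required FQDNs per TCP port, copied from the table on this page (scheme dropped).
REQUIRED_FQDNS = {
    80: ["ocsp.paloaltonetworks.com", "crl.paloaltonetworks.com",
         "ocsp.godaddy.com", "crl.godaddy.com"],
    443: ["api.paloaltonetworks.com", "apitrusted.paloaltonetworks.com",
          "certificatetrusted.paloaltonetworks.com",
          "certificate.paloaltonetworks.com",
          "hawkeye.services-edge.paloaltonetworks.com",
          "dlp.hawkeye.services-edge.paloaltonetworks.com",
          "ace.hawkeye.services-edge.paloaltonetworks.com",
          "urlcat.hawkeye.services-edge.paloaltonetworks.com",
          "enforcer.hawkeye.services-edge.paloaltonetworks.com"],
}
# Evidence storage IPs: the Default (U.S.A) row plus the E.U row of the region table.
EVIDENCE_IPS = {
    "Default": ["3.230.176.219", "3.226.106.173", "18.190.146.204",
                "3.16.224.253", "34.223.123.78", "52.27.148.95"],
    "E.U": ["3.123.172.116", "52.59.186.42"],
}

def missing_fqdns(rules):
    """rules: (hostname glob, TCP port) pairs from an egress policy (assumed format)."""
    return [(host, port) for port, hosts in REQUIRED_FQDNS.items() for host in hosts
            if not any(p == port and fnmatch(host, pat) for pat, p in rules)]

def missing_evidence_ips(allowed_cidrs, region=None):
    """Default IPs are always required; the scanning region's IPs come on top."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    needed = EVIDENCE_IPS["Default"] + (EVIDENCE_IPS[region] if region else [])
    return [ip for ip in needed
            if not any(ipaddress.ip_address(ip) in net for net in nets)]

# Constructed sample egress policy, not taken from any real deployment.
SAMPLE_RULES = [("*.paloaltonetworks.com", 80),
                ("api.paloaltonetworks.com", 443),
                ("apitrusted.paloaltonetworks.com", 443),
                ("certificate*.paloaltonetworks.com", 443),
                ("*.hawkeye.services-edge.paloaltonetworks.com", 443)]
SAMPLE_CIDRS = [ip + "/32" for ip in EVIDENCE_IPS["Default"]] + ["3.123.172.116/32"]

if __name__ == "__main__":
    for host, port in missing_fqdns(SAMPLE_RULES):
        print(f"not allowed: {host} tcp/{port}")
    for ip in missing_evidence_ips(SAMPLE_CIDRS, region="E.U"):
        print(f"not allowed: evidence storage IP {ip}")
```

On the sample policy, the subdomain wildcard does not cover the bare hawkeye.services-edge.paloaltonetworks.com host, and the two godaddy.com OCSP/CRL hosts are missed because the port 80 rule only names paloaltonetworks.com.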

FQDNs for EDM

Fully Qualified Domain Names (FQDNs) required to upload data sets for Exact Data Matching (EDM).
To successfully upload data sets to the DLP cloud service and use Exact Data Matching (EDM), you must allow access to the following FQDNs on your network.
  • https://api.dlp.paloaltonetworks.com
  • https://auth.apps.paloaltonetworks.com
  • https://prod-edm-dataset-bucket.s3.us-west-2.amazonaws.com
