Content Delivery Network Infrastructure
Focus
Focus

Content Delivery Network Infrastructure

Table of Contents

Content Delivery Network Infrastructure

Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to the Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various content and application identification functions.
The following table lists the web resources that the firewall accesses for a feature or application:
Resource
URL
Static Addresses (If a static server is required)
Application Database
  • updates.paloaltonetworks.com (Global, excluding mainland China)
  • updates.paloaltonetworks.cn (Mainland China only)
Add the following URLs to your firewall allow list if your firewall has limited access to the Internet:
  • downloads.paloaltonetworks.com:443
  • proditpdownloads.paloaltonetworks.com:443
As a best practice, set the update server to updates.paloaltonetworks.com. This allows the Palo Alto Networks firewall to receive content updates from the server closest to it in the CDN infrastructure.
If you want additional reference information or are experiencing connectivity and update download issues, please refer to: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001UtRCAU
The Palo Alto Networks ThreatVault database includes information about vulnerabilities, exploits, viruses, and spyware threats. Firewall features, including DNS security and the Antivirus profile, use the following resource to retrieve threat ID information to create exceptions:
  • data.threatvault.paloaltonetworks.com
us-static.updates.paloaltonetworks.com
Add the following IPv4 or IPv6 static server address sets to your firewall allow list:
  • IPv4
    — 35.186.202.45:443 and 34.120.74.244:443
  • IPv6
    — [2600:1901:0:669::]:443 and [2600:1901:0:5162::]:443
Both IP addresses provided for a given protocol type must be added to the allow list for proper functionality.
Threat/Antivirus Database
PAN-DB URL Filtering
serverlist.urlcloud.paloaltonetworks.com
Resolves to the PAN-DB server list provider and is then redirected to one of the regional servers used to provide PAN-DB cloud services:
  • Default— s000new.urlcloud.paloaltonetworks.com
  • Americas East—pandb2dlprod.urlcloud.paloaltonetworks.com
  • Americas West—pandb2pdx1prod.urlcloud.paloaltonetworks.com
  • EMEA—pandb2am1prod.urlcloud.paloaltonetworks.com
  • APAC—pandb2ty6prod.urlcloud.paloaltonetworks.com
Static IP addresses are not available. However, you can manually resolve a URL to an IP address and allow access to the regional server IP address.

Recommended For You