Depending on the platform you are using, you must allow
traffic from different sources to connect to Strata Logging Service successfully.
If you route firewall log traffic to Strata Logging Service through a proxy
server, the firewall sends the destination IP address (not the FQDN) in the HTTP
CONNECT request for TCP/3978 connections. Connections on TCP/80, TCP/443, and
TCP/444 use FQDNs in their HTTP CONNECT requests. Proxy configurations that rely on
FQDNs or hostnames for access control will not work for TCP/3978.
To allow TCP/3978 log ingestion traffic through your proxy, configure your proxy to
permit connections to the IP addresses that the Firewall Log Ingestion FQDNs resolve
to for your region. See supported regions for the Firewall Log
Ingestion FQDNs by region, and resolve them to their current IP addresses to build
your proxy allowlist.
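As an added example (not from the Palo Alto Networks documentation), the following Python resolves the ingestion FQDNs to their current IP addresses to build a proxy allowlist, then evaluates CONNECT request lines against it to show why an FQDN-only ACL rejects the IP-literal CONNECT the firewall sends on TCP/3978 while a resolved allowlist permits it. The FQDN, the addresses returned by the stub resolver, and the request lines are constructed placeholders.

```python
import ipaddress
import socket
from typing import Callable, Iterable

# Constructed placeholder; substitute the Firewall Log Ingestion FQDNs for your region.
INGESTION_FQDNS = ["ingestion.example-region.example.invalid"]
ALLOWED_PORTS = {80, 443, 444, 3978}

def resolve_all(fqdn: str) -> list[str]:
    """Default resolver: every address the name currently resolves to."""
    infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def build_allowlist(fqdns: Iterable[str],
                    resolver: Callable[[str], list[str]] = resolve_all) -> dict[str, set[str]]:
    """Map each FQDN to its current IPs. Rebuild on a schedule, since the records change."""
    return {fqdn: set(resolver(fqdn)) for fqdn in fqdns}

def connect_target(request_line: str) -> tuple[str, int]:
    """Parse 'CONNECT host:port HTTP/1.1' into (host, port); IPv6 literals may be bracketed."""
    method, target, _version = request_line.split()
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = target.rpartition(":")
    return host.strip("[]"), int(port)

def allowed(request_line: str, allowlist: dict[str, set[str]]) -> bool:
    """Permit a CONNECT to an allowlisted FQDN, or to an IP that one of them resolves to."""
    host, port = connect_target(request_line)
    if port not in ALLOWED_PORTS:
        return False
    try:
        ipaddress.ip_address(host)          # IP literal: what the firewall sends on TCP/3978
        return any(host in ips for ips in allowlist.values())
    except ValueError:
        return host in allowlist            # hostname: what TCP/80, 443 and 444 use

def _stub_resolver(fqdn: str) -> list[str]:
    """Constructed answers so the demo runs offline; real runs use resolve_all."""
    return {INGESTION_FQDNS[0]: ["203.0.113.10", "203.0.113.11"]}.get(fqdn, [])

def demo() -> dict[str, bool]:
    names_only = {fqdn: set() for fqdn in INGESTION_FQDNS}      # FQDN-only ACL
    resolved = build_allowlist(INGESTION_FQDNS, _stub_resolver)  # FQDNs plus resolved IPs
    ip_3978 = "CONNECT 203.0.113.10:3978 HTTP/1.1"
    name_443 = "CONNECT ingestion.example-region.example.invalid:443 HTTP/1.1"
    return {"names_only_3978": allowed(ip_3978, names_only),   # False: IP not in an FQDN ACL
            "resolved_3978": allowed(ip_3978, resolved),       # True
            "resolved_443": allowed(name_443, resolved)}       # True
```

Because the resolved addresses can change, re-run build_allowlist (with resolve_all) on a schedule and push the result to the proxy rather than allowlisting the IPs once by hand.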
If you are using a Palo
Alto Networks firewall to secure traffic between Panorama, the firewalls,
and Strata Logging Service, use the following table to identify the App-IDs
and ports to which you must allow traffic to ensure that Panorama
and the firewalls can successfully connect to Strata Logging Service:
App-IDs
Ports
paloalto-logging-service (not necessary if you are using only device telemetry and do not have a Strata Logging Service license).
For OCSP, you must also allow the firewalls to access ocsp.paloaltonetworks.com on port 80.
On firewalls running PAN-OS 9.1.7 or earlier, you also need a Security policy rule that allows SSL over port 444 to lic.lc.prod.us.cs.paloaltonetworks.com.
(PAN-OS 10.0 or later) If you are sending telemetry data to Strata Logging Service, then, in addition to the above App-IDs and ports (except paloalto-logging-service), you must allow the following:
App-IDs: paloalto-device-telemetry, google-base
Ports: TCP 443, TCP 5222-5224, TCP 5228, TCP 5229
FQDNs for Panorama and PANW Firewalls
Panorama and Palo Alto Networks firewalls need to access these FQDNs for the initial setup and one-time password, ongoing certificate revocation checks, and certificate renewals.
Global FQDNs                                  Ports
http://ocsp.paloaltonetworks.com              TCP 80
http://crl.paloaltonetworks.com
http://ocsp.godaddy.com
https://api.paloaltonetworks.com              TCP 443
https://apitrusted.paloaltonetworks.com
certificatetrusted.paloaltonetworks.com
certificate.paloaltonetworks.com
*.gpcloudservice.com                          TCP 444 and TCP 443
lic.lc.prod.us.cs.paloaltonetworks.com        TCP 444
Region FQDNs
Additional region-specific FQDNs used by Panorama and the firewalls to send logs to Strata Logging Service are available here. If you have another vendor's firewall between your Palo Alto Networks firewall and Strata Logging Service, allow traffic to the FQDNs and ports for your Strata Logging Service region.