If you are using a Palo Alto Networks firewall to secure traffic between Panorama, the firewalls, and Strata Logging Service, use the following table to identify the App-IDs and ports to which you must allow traffic to ensure that Panorama and the firewalls can successfully connect to Strata Logging Service:

App-IDs                                                                                                              Ports
paloalto-logging-service (not necessary if you are using only device telemetry and do not have a Strata Logging Service license)

For OCSP, you must also allow the firewalls to access ocsp.paloaltonetworks.com on port 80. On firewalls running PAN-OS 9.1.7 or earlier, you also need a Security policy rule that allows SSL over port 444 to lic.lc.prod.us.cs.paloaltonetworks.com.
(PAN-OS 10.0 or later) If you are sending telemetry data to Strata Logging Service, then, in addition to the above App-IDs and ports (except paloalto-logging-service), you must allow the following:

App-IDs                      Ports
paloalto-device-telemetry    TCP 443
google-base                  TCP 5222-5224
                             TCP 5228
                             TCP 5229
FQDNs for Panorama and PANW Firewalls

Panorama and Palo Alto Networks firewalls need to access these FQDNs for the initial setup and one-time password, ongoing certificate revocation checks, and certificate renewals.

Global FQDNs                                 Ports
http://ocsp.paloaltonetworks.com             TCP 80
http://crl.paloaltonetworks.com
http://ocsp.godaddy.com
http://*.o.lencr.org
https://api.paloaltonetworks.com             TCP 443
https://apitrusted.paloaltonetworks.com
certificatetrusted.paloaltonetworks.com
certificate.paloaltonetworks.com
*.gpcloudservice.com                         TCP 444 and TCP 443
lic.lc.prod.us.cs.paloaltonetworks.com       TCP 444
Region FQDNs

Additional region-specific FQDNs used by Panorama and firewalls to send logs to Strata Logging Service are available here. If you have another vendor's firewall in between your Palo Alto Networks firewall and Strata Logging Service, allow traffic to the FQDNs and ports for your Strata Logging Service region.
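The following added Python audit helper (not Palo Alto Networks code) encodes the App-ID conditions and the Global FQDN table above and reports which required destinations an intermediate firewall's allow-list fails to cover. The rule shape (destination pattern, set of TCP ports or None for any), the sample rules, and the plain dotted PAN-OS version string are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Global FQDNs and TCP ports copied from the table above (URL schemes dropped;
# only the host name matters for an allow rule).
REQUIRED_FQDNS = [
    ("ocsp.paloaltonetworks.com", 80), ("crl.paloaltonetworks.com", 80),
    ("ocsp.godaddy.com", 80), ("*.o.lencr.org", 80),
    ("api.paloaltonetworks.com", 443), ("apitrusted.paloaltonetworks.com", 443),
    ("certificatetrusted.paloaltonetworks.com", 443),
    ("certificate.paloaltonetworks.com", 443),
    ("*.gpcloudservice.com", 443), ("*.gpcloudservice.com", 444),
    ("lic.lc.prod.us.cs.paloaltonetworks.com", 444),
]

def parse_version(ver):
    """'9.1.7' -> (9, 1, 7); assumes a plain dotted PAN-OS version string."""
    return tuple(int(p) for p in ver.split("."))

def required_app_ids(panos_ver, telemetry, logging_license):
    """App-IDs to allow, applying the two conditions stated on the page."""
    apps = set()
    if logging_license:  # not needed for telemetry-only deployments
        apps.add("paloalto-logging-service")
    if telemetry and parse_version(panos_ver) >= (10, 0):
        apps.update({"paloalto-device-telemetry", "google-base"})
    return apps

def rule_covers(rule, fqdn, port):
    """rule = (destination pattern, set of TCP ports, or None meaning any port).
    A wildcard rule such as '*.paloaltonetworks.com' covers a literal host; a
    required wildcard entry is covered only by a rule that matches it verbatim."""
    pattern, ports = rule
    if ports is not None and port not in ports:
        return False
    return fnmatchcase(fqdn.lower(), pattern.lower())

def missing_destinations(rules):
    """Return the required (fqdn, port) pairs that no rule in `rules` allows."""
    return [(fqdn, port) for fqdn, port in REQUIRED_FQDNS
            if not any(rule_covers(r, fqdn, port) for r in rules)]

if __name__ == "__main__":
    # Constructed sample allow-list for the intermediate firewall (assumption).
    sample_rules = [("*.paloaltonetworks.com", {80, 443}),
                    ("*.gpcloudservice.com", None), ("*.o.lencr.org", {80})]
    print("Missing:", missing_destinations(sample_rules))
    print("App-IDs:", sorted(required_app_ids("10.1.0", True, True)))
```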