: TCP Ports and FQDNs Required for Cortex Data Lake
Focus
Focus

TCP Ports and FQDNs Required for Cortex Data Lake

Table of Contents

TCP Ports and FQDNs Required for
Cortex Data Lake

List of FQDNs and ports that you must allow to ensure connectivity to
Cortex Data Lake
.
Depending on the platform you are using, you must allow traffic from different sources to connect to
Cortex Data Lake
successfully.
If you're using a proxy, ensure that it allows connections to non-standard SSL ports 3978 and 444.

App-IDs for Palo Alto Networks Firewalls

If you are using a Palo Alto Networks firewall to secure traffic between Panorama, the firewalls, and
Cortex Data Lake
, use the following table to identify the App-IDs and ports to which you must allow traffic to ensure that Panorama and the firewalls can successfully connect to
Cortex Data Lake
:
App-IDs
Ports
  • paloalto-logging-service
    (not necessary if you are using only device telemetry and do not have a
    Cortex Data Lake
    license).
  • paloalto-shared-services
  • (
    Content version earlier than 8290
    )
    panorama
  • TCP 444
  • TCP 3978
For OCSP, you must also allow the firewalls to access ocsp.paloaltonetworks.com on port 80.
On firewalls running PAN-OS 9.1.7 or earlier, you also need a Security policy rule that allows SSL over port 444 to
lic.lc.prod.us.cs.paloaltonetworks.com
.
(
PAN-OS 10.0 or later
) If you are sending telemetry data to
Cortex Data Lake
, then, in addition to the above App-IDs and ports (except
paloalto-logging-service
), you must allow the following:
App-IDs
Ports
  • paloalto-device-telemetry
  • google-base
  • TCP 443
  • TCP 5222-5224
  • TCP 5228
  • TCP 5229

FQDNs for Panorama and PANW Firewalls

Panorama and Palo Alto Networks firewalls need to access these FQDNs for the initial setup and one-time password, ongoing certificate revocation checks, and certificate renewals.
FQDNs
Ports
  • http://ocsp.paloaltonetworks.com
  • http://crl.paloaltonetworks.com
  • http://ocsp.godaddy.com
  • http://r3.o.lencr.org
TCP 80
  • https://api.paloaltonetworks.com
  • https://apitrusted.paloaltonetworks.com
  • certificatetrusted.paloaltonetworks.com
  • certificate.paloaltonetworks.com
TCP 443
*.gpcloudservice.com
TCP 444 and TCP 443
lic.lc.prod.us.cs.paloaltonetworks.com
TCP 444

Vendor Firewalls

If you have another vendor's firewall in between your Palo Alto Networks firewall and
Cortex Data Lake
, allow traffic to the FQDNs and ports for your
Cortex Data Lake
region.

Recommended For You