TCP Ports and FQDNs Required for Cortex Data Lake
List of FQDNs and ports that you must allow to ensure connectivity to Cortex Data Lake.
Depending on the platform you are using, you must allow traffic from different sources to connect to Cortex Data Lake successfully.
If you're using a proxy, ensure that it allows connections to non-standard SSL ports 3978 and 444.
App-IDs for Palo Alto Networks Firewalls
If you are using a Palo Alto Networks firewall to secure traffic between Panorama, the firewalls, and Cortex Data Lake, use the following table to identify the App-IDs and ports to which you must allow traffic to ensure that Panorama and the firewalls can successfully connect to Cortex Data Lake:
paloalto-logging-service (not necessary if you are using only device telemetry and do not have a Cortex Data Lake license). | |
For OCSP, you must also allow the firewalls to access ocsp.paloaltonetworks.com on port 80.
On firewalls running PAN-OS 9.1.7 or earlier, you also need a Security policy rule that allows SSL over port 444 to lic.lc.prod.us.cs.paloaltonetworks.com.
(PAN-OS 10.0 or later) If you are sending telemetry data to Cortex Data Lake, then, in addition to the above App-IDs and ports (except paloalto-logging-service), you must allow the following:
paloalto-device-telemetry | TCP 443, TCP 5222-5224, TCP 5228, TCP 5229 |
FQDNs for Panorama and PANW Firewalls
Panorama and Palo Alto Networks firewalls need to access these FQDNs for the initial setup and one-time password, ongoing certificate revocation checks, and certificate renewals.
http://ocsp.paloaltonetworks.com, http://crl.paloaltonetworks.com | TCP 80 |
https://api.paloaltonetworks.com, https://apitrusted.paloaltonetworks.com, certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com | TCP 443 |
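
The following Python script is an added example, not Palo Alto Networks code: it audits an egress allowlist against the FQDNs and ports listed above and checks whether a proxy's permitted CONNECT ports include 3978 and 444. The `(host_glob, port_spec)` rule format, the function names and the sample rules are assumptions made for illustration.

```python
import fnmatch
import socket

# (FQDN, TCP port) pairs taken from the FQDN table and notes on this page.
REQUIRED = [
    ("ocsp.paloaltonetworks.com", 80),
    ("crl.paloaltonetworks.com", 80),
    ("api.paloaltonetworks.com", 443),
    ("apitrusted.paloaltonetworks.com", 443),
    ("certificatetrusted.paloaltonetworks.com", 443),
    ("certificate.paloaltonetworks.com", 443),
    # Needed only on PAN-OS 9.1.7 or earlier (SSL over port 444).
    ("lic.lc.prod.us.cs.paloaltonetworks.com", 444),
]
PROXY_SSL_PORTS = {3978, 444}  # non-standard SSL ports a proxy must permit

def parse_ports(spec):
    """Expand a port spec such as '443,5222-5224' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def missing_endpoints(rules, required=REQUIRED):
    """Return required (fqdn, port) pairs that no (host_glob, port_spec) rule covers."""
    parsed = [(glob.lower(), parse_ports(spec)) for glob, spec in rules]
    return [(h, p) for h, p in required
            if not any(fnmatch.fnmatchcase(h, g) and p in ports for g, ports in parsed)]

def missing_proxy_ports(connect_ports):
    """Return the non-standard SSL ports absent from a proxy's CONNECT port list."""
    return sorted(PROXY_SSL_PORTS - parse_ports(connect_ports))

def probe(host, port, timeout=5.0):
    """Live check from the firewall's network: True if the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample allowlist with two gaps: CRL on port 80 and the port-444 endpoint.
SAMPLE_RULES = [("ocsp.paloaltonetworks.com", "80"), ("*.paloaltonetworks.com", "443")]

if __name__ == "__main__":
    print("uncovered:", missing_endpoints(SAMPLE_RULES))
    print("proxy ports missing:", missing_proxy_ports("443,3978"))
```

Once the static audit reports no gaps, `probe()` can be run over `REQUIRED` from a host behind the same egress path to confirm the rules behave as written.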
Vendor Firewalls
If you are using another vendor’s firewall, allow traffic to the FQDNs and ports for your Cortex Data Lake region.