TCP Ports and FQDNs Required for Strata Logging Service

List of FQDNs and ports that you must allow to ensure connectivity to Strata Logging Service.
Where Can I Use This?
What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (PAN-OS or Panorama Managed)
  • NGFW (Managed by Strata Cloud Manager)
  • Strata Logging Service
Depending on the platform you are using, you must allow traffic from different sources to connect to Strata Logging Service successfully.
If you're using a proxy, ensure that it allows connections to non-standard SSL ports 3978 and 444.

App-IDs for Palo Alto Networks Firewalls

If you are using a Palo Alto Networks firewall to secure traffic between Panorama, the firewalls, and Strata Logging Service, use the following table to identify the App-IDs and ports to which you must allow traffic to ensure that Panorama and the firewalls can successfully connect to Strata Logging Service:
App-IDs:
  • paloalto-logging-service (not necessary if you are using only device telemetry and do not have a Strata Logging Service license).
  • paloalto-shared-services
  • (Content version earlier than 8290) panorama
Ports:
  • TCP 444
  • TCP 3978
For OCSP, you must also allow the firewalls to access ocsp.paloaltonetworks.com on port 80.
On firewalls running PAN-OS 9.1.7 or earlier, you also need a Security policy rule that allows SSL over port 444 to lic.lc.prod.us.cs.paloaltonetworks.com.
(PAN-OS 10.0 or later) If you are sending telemetry data to Strata Logging Service, then, in addition to the above App-IDs and ports (except paloalto-logging-service), you must allow the following:
App-IDs:
  • paloalto-device-telemetry
  • google-base
Ports:
  • TCP 443
  • TCP 5222-5224
  • TCP 5228
  • TCP 5229

FQDNs for Panorama and PANW Firewalls

Panorama and Palo Alto Networks firewalls need to access these FQDNs for the initial setup and one-time password, ongoing certificate revocation checks, and certificate renewals.
FQDNs and ports:
  • http://ocsp.paloaltonetworks.com (TCP 80)
  • http://crl.paloaltonetworks.com (TCP 80)
  • http://ocsp.godaddy.com (TCP 80)
  • http://r3.o.lencr.org (TCP 80)
  • https://api.paloaltonetworks.com (TCP 443)
  • https://apitrusted.paloaltonetworks.com (TCP 443)
  • certificatetrusted.paloaltonetworks.com (TCP 443)
  • certificate.paloaltonetworks.com (TCP 443)
  • *.gpcloudservice.com (TCP 444 and TCP 443)
  • lic.lc.prod.us.cs.paloaltonetworks.com (TCP 444)
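The following added example (not part of the original documentation or any Palo Alto Networks tooling) audits a proxy or upstream-firewall egress allowlist against the FQDN and port pairs listed above and reports what is still blocked. The rule format, the function name missing_egress, and the sample allowlist are assumptions made for illustration; region-specific FQDNs are not listed on this page and are not covered.

```python
from fnmatch import fnmatchcase

# Required destinations and TCP ports, copied from the FQDN list on this page.
REQUIRED = {
    "ocsp.paloaltonetworks.com": {80},
    "crl.paloaltonetworks.com": {80},
    "ocsp.godaddy.com": {80},
    "r3.o.lencr.org": {80},
    "api.paloaltonetworks.com": {443},
    "apitrusted.paloaltonetworks.com": {443},
    "certificatetrusted.paloaltonetworks.com": {443},
    "certificate.paloaltonetworks.com": {443},
    "*.gpcloudservice.com": {443, 444},
    "lic.lc.prod.us.cs.paloaltonetworks.com": {444},
}

# Constructed sample allowlist: a proxy that only permits the standard
# web ports, which is the case the page warns about for port 444.
SAMPLE_RULES = [
    ("*.paloaltonetworks.com", {80, 443}),
    ("*.gpcloudservice.com", {443}),
    ("ocsp.godaddy.com", {80}),
]

def missing_egress(allow_rules):
    """Return {fqdn: [ports still blocked]} for every required destination.

    allow_rules is a list of (host_pattern, ports). Assumption: '*' in a
    pattern matches any characters, including dots. A rule for one specific
    host does not satisfy a required wildcard entry, because the service may
    use any name under that domain.
    """
    gaps = {}
    for fqdn, ports in REQUIRED.items():
        allowed = set()
        for pattern, rule_ports in allow_rules:
            if fnmatchcase(fqdn, pattern.lower()):
                allowed |= set(rule_ports)
        blocked = ports - allowed
        if blocked:
            gaps[fqdn] = sorted(blocked)
    return gaps

if __name__ == "__main__":
    for fqdn, ports in missing_egress(SAMPLE_RULES).items():
        print(f"blocked: {fqdn} TCP {', '.join(map(str, ports))}")
```

Check how your proxy or firewall actually evaluates wildcards (some match a single label only) and adjust the matching accordingly.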

Vendor Firewalls

If you have another vendor's firewall in between your Palo Alto Networks firewall and Strata Logging Service, allow traffic to the FQDNs and ports for your Strata Logging Service region.
