TCP Ports and FQDNs Required for Cortex Data Lake

List of FQDNs and ports that you must allow to ensure connectivity to Cortex Data Lake.

Depending on the platform you are using, you must allow traffic from different sources to connect to Cortex Data Lake successfully.

App-IDs for Palo Alto Networks Firewalls

FQDNs for Panorama and PANW Firewalls

Vendor Firewalls

App-IDs for Palo Alto Networks Firewalls

If you are using a Palo Alto Networks firewall to secure traffic between Panorama, the firewalls, and Cortex Data Lake, use the following table to identify the App-IDs and ports to which you must allow traffic to ensure that Panorama and the firewalls can successfully connect to Cortex Data Lake:

App-IDs	Ports
paloalto-logging-service (not necessary if you are using only device telemetry and do not have a Cortex Data Lake license). paloalto-shared-services (`Content version earlier than 8290`) panorama	TCP 444 TCP 3978

For OCSP, you must also allow the firewalls to access ocsp.paloaltonetworks.com on port 80.

On firewalls running PAN-OS 9.1.7 or earlier, you also need a Security policy rule that allows SSL over port 444 to

lic.lc.prod.us.cs.paloaltonetworks.com

(PAN-OS 10.0 or later) If you are sending telemetry data to Cortex Data Lake, then, in addition to the above App-IDs and ports (except

paloalto-logging-service

), you must allow the following:

App-IDs	Ports
paloalto-device-telemetry google-base	TCP 443 TCP 5222-5224 TCP 5228 TCP 5229

FQDNs for Panorama and PANW Firewalls

Panorama and Palo Alto Networks firewalls need to access these FQDNs for the initial setup and one-time password, ongoing certificate revocation checks, and certificate renewals.

FQDNs	Ports
http://ocsp.paloaltonetworks.com http://crl.paloaltonetworks.com http://ocsp.godaddy.com	TCP 80
https://api.paloaltonetworks.com https://apitrusted.paloaltonetworks.com certificatetrusted.paloaltonetworks.com certificate.paloaltonetworks.com	TCP 443
*.gpcloudservice.com	TCP 444 and TCP 443

Vendor Firewalls

If you are using another vendor’s firewall, use the following table to identify the fully qualified domain names (FQDNs) and ports to which you must allow traffic to ensure that Panorama and the firewalls can successfully connect to Cortex Data Lake.

FQDNs and Ports used per Region	Description
United States - Americas: .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.us.cdl.paloaltonetworks.com (TCP 3978) firewall-prd1.us2.cent1.cdl.paloaltonetworks.com (TCP 3978) pcl-prd1.us.cdl.paloaltonetworks.com (TCP 444) fei-prd1.us.cdl.paloaltonetworks.com (TCP port 443) eal-prd1.us2.cent1.cdl.paloaltonetworks.com (TCP port 443) br-prd1.us.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)	Use the FQDNs that match the Cortex Data Lake region to which your firewalls and Panorama connect: The firewalls use the FQDN on port 3978 and 444 to forward logs to Cortex Data Lake. Panorama uses the FQDNs on port 444 to connect to Cortex Data Lake for other log query and validity checks.
Netherlands - Europe: .lc.prod.eu.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.nl.cdl.paloaltonetworks.com (TCP 3978) pcl-prd1.nl.cdl.paloaltonetworks.com (TCP 444) fei-prd1.nl.cdl.paloaltonetworks.com (TCP port 443) br-prd1.nl.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
United Kingdom: .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.uk.cdl.paloaltonetworks.com (TCP 3978) pcl-prd1.uk.cdl.paloaltonetworks.com (TCP 444) fei-prd1.uk.cdl.paloaltonetworks.com (TCP port 443) br-prd1.uk.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
Singapore: .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.sg1.se1.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.sg1.se1.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.sg1.se1.cdl.paloaltonetworks.com (TCP port 443) br-prd1.sg1.se1.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
Canada: .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.ca1.ne1.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.ca1.ne1.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.ca1.ne1.cdl.paloaltonetworks.com (TCP port 443) br-prd1.ca1.ne1.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
Japan: .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.jp1.ne1.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.jp1.ne1.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.jp1.ne1.cdl.paloaltonetworks.com (TCP port 443) br-prd1.jp1.ne1.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
Australia: .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.au1.se1.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.au1.se1.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.au1.se1.cdl.paloaltonetworks.com (TCP port 443) br-prd1.au1.se1.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
Germany (DE): .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.de1.ew3.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.de1.ew3.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.de1.ew3.cdl.paloaltonetworks.com/ (TCP port 443) br-prd1.de1.ew3.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
India (IN): .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.in1.as1.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.in1.as1.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.in1.as1.cdl.paloaltonetworks.com (TCP 443) br-prd1.in1.as1.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
Switzerland (CH): .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.ch1.ew6.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.ch1.ew6.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.ch1.ew6.cdl.paloaltonetworks.com (TCP 443) br-prd1.ch1.ew6.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
United States - Government: .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-gov.gov.cdl.paloaltonetworks.com (TCP port 3978) pcl-gov1.us1.cent1.gov.cdl.paloaltonetworks.com (TCP port 444) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) br-gov1.us1.cent1.gov.cdl.paloaltonetworks.com (TCP port 443) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)

FQDNs and Ports used per Region	Description
United States - Americas: .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.us.cdl.paloaltonetworks.com (TCP 3978) firewall-prd1.us2.cent1.cdl.paloaltonetworks.com (TCP 3978) pcl-prd1.us.cdl.paloaltonetworks.com (TCP 444) fei-prd1.us.cdl.paloaltonetworks.com (TCP port 443) eal-prd1.us2.cent1.cdl.paloaltonetworks.com (TCP port 443) br-prd1.us.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)	Use the FQDNs that match the Cortex Data Lake region to which your firewalls and Panorama connect: The firewalls use the FQDN on port 3978 and 444 to forward logs to Cortex Data Lake. Panorama uses the FQDNs on port 444 to connect to Cortex Data Lake for other log query and validity checks.
Netherlands - Europe: .lc.prod.eu.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.nl.cdl.paloaltonetworks.com (TCP 3978) pcl-prd1.nl.cdl.paloaltonetworks.com (TCP 444) fei-prd1.nl.cdl.paloaltonetworks.com (TCP port 443) br-prd1.nl.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
United Kingdom: .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.uk.cdl.paloaltonetworks.com (TCP 3978) pcl-prd1.uk.cdl.paloaltonetworks.com (TCP 444) fei-prd1.uk.cdl.paloaltonetworks.com (TCP port 443) br-prd1.uk.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
Singapore: .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.sg1.se1.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.sg1.se1.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.sg1.se1.cdl.paloaltonetworks.com (TCP port 443) br-prd1.sg1.se1.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
Canada: .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.ca1.ne1.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.ca1.ne1.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.ca1.ne1.cdl.paloaltonetworks.com (TCP port 443) br-prd1.ca1.ne1.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
Japan: .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.jp1.ne1.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.jp1.ne1.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.jp1.ne1.cdl.paloaltonetworks.com (TCP port 443) br-prd1.jp1.ne1.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
Australia: .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.au1.se1.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.au1.se1.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.au1.se1.cdl.paloaltonetworks.com (TCP port 443) br-prd1.au1.se1.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
Germany (DE): .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.de1.ew3.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.de1.ew3.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.de1.ew3.cdl.paloaltonetworks.com/ (TCP port 443) br-prd1.de1.ew3.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
India (IN): .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.in1.as1.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.in1.as1.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.in1.as1.cdl.paloaltonetworks.com (TCP 443) br-prd1.in1.as1.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
Switzerland (CH): .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-prd1.ch1.ew6.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.ch1.ew6.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.ch1.ew6.cdl.paloaltonetworks.com (TCP 443) br-prd1.ch1.ew6.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)
United States - Government: .lc.prod.us.cs.paloaltonetworks.com and .cdl.paloaltonetworks.com firewall-gov.gov.cdl.paloaltonetworks.com (TCP port 3978) pcl-gov1.us1.cent1.gov.cdl.paloaltonetworks.com (TCP port 444) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) br-gov1.us1.cent1.gov.cdl.paloaltonetworks.com (TCP port 443) storage.googleapis.com (TCP port 443) registry.gov.cdl.paloaltonetworks.com (TCP port 443)

Document:Cortex Data Lake Getting Started

TCP Ports and FQDNs Required for Cortex Data Lake

Table of Contents

TCP Ports and FQDNs Required for Cortex Data Lake

App-IDs for Palo Alto Networks Firewalls

FQDNs for Panorama and PANW Firewalls

Vendor Firewalls

Most Popular

Recommended For You

Document:Cortex Data Lake Getting Started

TCP Ports and FQDNs Required for Cortex Data Lake

Table of Contents

TCP Ports and FQDNs Required for Cortex Data Lake

App-IDs for Palo Alto Networks Firewalls

FQDNs for Panorama and PANW Firewalls

Vendor Firewalls

Most Popular

Recommended For You

Recommended Videos