If you are using a Palo Alto Networks firewall to secure traffic between Panorama, the firewalls, and Cortex Data Lake, use the App-ID

paloalto-logging-service

in a Security policy rule to allow Panorama and the firewalls to connect to Cortex Data Lake and forward logs on TCP 444 and 3978, the default ports for the application. If your firewall has an Applications and Threats content earlier than 8290, you must also allow the

panorama

app-id in a security policy rule.

If you are using another vendor’s firewall, use the following table to identify the fully qualified domain names (FQDNs) and ports to which you must allow traffic to ensure that Panorama and the firewalls can successfully connect to Cortex Data Lake.

FQDNs and Ports used per Region	Description
Americas (US): *.lc.prod.us.cs.paloaltonetworks.com and *.cdl.paloaltonetworks.com firewall-prd1.us.cdl.paloaltonetworks.com (TCP 3978) pcl-prd1.us.cdl.paloaltonetworks.com (TCP 444) fei-prd1.us.cdl.paloaltonetworks.com (TCP port 443) br-prd1.us.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444)	Use the FQDNs that match the Cortex Data Lake region to which your firewalls and Panorama connect: The firewalls use the FQDN on port 3978 and 444 to forward logs to Cortex Data Lake. Panorama uses the FQDNs on port 444 to connect to Cortex Data Lake for other log query and validity checks.
Europe (Netherlands): *.lc.prod.eu.cs.paloaltonetworks.com and *.cdl.paloaltonetworks.com firewall-prd1.nl.cdl.paloaltonetworks.com (TCP 3978) pcl-prd1.nl.cdl.paloaltonetworks.com (TCP 444) fei-prd1.nl.cdl.paloaltonetworks.com (TCP port 443) br-prd1.nl.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444) A firewall forwarding logs to a Cortex Data Lake instance in the EU connects to this US-based domain only during the onboarding process.
UK: *.lc.prod.us.cs.paloaltonetworks.com and *.cdl.paloaltonetworks.com firewall-prd1.uk.cdl.paloaltonetworks.com (TCP 3978) pcl-prd1.uk.cdl.paloaltonetworks.com (TCP 444) fei-prd1.uk.cdl.paloaltonetworks.com (TCP port 443) br-prd1.uk.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444)
Singapore: *.lc.prod.us.cs.paloaltonetworks.com and *.cdl.paloaltonetworks.com firewall-prd1.sg1.se1.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.sg1.se1.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.sg1.se1.cdl.paloaltonetworks.com (TCP port 443) br-prd1.sg1.se1.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444)
Canada: *.lc.prod.us.cs.paloaltonetworks.com and *.cdl.paloaltonetworks.com firewall-prd1.ca1.ne1.cdl.paloaltonetworks.com (TCP port 3978) pcl-prd1.ca1.ne1.cdl.paloaltonetworks.com (TCP port 444) fei-prd1.ca1.ne1.cdl.paloaltonetworks.com (TCP port 443) br-prd1.ca1.ne1.cdl.paloaltonetworks.com (TCP port 443) lic.lc.prod.us.cs.paloaltonetworks.com (TCP port 444)
https://api.paloaltonetworks.com (TCP port 443) https://apitrusted.paloaltonetworks.com (TCP port 443) http://ocsp.paloaltonetworks.com/ http://crl.paloaltonetworks.com/ http://ocsp.godaddy.com/ (TCP port 80) *.gpcloudservice.com ( TCP port 444)	Panorama needs to access these FQDNs for the initial setup and one-time password, and for ongoing certificate revocation checks. For OCSP, you must also allow the firewalls to access ocsp.paloaltonetworks.com on port 80.