Resources Required to Enable Access to Cortex XDR Collectors
Cortex
XDR
CollectorsDepending on your network environment settings, you should
enable network access to the Cortex XDR Collectors resources.
To enable access to
Cortex
XDR
Collectors components,
you must allow access to various Palo Alto Networks resources. If
you use the specific Palo Alto Networks App-IDs indicated in the
table, you do not need to explicitly allow access to the resource.
A dash (—) indicates there is no App-ID coverage for a resource.Some of the IP addresses required for access are registered
in the United States. As a result, some GeoIP databases do not correctly
pinpoint the location in which IP addresses are used. All customer
data is stored in your deployment region, regardless of the IP address
registration and restricts data transmission through any infrastructure
to that region. For considerations, see Plan
Your Cortex XDR Deployment.
Throughout this topic, refers
to the chosen subdomain of your is
the region in which your Cortex Data Lake is deployed. For supported
regions, see Plan
Your Cortex XDR Deployment.
<xdr-tenant>
Cortex
XDR
tenant and <region>
Refer to the following tables for the FQDNs, IP addresses, ports,
and App-ID coverage for your deployment.
For IP address ranges in GCP, refer to the following
tables for IP address coverage for your deployment.
- https://www.gstatic.com/ipranges/goog.json—Refer to this list to look up and allow access to the IP address ranges subnets.
- https://www.gstatic.com/ipranges/cloud.json—Refer to this list to look up and allow access to the IP address ranges associated with your region.
FQDN | IP Addresses and Port | App-ID Coverage |
|---|---|---|
<xdr-tenant> .xdr.<region> .paloaltonetworks.comUsed
to connect to the Cortex XDR management
console. | IP address by region:
Port—443 | cortex-xdr |
distributions.traps.paloaltonetworks.com Used
for the first request in registration flow where the agent passes
the distribution id and obtains the ch- of
its tenant<xdr-tenant> .traps.paloaltonetworks.com |
| traps-management-service |
panw-xdr-installers-prod-us.storage.googleapis.com Used
to download installers for upgrade actions from the server. This
storage bucket is used for all regions. |
| cortex-xdr |
global-content-profiles-policy.storage.googleapis.com Used
to download content updates. |
| cortex-xdr |
ch- <xdr-tenant> .traps.paloaltonetworks.comUsed
for all other requests between the agent and its tenant server including
heartbeat, uploads, action results, and scan reports. | IP address by region:
Port—443 | traps-management-service |
api- <xdr-tenant> .xdr.<region> .paloaltonetworks.comUsed
for API requests and responses. | IP address by region:
| — |
Log Forwarding to a Syslog
Receiver | ||
FQDN | IP Addresses and Port | App-ID Coverage | Required for Cortex XDR Collectors |
|---|---|---|---|
distributions-prod-fed.traps.paloaltonetworks.com Used
for the first request in registration flow where the agent passes
the distribution ID and obtains the ch- of
its tenant<xdr-tenant> .traps.paloaltonetworks.com |
| traps-management-service |  |
panw-xdr-installers-prod-fr.storage.googleapis.com Used
to download installers for upgrade actions from the server. |
| cortex-xdr | |
global-content-profiles-policy-prod-fr.storage.googleapis.com Used
to download content updates. |
| cortex-xdr | |
ch- <xdr-tenant> .traps.paloaltonetworks.comUsed
for all other requests between the agent and its tenant server including
heartbeat, uploads, action results, and scan reports. |
| traps-management-service | |
api- <xdr-tenant> .xdr.federal.paloaltonetworks.comUsed
for API requests and responses. |
| — | |
Log Forwarding to a Syslog
Receiver | |||
