Resources Required to Enable Access to Cortex® XDR™

Depending on your network environment settings, you should enable network access to the Cortex® XDR™ resources.
To enable access to Cortex® XDR™ components, you must allow access to various Palo Alto Networks resources. If you use the specific Palo Alto Networks App-IDs indicated in the table, you do not need to explicitly allow access to the resource. A dash (—) indicates there is no App-ID coverage for a resource.
Some of the IP addresses required for access are registered in the United States. As a result, some GeoIP databases do not correctly pinpoint the location in which IP addresses are used. In regard to customer data, Cortex Data Lake stores all data in your deployment region, regardless of the IP address registration, and restricts data transmission through any infrastructure to that region. For considerations, see Plan Your Cortex® XDR™ Deployment.
Throughout this topic, <xdr-tenant> refers to the chosen subdomain of your Cortex XDR tenant and <region> is the region in which your Cortex Data Lake is deployed (see Plan Your Cortex® XDR™ Deployment for supported regions).
Refer to the following tables for the FQDNs, IP addresses, ports, and App-ID coverage for your deployment:
For IP address ranges in GCP, refer to the following tables for IP address coverage for your deployment:
Required Resources by Region
FQDN / IP Addresses and Port / App-ID Coverage
<xdr-tenant>.xdr.<region>.paloaltonetworks.com
Used to connect to the Cortex XDR management console.
IP address by region:
  • US—35.244.250.18
  • EU—35.227.237.180
  • CA—34.120.31.199
  • UK—34.120.87.77
  • JP—35.241.28.254
  • SG—34.117.211.129
  • AU—34.120.229.65
  • DE—34.98.68.183
  • IN—35.186.207.80
Port—443
App-ID—cortex-xdr
distributions.traps.paloaltonetworks.com
Used for the first request in registration flow where the agent passes the distribution ID and obtains the ch-<xdr-tenant>.traps.paloaltonetworks.com of its tenant.
  • IP address—35.223.6.69
  • Port—443
App-ID—traps-management-service
wss://lrc-<region>.paloaltonetworks.com
Used in live terminal flow.
IP address by region:
  • US—35.190.88.43
  • EU—35.244.251.25
  • CA—35.203.99.74
  • UK—35.242.159.176
  • JP—34.84.201.32
  • SG—34.87.61.186
  • AU—35.244.66.177
  • DE—34.107.61.141
  • IN—35.200.146.253
Port—443
App-ID—cortex-xdr
panw-xdr-installers-prod-us.storage.googleapis.com
Used to download installers for upgrade actions from the server.
This storage bucket is used for all regions.
  • IP ranges in GCP
  • Port—443
App-ID—cortex-xdr
panw-xdr-payloads-prod-us.storage.googleapis.com
Used to download the executable for live terminal for Cortex XDR agents earlier than version 7.1.0.
This storage bucket is used for all regions.
  • IP ranges in GCP
  • Port—443
App-ID—cortex-xdr
global-content-profiles-policy.storage.googleapis.com
Used to download content updates.
  • IP ranges in GCP
  • Port—443
App-ID—cortex-xdr
panw-xdr-evr-prod-<region>.storage.googleapis.com
Used to download extended verdict request results in scanning.
  • IP ranges in GCP
  • Port—443
App-ID—cortex-xdr
dc-<xdr-tenant>.traps.paloaltonetworks.com
Used for EDR data upload.
IP address by region:
  • US—34.98.77.231
  • EU—34.102.140.103
  • CA—34.96.120.25
  • UK—35.244.133.254
  • JP—34.95.66.187
  • SG—34.120.142.18
  • AU—34.102.237.151
  • DE—34.107.161.143
  • IN—34.120.213.187
Port—443
App-ID—traps-management-service
ch-<xdr-tenant>.traps.paloaltonetworks.com
Used for all other requests between the agent and its tenant server including heartbeat, uploads, action results, and scan reports.
IP address by region:
  • US—34.98.77.231
  • EU—34.102.140.103
  • CA—34.96.120.25
  • UK—35.244.133.254
  • JP—34.95.66.187
  • SG—34.120.142.18
  • AU—34.102.237.151
  • DE—34.107.161.143
  • IN—34.120.213.188
Port—443
App-ID—traps-management-service
api-<xdr-tenant>.xdr.<region>.paloaltonetworks.com
Used for API requests and responses.
IP address by region:
  • US—35.222.81.194
  • EU—34.90.67.58
  • CA—35.203.82.121
  • UK—34.89.56.78
  • JP—34.84.125.129
  • SG—34.87.83.144
  • AU—35.189.18.208
  • DE—34.107.57.23
  • IN—35.200.158.164
Port—443
cc-<xdr-tenant>.traps.paloaltonetworks.com
Used for get-verdict requests.
IP address by region:
  • US—35.224.140.142
  • EU—2 34.90.71.103
  • CA—35.203.35.23
  • UK—34.89.42.214
  • JP—34.84.225.105
  • SG—35.247.161.94
  • AU—35.201.23.188
  • DE—34.90.71.103
  • IN—35.244.57.196
Port—443
App-ID—traps-management-service
Broker VM Resources
Required for deployments that use Broker VM features
br-<xdr-tenant>.xdr.<region>.paloaltonetworks.com
IP address by region:
  • US—104.155.131.72
  • EU—34.91.128.226
  • CA—34.95.8.232
  • UK—35.197.219.110
  • JP—34.85.74.43
  • SG—34.87.167.125
  • AU—35.244.93.0
  • DE—35.198.112.13
  • IN—35.200.234.99
Port—443
distributions-prod-us.traps.paloaltonetworks.com
  • IP address—35.223.6.69
  • Port—443
App-ID—cortex-xdr
  • time.google.com
  • pool.ntp.org
UDP port—123
App Login and Authentication
identity.paloaltonetworks.com (SSO)
  • IP address—34.107.215.35
  • Port—443
login.paloaltonetworks.com (SSO)
  • IP address—34.107.190.184
  • Port—443
In-App Help Center and Notifications
data.pendo.io
Port—443
pendo-static-5664029141630976.storage.googleapis.com
Port—443
Log Forwarding to a Syslog Receiver
Required Resources for Federal (United States - Government)
FQDN / IP Addresses and Port / App-ID Coverage
distributions-prod-fed.traps.paloaltonetworks.com
Used for the first request in registration flow where the agent passes the distribution ID and obtains the ch-<xdr-tenant>.traps.paloaltonetworks.com of its tenant.
  • IP address—104.198.132.24
  • Port—443
App-ID—traps-management-service
wss://lrc-fed.paloaltonetworks.com
Used in live terminal flow.
  • IP address—35.188.188.91
  • Port—443
App-ID—cortex-xdr
panw-xdr-installers-prod-fr.storage.googleapis.com
Used to download installers for upgrade actions from the server.
  • IP ranges in GCP
  • Port—443
App-ID—cortex-xdr
panw-xdr-payloads-prod-fr.storage.googleapis.com
Used to download the executable for live terminal for Cortex XDR agents earlier than version 7.1.0.
  • IP ranges in GCP
  • Port—443
App-ID—cortex-xdr
global-content-profiles-policy-prod-fr.storage.googleapis.com
Used to download content updates.
  • IP ranges in GCP
  • Port—443
App-ID—cortex-xdr
panw-xdr-evr-prod-fr.storage.googleapis.com
Used to download extended verdict request results in scanning.
  • IP ranges in GCP
  • Port—443
App-ID—cortex-xdr
app-proxy.federal.paloaltonetworks.com
  • IP address—104.155.148.118
  • Port—443
dc-<xdr-tenant>.traps.paloaltonetworks.com
Used for EDR data upload.
  • IP address—130.211.195.231
  • Port—443
App-ID—traps-management-service
ch-<xdr-tenant>.traps.paloaltonetworks.com
Used for all other requests between the agent and its tenant server including heartbeat, uploads, action results, and scan reports.
  • IP address—130.211.195.231
  • Port—443
App-ID—traps-management-service
api-<xdr-tenant>.xdr.federal.paloaltonetworks.com
Used for API requests and responses.
  • IP address—130.211.195.231
  • Port—443
cc-<xdr-tenant>.traps.paloaltonetworks.com
Used for get-verdict requests.
  • IP address—35.222.50.74
  • Port—443
App-ID—traps-management-service
Broker VM Resources
Required for deployments that use Broker VM features
br-<xdr-tenant>.xdr.federal.paloaltonetworks.com:443
  • IP address—34.71.185.11
  • Port—443
  • time.google.com
  • pool.ntp.org
UDP port—123
App Login and Authentication
identity.paloaltonetworks.com (SSO)
  • IP address—34.107.215.35
  • Port—443
login.paloaltonetworks.com (SSO)
  • IP address—34.107.190.184
  • Port—443
In-App Help Center and Notifications
data.pendo.io
Port—443
pendo-static-5664029141630976.storage.googleapis.com
Port—443
Log Forwarding to a Syslog Receiver
