Setup Prerequisites for Enterprise DLP

Ports, fully qualified domain names, and IP addresses required to enable Enterprise Data Loss Prevention (E-DLP).
Where Can I Use This?
  • Panorama
  • Strata Cloud Manager
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • (Panorama) Device management license
  • (Panorama) Support license
  • (Strata Cloud Manager) Prisma Access license
  • (Strata Cloud Manager) AIOps for NGFW Premium license
  • (Strata Cloud Manager) AIOps for NGFW Free license
Below are the fully qualified domain names (FQDNs), network ports, and IP addresses that must be allowed. These tables describe the network settings required to forward traffic for inspection and verdict rendering by Enterprise Data Loss Prevention (E-DLP), as well as the network settings required for specific Enterprise DLP features.

Ports and FQDNs

Firewalls managed by a Panorama™ management server or Strata Cloud Manager need access to the following FQDNs, and the listed ports must be open on the network, to successfully forward traffic for inspection by the DLP cloud service.
| FQDNs | Ports |
|---|---|
| http://ocsp.paloaltonetworks.com | TCP 80 |
| http://crl.paloaltonetworks.com | TCP 80 |
| http://ocsp.godaddy.com | TCP 80 |
| http://crl.godaddy.com | TCP 80 |
| https://api.paloaltonetworks.com | TCP 443 |
| https://apitrusted.paloaltonetworks.com | TCP 443 |
| certificatetrusted.paloaltonetworks.com | TCP 443 |
| certificate.paloaltonetworks.com | TCP 443 |
| hawkeye.services-edge.paloaltonetworks.com | TCP 443 |
| dlp.hawkeye.services-edge.paloaltonetworks.com | TCP 443 |
| ace.hawkeye.services-edge.paloaltonetworks.com | TCP 443 |
| urlcat.hawkeye.services-edge.paloaltonetworks.com | TCP 443 |
| enforcer.hawkeye.services-edge.paloaltonetworks.com | TCP 443 |

IP Addresses for Evidence Storage

Allow access to the following IP addresses on the hypervisor where you created the evidence storage bucket to automatically store files scanned by the DLP cloud service that match your Enterprise DLP data profile for firewalls managed by Panorama or Strata Cloud Manager.
  • You must allow the Default IP addresses to successfully connect your evidence storage bucket to Enterprise DLP.
  • To automatically store inspected files, the IP addresses you need to allow depend on the region or zone where the file will be scanned by Enterprise DLP.
  • To download stored files from your evidence storage bucket, you may also need to allow the specific user IP addresses.
| Region | IP Address |
|---|---|
| APAC | 13.228.151.58, 52.74.82.77 |
| Australia | 13.54.198.248, 52.63.9.154 |
| Canada | 15.222.125.234, 99.79.19.33 |
| E.U | 3.123.172.116, 52.59.186.42 |
| India | 15.207.246.3, 3.108.103.214 |
| Japan | 3.115.43.201, 35.72.148.77, 35.74.96.38, 52.68.52.77 |
| U.K | 13.43.141.10, 18.169.44.228, 35.177.5.4, 52.56.54.90 |
| (Default) U.S.A | 3.230.176.219, 3.226.106.173, 18.190.146.204, 3.16.224.253, 34.223.123.78, 52.27.148.95 |
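
The following Python check is an added example, not part of the vendor documentation: it compares an existing evidence-bucket allowlist (IPs or CIDRs) against the Default addresses plus the addresses of each region where files are scanned, as listed above. The function names and the sample allowlist are assumptions made for illustration.

```python
import ipaddress

# Region -> evidence-storage IP addresses, copied from the table on this page.
EVIDENCE_IPS = {
    "APAC": ["13.228.151.58", "52.74.82.77"],
    "Australia": ["13.54.198.248", "52.63.9.154"],
    "Canada": ["15.222.125.234", "99.79.19.33"],
    "E.U": ["3.123.172.116", "52.59.186.42"],
    "India": ["15.207.246.3", "3.108.103.214"],
    "Japan": ["3.115.43.201", "35.72.148.77", "35.74.96.38", "52.68.52.77"],
    "U.K": ["13.43.141.10", "18.169.44.228", "35.177.5.4", "52.56.54.90"],
    "U.S.A": ["3.230.176.219", "3.226.106.173", "18.190.146.204",
              "3.16.224.253", "34.223.123.78", "52.27.148.95"],
}
DEFAULT_REGION = "U.S.A"  # the page marks this row "(Default)"; always required


def required_ips(scan_regions):
    """Default addresses plus those of every region where files are scanned."""
    regions = [DEFAULT_REGION] + [r for r in scan_regions if r != DEFAULT_REGION]
    return {ip: r for r in regions for ip in EVIDENCE_IPS[r]}


def audit_allowlist(allow_entries, scan_regions):
    """Compare a bucket allowlist (IPs or CIDRs) with what the page requires.

    Returns (missing, unexplained): required IPs not covered by any entry, and
    entries that cover no required IP (to review: user download IPs or stale rules).
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in allow_entries]
    need = required_ips(scan_regions)
    missing = {ip: region for ip, region in need.items()
               if not any(ipaddress.ip_address(ip) in n for n in nets)}
    unexplained = [str(n) for n in nets
                   if not any(ipaddress.ip_address(ip) in n for ip in need)]
    return missing, unexplained


if __name__ == "__main__":
    # Constructed sample allowlist: one U.S.A address is absent, and
    # 203.0.113.0/24 (a documentation range) stands in for an unrelated rule.
    sample = ["3.230.176.219", "3.226.106.173", "18.190.146.204", "3.16.224.253",
              "34.223.123.78", "3.123.172.116/32", "52.59.186.42", "203.0.113.0/24"]
    missing, unexplained = audit_allowlist(sample, ["E.U"])
    print("missing:", missing)
    print("review:", unexplained)
```

Entries reported for review are not necessarily wrong, since user IP addresses allowed for downloading stored files will appear there.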

FQDNs for Exact Data Matching (EDM)

To successfully upload data sets to the DLP cloud service and use Exact Data Matching (EDM), you must allow access to the following FQDNs on your network.
  • https://api.dlp.paloaltonetworks.com
  • https://auth.apps.paloaltonetworks.com
  • https://prod-edm-dataset-bucket.s3.us-west-2.amazonaws.com
