Prisma SASE FedRAMP Moderate and High FQDNs

Table of Contents

Prisma SASE FedRAMP Moderate and High Locations

Prisma SASE FedRAMP Moderate and High CDL IP Address Blocks

Prisma SASE FedRAMP Moderate and High FQDNs

Learn which fully qualified domains (FQDNs) are supported for use in Prisma SASE FedRAMP Moderate and High environments.

Because Palo Alto Networks enforces strict incoming Security policy rules for Prisma SASE FedRAMP tenants, you must provide Palo Alto Networks customer services with a list of fully qualified domains (FQDNs) for the administrative users who will be accessing your environment. After you submit a support ticket with these FQDNs, customer services will create an allow list for them, which will let users log in from these FQDNs and access the environment.

Moderate FQDNs

The following are FedRAMP Moderate FQDNs.

Product	Domain
ADEM	agents.dem.prismaaccess.com api-fed-mod-prod-1-us-central1.dem.prismaaccess.com agents-fed-mod-prod-1-us-central1.dem.prismaaccess.com probes-fed-mod-prod-1-us-central1.dem.prismaaccess.com controller-fed-mod-prod-1-us-central1.dem.prismaaccess.com updates-fed-mod-prod-1-us-central1.dem.prismaaccess.com features-fed-mod-prod-1-us-central1.dem.prismaaccess.com
API Gateway	https://api.fed.prismaaccess.com/getPrismaAccessIP/v2
App Services (Hub & CIE)	Hub apps.paloaltonetworks.com Logging Service Portal logging-service.apps.paloaltonetworks.com SASE Portal stratacloudmanager.paloaltonetworks.com Auth Service auth.apps.paloaltonetworks.com App Registry app-registry-service.apps.paloaltonetworks.com Directory Sync Portal directory-sync.gov.apps.paloaltonetworks.com Directory Sync API app-directory-sync.gov.apps.paloaltonetworks.com Directory Sync Agent agent-directory-sync.gov.apps.paloaltonetworks.com Cloud Auth cloud-auth.gov.apps.paloaltonetworks.com Cloud Auth Service cloud-auth-service.gov.apps.paloaltonetworks.com SCIM Sync Service scim-sync.gov.apps.paloaltonetworks.com
CASB (SaaS API / SSPM)	https://sase-saas-api.saas.pubsec-cloud.paloaltonetworks.com https://api.saas.pubsec-cloud.paloaltonetworks.com https://app.saas.pubsec-cloud.paloaltonetworks.com https://orchestrator-api.saas.pubsec-cloud.paloaltonetworks.com https://authz.saas.pubsec-cloud.paloaltonetworks.com https://filecache.saas.pubsec-cloud.paloaltonetworks.com
CASB (SaaS Inline)	https://sase-saas-api.saas.pubsec-cloud.paloaltonetworks.com https://api-prod-us.saas-inline.pubsec-cloud.paloaltonetworks.com
Cloud Management	https://admin.mod.gov.panorama.paloaltonetworks.com https://paas-2.mod.gov.panorama.paloaltonetworks.com 34.122.198.113 34.60.19.192
`Strata Logging Service`	Source IP Addresses for Log Forwarding 34.67.50.64/28 Firewall Log Ingestion firewall-gov.gov.cdl.paloaltonetworks.com Port 3978 .in2-lc-prod-gov-us.gpcloudservice.com Port 3978 Enhanced Application Log Ingestion fei-gov1.us1.cent1.gov.cdl.paloaltonetworks.com Port 443 .fei-lc-prod-gov-us.gpcloudservice.com Port 444 Telemetry and GlobalProtect Troubleshooting Log Ingestion br-gov1.us1.cent1.gov.cdl.paloaltonetworks.com Port 443 storage.googleapis.com Port 443 Log Access from Panorama pcl-gov1.us1.cent1.gov.cdl.paloaltonetworks.com Port 444 cdl-gov1.us1.cent1.gov.cdl.paloaltonetworks.com Port 443 *.api2-lc-prod-gov-us.gpcloudservice.com Port 444
DLP	https://gov.dlp.pubsec-cloud.paloaltonetworks.com
Insights	HTTPS: pa-usgov01.api.prismaaccess.com MTLS: pa-service-api-usgov01.api.prismaaccess.com
IoT	https://fedramp-banff-api-elb.iot-gov.paloaltonetworks.com 34.208.130.221 52.11.205.69 44.236.140.29
Lumos V&R	api.mod.prod.reporting.paloaltonetworks.com 34.29.53.115
Prisma SASE Multitenant Portal	https://pa-us01.api.prismasasegov.com/api/cloud/2.0/agg https://api.paloaltonetworks.com/mt/monitor/v1/agg with x-panw-region header as gov
`Prisma SD-WAN`	*.prismasasegov.com
Panorama	`Strata Logging Service`-gov1.us1.cent1.gov.`Strata Logging Service`.paloaltonetworks.com .api2-lc-prod-gov.gpcloudservice.com .fei-lc-prod-gov.gpcloudservice.com Br-gov1.us1.cent1.gov.`Strata Logging Service`.paloaltonetworks.com lic.lc.prod.us.cs.paloaltonetworks.com api.us1.cent1.gov.`Strata Logging Service`.paloaltonetworks.com sdwanapps-pa-panorama-autofedramptf.hood.cloudgenix.com sdwanapps-pa-panorama.rogers.prismasasegov.com sdwanapps-pa-panorama.campbel.prismasasegov.com
PanOS Cloud Component	hawkeye.services-edge.pubsec-cloud.paloaltonetworks.com enforcer.hawkeye.services-edge.pubsec-cloud.paloaltonetworks.com iot.services-edge.pubsec-cloud.paloaltonetworks.com enforcer.iot.services-edge.pubsec-cloud.paloaltonetworks.com
Wildfire	pubsec-cloud.wildfire.paloaltonetworks.com 35.230.63.175
ZTNA Connector	locator.cgnx.net controller-autofedramptf.rogers.cgnx.net

High FQDNs

The following are FedRAMP High FQDNs.

Product	Domain
ADEM	api.dem.prismasasegov.com api-il4-prod-us-central1.dem.prismasasegov.com agents.dem.prismasasegov.com agents-il4-prod-us-central1.dem.prismasasegov.com probes.dem.prismasasegov.com probes-il4-prod-us-central1.dem.prismasasegov.com controller.dem.prismasasegov.com controller-il4-prod-us-central1.dem.prismasasegov.com
API Gateway	https://api.highprod.prismasasegov.com/getPrismaAccessIP/v2
`Strata Logging Service`	United States Government (High) Source IP Addresses for Log Forwarding 34.132.154.128/28 Firewall Log Ingestion Firewall-highgov.us1.cent1.highgov.cdl.paloaltonetworks.com Port 3978 .in2-lc-prod-gov-us.gpcloudservice.com Port 3978 Enhanced Application Log Ingestion Fei-highgov1.us1.cent1.highgov.cdl.paloaltonetworks.com Port 443 .fei-lc-prod-gov-us.gpcloudservice.com Port 444 Telemetry and GlobalProtect Troubleshooting Log Ingestion br-highgov1.us1.cent1.highgov.cdl.paloaltonetworks.com Port 443 Storage.googleapis.com Port 443 Log Access from Panorama Pcl-highgov1.us1.cent1.highgov.cdl.paloaltonetworks.com Port 444 Cdl-highgov1.us1.cent1.highgov.cdl.paloaltonetworks.com Port 443 .api2-lc-prod-gov-us.gpcloudservice.com Port 444 License and Tenant Mapping Check lic.lc.prod.us.cs.paloaltonetworks.com Port 444 registry.highgov.cdl.paloaltonetworks.com Port 443 Firewall Log Ingestion firewall-highgov.us1.cent1.highgov.cdl.paloaltonetworks.com Port 3978 .in2-lc-prod-gov-us.gpcloudservice.com Port 3978 Enhanced Application Log Ingestion fei-highgov1.us1.cent1.highgov.cdl.paloaltonetworks.com Port 443 .fei-lc-prod-gov-us.gpcloudservice.com Port 444 Telemetry and GlobalProtect Troubleshooting Log Ingestion br-highgov1.us1.cent1.highgov.cdl.paloaltonetworks.com Port 443 storage.googleapis.com Port 443 Log Access from Panorama pcl-highgov1.us1.cent1.highgov.cdl.paloaltonetworks.com Port 444 cdl-highgov1.us1.cent1.highgov.cdl.paloaltonetworks.com Port 443 .api2-lc-prod-gov-us.gpcloudservice.com Port 444
CIE/DSS	agent-directory-sync.fed.apps.paloaltonetworks.us
Cloud Management	admin.gov.panorama.paloaltonetworks.com paas-1.gov.panorama.paloaltonetworks.com
DLP	gov.dss.paloaltonetworks.com ui-gov.dss.paloaltonetworks.com api.dlp.paloaltonetworks.com vault-fh.dss.paloaltonetworks.com mongoe-fh0.dss.paloaltonetworks.com mongoe-fh1.dss.paloaltonetworks.com mongoe-fh2.dss.paloaltonetworks.com mongodb-fh-prod.dss.paloaltonetworks.com _mongodb._tcp.mongoe-fh0.dss.paloaltonetworks.com _mongodb._tcp.mongoe-fh1.dss.paloaltonetworks.com _mongodb._tcp.mongoe-fh2.dss.paloaltonetworks.com _mongodb._tcp.mongodb-fh-prod.dss.paloaltonetworks.com
`hub`	fed.apps.paloaltonetworks.us
Insights	*.prismasasegov.com
IoT Security	https://fedramp-banff-pentest1.iot-gov.paloaltonetworks.com
Prisma SASE Multitenant Portal	*.prismasasegov.com
Panorama	`Strata Logging Service`-gov1.us1.cent1.gov.`Strata Logging Service`.paloaltonetworks.com .api2-lc-prod-gov.gpcloudservice.com .fei-lc-prod-gov.gpcloudservice.com Br-gov1.us1.cent1.gov.`Strata Logging Service`.paloaltonetworks.com Lic.lc.prod.us.cs.paloaltonetworks.com api.us1.cent1.gov.`Strata Logging Service`.paloaltonetworks.com
PanOS CC (Cloud Component)	dlp.gov-hawkeye.services-edge.paloaltonetworks.com urlcat.gov-hawkeye.services-edge.paloaltonetworks.com ace.gov-hawkeye.services-edge.paloaltonetworks.com enforcer.gov-hawkeye.services-edge.paloaltonetworks.com gov-hawkeye.services-edge.paloaltonetworks.com
`Prisma Access`	*.prismasasegov.com
SaaS	https://ingestion-prod-us.gov.adv-saas-vis.paloaltonetworks.com/ https://api-prod-us.gov.adv-saas-vis.paloaltonetworks.com/ https://*.gov.saasprod.paloaltonetworks.com/ enforcer.gov-iot.services-edge.paloaltonetworks.com gov-iot.services-edge.paloaltonetworks.com
SASE Portal	fed.sase.paloaltonetworks.us
`Prisma SD-WAN`	*.prismasasegov.com
Wildfire	gov-cloud.wildfire.paloaltonetworks.com govgvs.wildfire.paloaltonetworks.com

Prisma SASE FedRAMP Moderate and High Locations

Prisma SASE FedRAMP Moderate and High CDL IP Address Blocks

FedRAMP Docs

Prisma SASE FedRAMP Moderate and High FQDNs

FedRAMP Docs

Prisma SASE FedRAMP Moderate and High FQDNs

Moderate FQDNs

High FQDNs

Activation & Onboarding

SASE

Cloud-Delivered Security Services

Network Security