Prisma SASE FedRAMP Moderate FQDNs
Learn which fully qualified domain names (FQDNs) are supported for use in Prisma SASE FedRAMP Moderate environments.
Because Palo Alto Networks enforces strict incoming Security policy rules for Prisma SASE FedRAMP tenants, you must provide Palo Alto Networks customer services with a list of FQDNs for the administrative users who will be accessing your environment. After you submit a support ticket with these FQDNs, customer services creates an allow list for them, which lets users log in from these FQDNs and access the environment.
The following are the FedRAMP Moderate FQDNs, listed by product (product name first, then its domains).
ADEM
  • agents.dem.prismaaccess.com
  • api-fed-mod-prod-1-us-central1.dem.prismaaccess.com
  • agents-fed-mod-prod-1-us-central1.dem.prismaaccess.com
  • probes-fed-mod-prod-1-us-central1.dem.prismaaccess.com
  • controller-fed-mod-prod-1-us-central1.dem.prismaaccess.com
  • updates-fed-mod-prod-1-us-central1.dem.prismaaccess.com
  • features-fed-mod-prod-1-us-central1.dem.prismaaccess.com
ADNS
  • dns-fedm.service.paloaltonetworks.com
    In PAN-OS 12.2 (and later), ADNS includes APIs that are hosted by filemgr. Both sets of APIs (those hosted independently and those managed by filemgr) work in tandem, so you must set the FQDN for both to target your respective environment. The FQDN for filemgr is hawkeye.services-edge.pubsec-cloud.paloaltonetworks.com.
API Gateway
  • https://api.fed.prismaaccess.com/getPrismaAccessIP/v2
App Services (Hub & CIE)
  • Hub
    apps.paloaltonetworks.com
  • Logging Service Portal
    logging-service.apps.paloaltonetworks.com
  • SASE Portal
    stratacloudmanager.paloaltonetworks.com
  • Auth Service
    auth.apps.paloaltonetworks.com
  • App Registry
    app-registry-service.apps.paloaltonetworks.com
  • Directory Sync Portal
    directory-sync.gov.apps.paloaltonetworks.com
  • Directory Sync API
    app-directory-sync.gov.apps.paloaltonetworks.com
  • Directory Sync Agent
    agent-directory-sync.gov.apps.paloaltonetworks.com
  • Cloud Auth
    cloud-auth.gov.apps.paloaltonetworks.com
  • Cloud Auth Service
    cloud-auth-service.gov.apps.paloaltonetworks.com
  • SCIM Sync Service
    scim-sync.gov.apps.paloaltonetworks.com
CASB (SaaS API / SSPM)
  • https://sase-saas-api.saas.pubsec-cloud.paloaltonetworks.com
  • https://api.saas.pubsec-cloud.paloaltonetworks.com
  • https://app.saas.pubsec-cloud.paloaltonetworks.com
  • https://orchestrator-api.saas.pubsec-cloud.paloaltonetworks.com
  • https://authz.saas.pubsec-cloud.paloaltonetworks.com
  • https://filecache.saas.pubsec-cloud.paloaltonetworks.com
CASB (SaaS Inline)
  • https://sase-saas-api.saas.pubsec-cloud.paloaltonetworks.com
  • https://api-prod-us.saas-inline.pubsec-cloud.paloaltonetworks.com
Cloud Management
  • https://admin.mod.gov.panorama.paloaltonetworks.com
  • https://paas-2.mod.gov.panorama.paloaltonetworks.com
  • 34.122.198.113
  • 34.60.19.192
Strata Logging Service
  • Source IP Addresses for Log Forwarding
    34.67.50.64/28
  • Firewall Log Ingestion
    firewall-gov.gov.cdl.paloaltonetworks.com
    Port 3978
    *.in2-lc-prod-gov-us.gpcloudservice.com
    Port 3978
  • Enhanced Application Log Ingestion
    fei-gov1.us1.cent1.gov.cdl.paloaltonetworks.com
    Port 443
    *.fei-lc-prod-gov-us.gpcloudservice.com
    Port 444
  • Telemetry and GlobalProtect Troubleshooting Log Ingestion
    br-gov1.us1.cent1.gov.cdl.paloaltonetworks.com
    Port 443
    storage.googleapis.com
    Port 443
  • Log Access from Panorama
    pcl-gov1.us1.cent1.gov.cdl.paloaltonetworks.com
    Port 444
    cdl-gov1.us1.cent1.gov.cdl.paloaltonetworks.com
    Port 443
    *.api2-lc-prod-gov-us.gpcloudservice.com
    Port 444
DLP
  • https://gov.dlp.pubsec-cloud.paloaltonetworks.com
Insights
  • HTTPS: pa-usgov01.api.prismaaccess.com
  • MTLS: pa-service-api-usgov01.api.prismaaccess.com
IoT
  • https://fedramp-banff-api-elb.iot-gov.paloaltonetworks.com
  • 34.208.130.221
  • 52.11.205.69
  • 44.236.140.29
Lumos V&R
  • api.mod.prod.reporting.paloaltonetworks.com
  • 34.29.53.115
Prisma SASE Multitenant Portal
  • https://pa-us01.api.prismasasegov.com/api/cloud/2.0/agg
  • https://api.paloaltonetworks.com/mt/monitor/v1/agg with the x-panw-region header set to gov
Prisma SD-WAN
  • *.prismasasegov.com
Panorama
  • cdl-gov1.us1.cent1.gov.cdl.paloaltonetworks.com
  • *.api2-lc-prod-gov.gpcloudservice.com
  • *.fei-lc-prod-gov.gpcloudservice.com
  • br-gov1.us1.cent1.gov.cdl.paloaltonetworks.com
  • lic.lc.prod.us.cs.paloaltonetworks.com
  • api.us1.cent1.gov.cdl.paloaltonetworks.com
  • sdwanapps-pa-panorama-autofedramptf.hood.cloudgenix.com
  • sdwanapps-pa-panorama.rogers.prismasasegov.com
  • sdwanapps-pa-panorama.campbel.prismasasegov.com
PAN-OS Cloud Component
  • hawkeye.services-edge.pubsec-cloud.paloaltonetworks.com
  • enforcer.hawkeye.services-edge.pubsec-cloud.paloaltonetworks.com
  • iot.services-edge.pubsec-cloud.paloaltonetworks.com
  • enforcer.iot.services-edge.pubsec-cloud.paloaltonetworks.com
WildFire
  • pubsec-cloud.wildfire.paloaltonetworks.com
  • 35.230.63.175
ZTNA Connector
  • locator.cgnx.net
  • controller-autofedramptf.rogers.cgnx.net