NGFW FedRAMP Moderate and High FQDNs
Focus
Focus
FedRAMP

NGFW FedRAMP Moderate and High FQDNs

Table of Contents

NGFW FedRAMP Moderate and High FQDNs

Learn which fully qualified domains (FQDNs) are supported for use in Prisma SASE FedRAMP Moderate and High environments.
Because Palo Alto Networks enforces strict incoming Security policy rules for NetSec FedRAMP tenants, you must provide Palo Alto Networks customer services with a list of fully qualified domains (FQDNs) for the administrative users who will be accessing your environment. After you submit a support ticket with these FQDNs, customer services will create an allow list for them, which will let users log in from these FQDNs and access the environment.

Moderate FQDNs

The following are FedRAMP Moderate FQDNs.
ProductDomain
CASB (SaaS API / SSPM)
  • https://sase-saas-api.saas.pubsec-cloud.paloaltonetworks.com
  • https://api.saas.pubsec-cloud.paloaltonetworks.com
  • https://app.saas.pubsec-cloud.paloaltonetworks.com
  • https://orchestrator-api.saas.pubsec-cloud.paloaltonetworks.com
  • https://authz.saas.pubsec-cloud.paloaltonetworks.com
  • https://filecache.saas.pubsec-cloud.paloaltonetworks.com
CASB (SaaS Inline)
  • https://sase-saas-api.saas.pubsec-cloud.paloaltonetworks.com
  • https://api-prod-us.saas-inline.pubsec-cloud.paloaltonetworks.com
Cloud Management
  • admin-mod-prod.gov.panorama.paloaltonetworks.com
  • paas-1-mod-prod.gov.panorama.paloaltonetworks.com
  • 35.232.6.182
  • 34.170.216.242
Strata Logging Service
  • Source IP Addresses for Log Forwarding
    34.67.50.64/28
  • Firewall Log Ingestion
    firewall-gov.gov.cdl.paloaltonetworks.com
    Port 3978
    *.in2-lc-prod-gov-us.gpcloudservice.com
    Port 3978
  • Enhanced Application Log Ingestion
    fei-gov1.us1.cent1.gov.cdl.paloaltonetworks.com
    Port 443
  • *.fei-lc-prod-gov-us.gpcloudservice.com
    Port 444
  • Telemetry and GlobalProtect Troubleshooting Log Ingestion
    br-gov1.us1.cent1.gov.cdl.paloaltonetworks.com
    Port 443
    storage.googleapis.com
    Port 443
  • Log Access from Panorama
    pcl-gov1.us1.cent1.gov.cdl.paloaltonetworks.com
    Port 444
    cdl-gov1.us1.cent1.gov.cdl.paloaltonetworks.com
    Port 443
    *.api2-lc-prod-gov-us.gpcloudservice.com
    Port 444
DLPhttps://gov.dlp.pubsec-cloud.paloaltonetworks.com
IoT
  • https://fedramp-banff-api-elb.iot-gov.paloaltonetworks.com
  • 34.208.130.221
  • 52.11.205.69
  • 44.236.140.29
Lumos V&R
  • api.mod.prod.reporting.paloaltonetworks.com
  • 34.29.53.115
Panorama
  • Strata Logging Service-gov1.us1.cent1.gov.Strata Logging Service.paloaltonetworks.com
  • *.api2-lc-prod-gov.gpcloudservice.com
  • *.fei-lc-prod-gov.gpcloudservice.com
  • Br-gov1.us1.cent1.gov.Strata Logging Service.paloaltonetworks.com
  • lic.lc.prod.us.cs.paloaltonetworks.com
  • api.us1.cent1.gov.Strata Logging Service.paloaltonetworks.com
  • sdwanapps-pa-panorama-autofedramptf.hood.cloudgenix.com
  • sdwanapps-pa-panorama.rogers.prismasasegov.com
  • sdwanapps-pa-panorama.campbel.prismasasegov.com
PanOS Cloud Component
  • hawkeye.services-edge.pubsec-cloud.paloaltonetworks.com
  • enforcer.hawkeye.services-edge.pubsec-cloud.paloaltonetworks.com
  • iot.services-edge.pubsec-cloud.paloaltonetworks.com
  • enforcer.iot.services-edge.pubsec-cloud.paloaltonetworks.com
Advanced Wildfire
  • pubsec-cloud.wildfire.paloaltonetworks.com
  • 35.230.63.175

High FQDNs

The following are FedRAMP High FQDNs.
ProductDomain
Cloud Management
  • admin.gov.panorama.paloaltonetworks.com
  • paas-1.gov.panorama.paloaltonetworks.com
DLP[ul]
  • gov.dss.paloaltonetworks.com
  • ui-gov.dss.paloaltonetworks.com
  • api.dlp.paloaltonetworks.com
  • vault-fh.dss.paloaltonetworks.com
  • mongoe-fh0.dss.paloaltonetworks.com
  • mongoe-fh1.dss.paloaltonetworks.com
  • mongoe-fh2.dss.paloaltonetworks.com
  • mongodb-fh-prod.dss.paloaltonetworks.com
  • _mongodb._tcp.mongoe-fh0.dss.paloaltonetworks.com
  • _mongodb._tcp.mongoe-fh1.dss.paloaltonetworks.com
  • _mongodb._tcp.mongoe-fh2.dss.paloaltonetworks.com
  • _mongodb._tcp.mongodb-fh-prod.dss.paloaltonetworks.com
hubfed.apps.paloaltonetworks.us
IoT Securityhttps://fedramp-banff-pentest1.iot-gov.paloaltonetworks.com
Panorama
Strata Logging Service-gov1.us1.cent1.gov.Strata Logging Service.paloaltonetworks.com
*.api2-lc-prod-gov.gpcloudservice.com
*.fei-lc-prod-gov.gpcloudservice.com
Br-gov1.us1.cent1.gov.Strata Logging Service.paloaltonetworks.com
Lic.lc.prod.us.cs.paloaltonetworks.com
api.us1.cent1.gov.Strata Logging Service.paloaltonetworks.com
PanOS CC (Cloud Component)
  • dlp.gov-hawkeye.services-edge.paloaltonetworks.com
  • urlcat.gov-hawkeye.services-edge.paloaltonetworks.com
  • ace.gov-hawkeye.services-edge.paloaltonetworks.com
  • enforcer.gov-hawkeye.services-edge.paloaltonetworks.com
  • gov-hawkeye.services-edge.paloaltonetworks.com
SaaS
  • https://ingestion-prod-us.gov.adv-saas-vis.paloaltonetworks.com/
  • https://api-prod-us.gov.adv-saas-vis.paloaltonetworks.com/
  • https://*.gov.saasprod.paloaltonetworks.com/
  • enforcer.gov-iot.services-edge.paloaltonetworks.com
  • gov-iot.services-edge.paloaltonetworks.com
SASE Portalfed.sase.paloaltonetworks.us
Advanced Wildfire
  • gov-cloud.wildfire.paloaltonetworks.com
  • govgvs.wildfire.paloaltonetworks.com