Focus

Next-Generation Firewall

TCP Ports and FQDNs Required for Strata Cloud Manager

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

TCP Ports and FQDNs Required for Strata Cloud Manager

Review the TCP ports and FQDNs required to managed Palo Alto Networks Next-Gen Firewalls (NGFW) from Strata Cloud Manager.

Where Can I Use This?	What Do I Need?
`NGFW (Cloud Managed)` `VM-Series, funded with Software NGFW Credits`	`AIOps for NGFW Premium license (use the Strata Cloud Manager app)`

Review the TCP ports and Fully Qualified Domain Names (FQDN) that you must enable on your network communication and between the Palo Alto Networks Next-Gen Firewall (NGFW) and Strata Cloud Manager. Communication on these TCP ports and FQDNs must allowed on your network to successfully manage your firewalls from Strata Cloud Manager.

Connections to Strata Cloud Manager

You must allow the following app, FQDNs, and TCP ports on your network to enable connectivity between the firewall and Strata Cloud Manager.

Required App-ID and Port for Strata Cloud Manager
App-ID	TCP Port
panorama	3978

Required FQDNs and Ports for Strata Cloud Manager
Service	FQDN	TCP Ports
OCSP	ocsp.paloaltonetworks.com/ ocsp.godaddy.com	80
Virtus	US—.us.ngfw.cloudmgmt.paloaltonetworks.com EU—.eu.ngfw.cloudmgmt.paloaltonetworks.com	3978
Discovery Service	ds.cloudmgmt-paloaltonetworks.com	443

Connections to Cortex Data Lake

You must allow the following apps, FQDNs, and TCP ports on your network to forward logs from the managed firewall to Cortex Data Lake (CDL). For more details, see the TCP Ports and FQDNs Required for Cortex Data Lake (CDL).

Required App-ID and Ports for CDL
App-ID	TCP Port
paloalto-shared-services panorama	444 3978
`Required if you’re sending device telemetry data to CDL`. paloalto-device-telemetry google-base	443 5222-5224 5228 5229

Required FQDNs and Ports for CDL
Service	FQDN	TCP Ports
OCSP	ocsp.paloaltonetworks.com/ crl.paloaltonetworks.com/ ocsp.godaddy.com	80
CDL Certificates	api.paloaltonetworks.com apitrusted.paloaltonetworks.com certificatetrusted.paloaltonetworks.com certificate.paloaltonetworks.com	3978
Prisma Access	*.gpcloudservice.com	443

Connections for Firewall Certificates

You must allow the following FQDNs, and TCP ports on your network to enable your managed firewalls to install the device certificates for Strata Cloud Manager.

Service	FQDN	TCP Ports
API	api.paloaltonetworks.com apitrusted.paloaltonetworks.com	443
Device Certificates	certificatetrusted.paloaltonetworks.com certificate.paloaltonetworks.com	443

Next-Generation Firewall Docs

TCP Ports and FQDNs Required for Strata Cloud Manager

Next-Generation Firewall Docs

TCP Ports and FQDNs Required for Strata Cloud Manager

Connections to Strata Cloud Manager

Connections to Cortex Data Lake

Connections for Firewall Certificates

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner