Content Delivery Network Infrastructure

Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to the Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various content and application identification functions.
The following table lists the web resources that the firewall accesses for a feature or application:
Columns: Resource; URL; Static Addresses (if a static server is required)

Application Database
Threat/Antivirus Database
URL:
  • updates.paloaltonetworks.com (Global, excluding mainland China)
  • updates.paloaltonetworks.cn (Mainland China only)
Add the following URLs to your firewall allow list if your firewall has limited access to the Internet:
  • downloads.paloaltonetworks.com:443
  • proditpdownloads.paloaltonetworks.com:443
As a best practice, set the update server to updates.paloaltonetworks.com. This allows the Palo Alto Networks firewall to receive content updates from the server closest to it in the CDN infrastructure.
If you want additional reference information or are experiencing connectivity and update download issues, please refer to: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001UtRCAU
The Palo Alto Networks ThreatVault database includes information about vulnerabilities, exploits, viruses, and spyware threats. Firewall features, including DNS security and the Antivirus profile, use the following resource to retrieve threat ID information to create exceptions:
  • data.threatvault.paloaltonetworks.com
Static Addresses:
  • us-static.updates.paloaltonetworks.com
Add the following IPv4 or IPv6 static server address sets to your firewall allow list:
  • IPv4: 35.186.202.45:443 and 34.120.74.244:443
  • IPv6: [2600:1901:0:669::]:443 and [2600:1901:0:5162::]:443
Both IP addresses provided for a given protocol type must be added to the allow list for proper functionality.

PAN-DB URL Filtering | Advanced URL Filtering
URL:
  • *.urlcloud.paloaltonetworks.com
Resolves to the primary URL s0000.urlcloud.paloaltonetworks.com and is then redirected to the regional server that is closest:
  • s0100.urlcloud.paloaltonetworks.com
  • s0200.urlcloud.paloaltonetworks.com
  • s0300.urlcloud.paloaltonetworks.com
  • s0500.urlcloud.paloaltonetworks.com
Static Addresses:
Static IP addresses are not available. However, you can manually resolve a URL to an IP address and allow access to the regional server IP address.

DNS Security
URL:
  • Cloud: dns.service.paloaltonetworks.com:443
  • Telemetry: io.dns.service.paloaltonetworks.com:443
When downloading an allow list, dns.service.paloaltonetworks.com resolves to the following server:
  • static.dns.service.paloaltonetworks.com:443
  • data.threatvault.paloaltonetworks.com (used to create DNS exceptions)
Static Addresses:
Static IP addresses are not available.

Firewall-based inline ML:
  • URL Filtering Inline ML
  • WildFire Inline ML
URL:
  • ml.service.paloaltonetworks.com:443
Static Addresses:
Static IP addresses are not available.

WildFire
URL:
  • Cloud (report retrieval): wildfire.paloaltonetworks.com:443
WildFire cloud regions:
  • Global: wildfire.paloaltonetworks.com
  • European Union: eu.wildfire.paloaltonetworks.com
  • Japan: jp.wildfire.paloaltonetworks.com
  • Singapore: sg.wildfire.paloaltonetworks.com
  • United Kingdom: uk.wildfire.paloaltonetworks.com
  • Canada: ca.wildfire.paloaltonetworks.com
  • Australia: au.wildfire.paloaltonetworks.com
  • Germany: de.wildfire.paloaltonetworks.com
  • India: in.wildfire.paloaltonetworks.com
Static Addresses:
Static IP addresses are not available.
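
The rule that both static update-server addresses of a protocol type must be on the allow list can be checked against an exported rule list. The script below is an added example, not Palo Alto Networks code; the one-entry-per-line allow-list format and the names parse_entry, audit and SAMPLE are assumptions.

```python
import ipaddress

# Static server address sets from the table above; both addresses of a type are required.
REQUIRED = {
    "IPv4": ["35.186.202.45", "34.120.74.244"],
    "IPv6": ["2600:1901:0:669::", "2600:1901:0:5162::"],
}
PORT = 443

# Constructed sample allow list (assumed one-entry-per-line export format).
SAMPLE = [
    "# update servers",
    "35.186.202.45:443",
    "34.120.74.244/32",
    "[2600:1901:0:669::]:443",
    "[2600:1901:0:5162::]:80",  # wrong port, so this entry does not count
]


def parse_entry(entry):
    """Parse 'addr', CIDR, 'v4:port' or '[v6]:port' into (network, port or None)."""
    entry, port = entry.strip(), None
    if entry.startswith("["):  # bracketed IPv6, optional :port
        host, _, rest = entry[1:].partition("]")
        if rest.startswith(":"):
            port = int(rest[1:])
    elif entry.count(":") == 1:  # IPv4 address or CIDR with :port
        host, _, rest = entry.partition(":")
        port = int(rest)
    else:  # bare IPv4/IPv6 address or CIDR, any port
        host = entry
    return ipaddress.ip_network(host, strict=False), port


def audit(allow_list):
    """Return {protocol type: [required addresses not allowed on port 443]}."""
    rules = [parse_entry(e) for e in allow_list if e.strip()[:1] not in ("", "#")]
    missing = {}
    for family, addrs in REQUIRED.items():
        missing[family] = [
            str(ip) for ip in map(ipaddress.ip_address, addrs)
            if not any(net.version == ip.version and ip in net
                       and port in (None, PORT) for net, port in rules)
        ]
    return missing


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A protocol type with a non-empty list is incomplete: the allow list covers only part of the address set, which the table says is not sufficient for proper functionality.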
