Content Delivery Network Infrastructure

Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to the Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various content and application identification functions.
The following table lists the web resources that the firewall accesses for a feature or application:
Static Addresses (If a static server is required)
Application Database
  • (Global, excluding mainland China)
  • (Mainland China only)
Add the following URLs to your firewall allow list if your firewall has limited access to the Internet:
As a best practice, set the update server to This allows the Palo Alto Networks firewall to receive content updates from the server closest to it in the CDN infrastructure.
If you want additional reference information or are experiencing connectivity and update download issues, please refer to:
Add the following IPv4 or IPv6 static server address sets to your firewall allow list:
  • IPv4
    — and
  • IPv6
    — [2600:1901:0:669::]:443 and [2600:1901:0:5162::]:443
Both IP addresses provided for a given protocol type must be added to the allow list for proper functionality.
Threat/Antivirus Database
PAN-DB URL Filtering
Resolves to the PAN-DB server list provider and is then redirected to one of the regional servers used to provide PAN-DB cloud services:
  • Default—
  • Americas East—
  • Americas West—
  • EMEA—
  • APAC—
Static IP addresses are not available. However, you can manually resolve a URL to an IP address and allow access to the regional server IP address.

Recommended For You