Verify Panorama Port Usage
To ensure that Panorama can communicate with managed
firewalls, Log Collectors, WildFire appliances and appliance
clusters, and its high availability (HA) peer, use the following
table to verify the ports that you must open on your network. All
of these connections use TCP.
By default, Panorama uses the management (MGT) interface to manage
devices (firewalls, Log Collectors, and WildFire appliances and
appliance clusters), collect logs, communicate with Collector Groups,
and deploy software and content updates to devices. However, you
can optionally assign the log collection and Collector Group communication
functions to the Eth1 or Eth2 interfaces on an M-600, M-500, or M-200
appliance running Panorama 6.1 through 7.1. If the appliance runs
Panorama 8.0 or a later release, you can assign any function to
the Eth1, Eth2, Eth3, Eth4, or Eth5 interfaces on the M-600, M-500,
or M-200 appliance. The ports listed in the following table apply
regardless of which function you assign to which interface. For
example, if you assign log collection to MGT and assign Collector
Group communication to Eth2, then MGT will use port 3978 and Eth2 will
use port 28270. (The Panorama virtual appliance can only use the
MGT interface for all these functions.)
| Communicating Systems & Direction of Connection Establishment | Ports Used in Panorama 5.x | Ports Used in Panorama 6.x to 7.x | Ports Used in Panorama 8.x and later | Description |
|---|---|---|---|---|
| Panorama and Panorama (HA). Direction: Each peer initiates its own connection to the other | 28 | 28 | 28 | For HA connectivity and synchronization if encryption is enabled. Used for communication between Log Collectors in a Collector Group for log distribution. |
| Panorama and Panorama (HA). Direction: Each peer initiates its own connection to the other | 28769 and 28260 (5.1); 28769 and 49160 (5.0) | 28260 and 28769 | 28260 and 28769 | For HA connectivity and synchronization if encryption is not enabled. |
| Panorama and managed firewalls. Direction: Initiated by the firewall | 3978 | 3978 | 3978 | A bi-directional connection where the logs are forwarded from the firewall to Panorama, and configuration changes are pushed from Panorama to the managed firewalls. Context switching commands are sent over the same connection. |
| Panorama and Log Collector. Direction: Initiated by the Log Collector | 3978 | 3978 | 3978 | For management and log collection/reporting. Used for communication with the local Log Collector on a Panorama in Panorama mode, and for communicating with Log Collectors in a distributed log collection deployment. |
| Panorama and managed devices (firewalls, Log Collectors, and WildFire appliances and appliance clusters). Direction: | 3978 | 3978 | 28443 | Devices running PAN-OS 8.x or later releases use port 28443 to retrieve software and content update files from Panorama. Devices running 7.x or earlier releases do not retrieve update files from Panorama; Panorama pushes the update files to the devices over port 3978. Support for Panorama management of WildFire appliances and appliance clusters requires PAN-OS 8.0.1 or later installed on the managed WildFire appliances. We recommend that Panorama runs 8.0.1 or later to manage WildFire appliances and appliance clusters. |
| Log Collector to Log Collector. Direction: Each Log Collector initiates a connection to the other Log Collectors in the Collector Group | 49190 | 28270 | 28270 | For distributing blocks and all binary data between Log Collectors. |
| Panorama to Cortex Data Lake | NA | NA | 444 (version 8.0.5 and later) | For setting up a secure communication channel with the Cortex Data Lake. The managed firewalls use port 3978 to |
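The version-dependent port differences in the table above are easy to get wrong in a firewall allow-list. The following added example (not Palo Alto Networks code) encodes the table as a small lookup keyed by Panorama release and peer type, then performs a plain TCP connect check against each required port; the hostname `panorama.example.internal` is a placeholder.

```python
"""Added example (not from the Panorama documentation): derive the TCP ports a
given Panorama release needs per peer type, then test reachability of each."""
import socket

def parse_version(version: str) -> tuple:
    """Turn '8.0.5' into (8, 0, 5); missing fields default to 0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def required_ports(panorama_version: str, peer: str) -> set:
    """Ports from the page's table that must be open for one peer type."""
    v = parse_version(panorama_version)
    major = v[0]
    if peer == "ha_peer":
        ports = {28}  # HA sync when encryption is enabled
        if v < (5, 1, 0):
            ports |= {28769, 49160}  # unencrypted HA sync on Panorama 5.0
        else:
            ports |= {28769, 28260}  # unencrypted HA sync, 5.1 and later
        return ports
    if peer == "firewall":
        ports = {3978}  # logs up, config pushes down, context switching
        if major >= 8:
            ports.add(28443)  # 8.x devices pull software/content updates
        return ports
    if peer == "log_collector":
        ports = {3978}  # management and log collection/reporting
        ports.add(49190 if major < 6 else 28270)  # inter-collector binary data
        if major >= 8:
            ports.add(28443)  # Log Collectors are managed devices too
        return ports
    if peer == "cortex_data_lake":
        return {444} if v >= (8, 0, 5) else set()
    raise ValueError(f"unknown peer type: {peer}")

def check_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed' (RST received) or 'filtered' (timeout/other)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout
        return "filtered"

if __name__ == "__main__":
    # Placeholder hostname; substitute your Panorama's MGT or Eth interface.
    for port in sorted(required_ports("8.1.0", "firewall")):
        print(port, check_tcp("panorama.example.internal", port))
```

A result of "filtered" usually means an intermediate firewall is dropping the SYN rather than Panorama rejecting it, so check the path before suspecting the appliance.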