: Verify Panorama Port Usage
Focus
Focus

Verify Panorama Port Usage

Table of Contents

Verify Panorama Port Usage

To ensure that Panorama can communicate with managed firewalls, Log Collectors, and WildFire appliances and appliance clusters, and its high availability (HA) peer, use the following table to verify the ports that you must open on your network. Panorama uses TCP protocol for port communications.
By default, Panorama uses the management (MGT) interface to manage devices (firewalls, Log Collectors, and WildFire appliances and appliance clusters), collect logs, communicate with Collector Groups, and deploy software and content updates to devices. However, you can optionally assign the log collection and Collector Group communication functions to the Eth1 or Eth2 interfaces on an M-600, M-500 or M-200 appliance running Panorama 6.1 through 7.1. If the appliance runs Panorama 8.0 or a later release, you can assign any function to the Eth1, Eth2, Eth3, Eth4, or Eth5 interfaces on the M-600, M-500, or M-200 appliance. The ports listed in the following table apply regardless of which function you assign to which interface. For example, if you assign log collection to MGT and assign Collector Group communication to Eth2, then MGT will use port 3978 and Eth2 will use port 28270. (The Panorama virtual appliance can only use the MGT interface for all these functions.)
Communicating Systems & Direction of Connection Establishment
Ports Used in Panorama 5.x
Ports Used in Panorama 6.x to 7.x
Ports Used in Panorama 8.x and later
Description
Panorama and Panorama (HA)
Direction: Each peer initiates its own connection to the other
28
28
28
For HA connectivity and synchronization if encryption is enabled.
Used for communication between Log Collectors in a Collector Group for log distribution.
Panorama and Panorama (HA)
Direction: Each peer initiates its own connection to the other
28769 and 28260 (5.1)
28769 and 49160 (5.0)
28260 and 28769
28260 and 28769
For HA connectivity and synchronization if encryption is not enabled.
Panorama and managed firewalls
Direction: Initiated by the firewall
3978
3978
3978
A bi-directional connection where the logs are forwarded from the firewall to Panorama; and configuration changes are pushed from Panorama to the managed firewalls. Context switching commands are sent over the same connection.
Panorama and Log Collector
Direction: Initiated by the Log Collector
3978
3978
3978
For management and log collection/reporting.
Used for communication between the local Log Collector on a Panorama in Panorama mode, and for communicating with Log Collectors in a distributed log collection deployment.
Panorama and managed devices (firewalls, Log Collectors, and WildFire appliances and appliance clusters)
Direction:
  • Initiated by managed devices running PAN-OS 8.x or later releases.
  • Initiated by Panorama for devices running PAN-OS 7.x or earlier releases.
3978
3978
28443
Devices running PAN-OS 8.x or later releases use port 28443 to retrieve software and content update files from Panorama.
Devices running 7.x or earlier releases do not retrieve update files from Panorama; Panorama pushes the update files to the devices over port 3978.
Support for Panorama management of WildFire appliances and appliance clusters requires PAN-OS 8.0.1 or later installed on the managed WildFire appliances. We recommend that Panorama runs 8.0.1 or later to manage WildFire appliances and appliance clusters.
Log Collector to Log Collector
Direction: Each Log Collector initiates a connection to the other Log Collectors in the Collector Group
49190
28270
28270
For distributing blocks and all binary data between Log Collectors.
Panorama to Strata Logging ServiceNANA444
Version 8.0.5 and later.
For setting up a secure communication channel with the Strata Logging Service.
The managed firewalls use port 3978 to communicate with Strata Logging Service.