To ensure that Panorama can communicate with managed firewalls, Log Collectors, and its high availability (HA) peer, use the following table to verify the ports that you must open on your network. Panorama uses TCP protocol for port communications
On an M-Series appliance running Panorama 6.1 or later releases, you can optionally assign the log collection and Collector Group communication functions to the Eth1 or Eth2 interfaces (instead of to the default MGT interface). The ports listed in the following table apply regardless of which function you assign to which interface. For example, if you assign log collection to MGT and assign Collector Group communication to Eth2, then MGT will use port 3978 and Eth2 will use port 28270. (The Panorama virtual appliance can only use the MGT interface for all these functions.)
Communicating Systems & Direction of Connection Establishment Ports Used in Panorama 5.x Ports Used in Panorama 6.x and later Description
Panorama and Panorama (HA) Direction: Each peer initiates its own connection to the other 28 28 For HA connectivity and synchronization if encryption is enabled.
Panorama and Panorama (HA) Direction: Each peer initiates its own connection to the other 28769 and 28260 (5.1) 28769 and 49160 (5.0) 28260 and 28769 For HA connectivity and synchronization if encryption is not enabled.
Panorama and managed firewalls Direction: Initiated by the firewall 3978 3978 A bi-directional connection where the logs are forwarded from the firewall to Panorama; and configuration changes are pushed from Panorama to the managed firewalls. Context switching commands are sent over the same connection.
Panorama and Log Collector Direction: Initiated by the Log Collector 3978 3978 For management and log collection/reporting. Used for communication between the default Log Collector on a Panorama in Panorama mode, and for communicating with Log Collectors in a distributed log collection deployment.
Log Collector to Log Collector Direction: Each Log Collector initiates a connection to the other Log Collectors in the Collector Group 49190 28270 For distributing blocks and all binary data between Log Collectors.

Related Documentation