Enable Access to the Prisma Cloud Console
To let Prisma Cloud connect to your cloud environments for monitoring, and to let you log in to the Prisma Cloud administrative console, you must allow the following IP addresses and hostnames, which are used by the different components that make up the service.
NAT Gateway IP Addresses for Prisma Cloud
Prisma™ Cloud uses the following NAT gateway IP addresses. Review the list and update the IP addresses in your allow lists to ensure that you can access Prisma Cloud and the API for any integrations that you enabled between Prisma Cloud and your incident response workflows, and that your agentless deployment or the Prisma Cloud Defenders can communicate with the Prisma Cloud Compute Console.
In the event of disruption due to a disaster, to help back up data in a timely manner, add the Disaster Recovery (DR) IP addresses to your allow lists.
To add these IP addresses to an allow list, you may need to work with your network security team. Where you set up the allow list depends on your network architecture; it could be your firewall, proxy, or the server itself.
- The Prisma Cloud URL indicates the region where your tenant is deployed. For example, your tenant is on app3 if your URL is https://app3.prismacloud.io/.
- Find the region in the URL for Compute > Manage > System > Utilities > Path to Console. Use that region to identify the destination IP address, which you must allow or add as trusted to access the Prisma Cloud Compute console. For example, if the URL is https://us-west1.cloud.twistlock.com/us-xxxxxx, us-west1 indicates your Compute console region.
Use the table below to review the IP addresses to allow:
- Egress: from Defenders to Console.
- Ingress: from Console in to your environment.
For example, on app3, which is https://app3.prismacloud.io/, you will need an outbound security rule for the Egress IP address 34.82.51.12.
Compute requires only an outbound rule to Console for Agentless and Defender deployment communications.
For sending alerts to your environment, you’d add an inbound security rule to the Ingress IP address 104.198.109.73.
To install Prisma Cloud Defenders in a Kubernetes cluster, in addition to being able to connect to the Prisma Cloud Compute Console, the nodes in your cluster must be able to access the Prisma Cloud cloud registry at registry-auth.twistlock.com.
Prisma Cloud URL (AWS Region) | Source IP Address to Allow (Ingress) | Compute SaaS Console Region (GCP) | DR IP Address to Allow |
app.prismacloud.io us-east-1 (N. Virginia) | 3.210.133.47 34.235.13.250 44.207.239.90 3.217.51.44 3.218.144.244 34.199.10.120 34.205.176.82 34.228.96.118 52.201.19.205 (Required for Code Security integrations with network restrictions, such as self-hosted code environments.) | us-east1 (South Carolina) Egress: 34.75.54.101; Ingress: 34.74.84.51 | 52.25.108.159/32 34.213.129.111/32 44.242.81.208/32 52.40.100.6/32 54.71.172.241/32 44.236.217.120/32 |
app2.prismacloud.io us-east-2 (Ohio) | 18.116.185.157 18.223.154.151 3.136.199.10 3.16.7.30 13.59.164.228 18.191.115.70 18.218.243.39 18.221.72.80 18.223.141.221 (Required for Code Security integrations with network restrictions, such as self-hosted code environments.) | us-east1 (South Carolina) Egress: 34.75.54.101; Ingress: 34.74.84.51 | 54.176.152.228/32 54.193.231.56/32 54.219.105.0/32 52.8.73.14/32 52.52.91.251/32 54.215.34.77/32 |
app3.prismacloud.io us-west-2 (Oregon) | 44.233.39.196 52.12.85.11 54.70.207.107 34.208.190.79 52.24.59.168 52.39.60.41 52.26.142.61 54.213.143.171 54.218.131.166 (Required for Code Security integrations with network restrictions, such as self-hosted code environments.) | us-west1 (Oregon) Egress: 34.82.51.12; Ingress: 104.198.109.73 | 34.192.147.35/32 34.205.10.23/32 54.221.206.73/32 54.145.56.75/32 54.152.99.85/32 52.73.209.182/32 |
app4.prismacloud.io us-west-1 (N. California) | 184.72.47.199 54.193.251.180 54.241.31.130 13.52.27.189 13.52.105.217 13.52.157.154 13.52.175.228 52.52.50.152 52.52.110.223 (Required for Code Security integrations with network restrictions, such as self-hosted code environments.) | us-west1 (Oregon) Egress: 35.233.225.166, 34.82.51.12, 35.230.69.118, 34.82.138.152; Ingress: 104.198.109.73 | 3.18.55.196/32 3.18.59.163/32 3.141.248.48/32 3.135.129.242/32 3.22.165.22/32 3.141.146.82/32 |
app5.prismacloud.io us-east-2 (Ohio) | 3.128.141.242 3.129.241.104 3.130.104.173 3.136.191.187 13.59.109.178 18.190.115.80 | us-east1 (South Carolina) Egress: 35.196.73.150, 34.75.54.101; Ingress: 34.74.84.51 | |
app.anz.prismacloud.io ap-southeast-2 (Sydney) | 13.55.65.214 3.104.84.8 54.66.162.181 3.104.252.91 13.210.254.18 13.239.110.68 52.62.75.140 52.62.194.176 54.66.215.148 (Required for Code Security integrations with network restrictions, such as self-hosted code environments.) | asia-northeast1 (Tokyo, Japan) or australia-southeast1 (Sydney, Australia) Egress: 35.194.113.255 or 35.244.121.190; Ingress: 35.200.123.236 or 35.189.44.184 | |
app.ca.prismacloud.io ca-central-1 (Canada - Central) | 3.97.19.141 3.97.195.202 3.97.251.220 15.223.59.158 15.223.96.201 15.223.127.111 52.60.127.179 99.79.30.121 35.182.209.121 (Required for Code Security integrations with network restrictions, such as self-hosted code environments.) | northamerica-northeast1 (Montréal, Québec) Egress: 35.203.59.190; Ingress: 35.203.31.67 | |
app.prismacloud.cn cn-northwest-1 (Ningxia) | 52.82.89.61 52.82.102.153 52.82.104.173 52.83.179.1 52.83.70.13 52.83.77.73 | Compute SaaS not supported | |
app.ind.prismacloud.io | 13.126.142.108 3.108.78.191 65.0.233.228 15.207.175.101 15.207.56.212 3.108.163.21 3.109.149.80 35.154.114.39 65.1.154.7 (Required for Code Security integrations with network restrictions, such as self-hosted code environments.) | asia-south1-a (Mumbai) Egress: 35.200.249.161; Ingress: 35.200.140.118 | |
app.uk.prismacloud.io eu-west-2 (London) | 13.42.159.205 3.8.248.150 35.176.28.215 3.9.200.0 18.133.126.85 18.134.251.157 18.168.9.241 18.168.51.89 35.176.57.39 (Required for Code Security integrations with network restrictions, such as self-hosted code environments.) | europe-west2 (London) Egress: 34.105.197.208; Ingress: 34.89.87.128 | |
app.eu.prismacloud.io eu-central-1 (Frankfurt) | 18.184.42.114 3.73.209.143 3.75.34.63 3.121.64.255 3.121.248.165 3.121.107.154 18.184.105.224 18.185.81.104 52.29.141.235 (Required for Code Security integrations with network restrictions, such as self-hosted code environments.) | europe-west3 (Frankfurt, Germany) Egress: 34.107.65.220; Ingress: 34.107.91.105 | 34.247.199.145/32 3.248.43.139/32 54.73.199.140/32 52.209.24.141/32 52.211.138.79/32 52.208.61.249/32 |
app2.eu.prismacloud.io eu-west-1 (Ireland) | 52.208.88.215 54.170.230.172 54.72.135.50 18.200.200.125 3.248.26.245 99.81.226.57 52.208.244.121 18.200.207.86 63.32.161.197 (Required for Code Security integrations with network restrictions, such as self-hosted code environments.) | europe-west3 (Frankfurt, Germany) Egress: 34.89.249.72, 34.107.65.220; Ingress: 34.107.91.105 | 3.65.146.60/32 18.198.160.165/32 18.194.43.28/32 3.65.81.38/32 3.65.16.200/32 3.65.81.86/32 |
app.fr.prismacloud.io eu-west-3 (Paris) | 13.36.26.86 13.37.138.49 13.37.20.19 15.188.106.72 15.188.116.74 13.38.189.211 15.188.209.236 15.188.0.67 35.181.110.153 (Required for Code Security integrations with network restrictions, such as self-hosted code environments.) | europe-west9 (Paris, France) Egress: 34.163.186.175; Ingress: 34.163.33.98 | |
app.gov.prismacloud.io us-gov-west-1 (AWS GovCloud US-West) | 15.200.146.166 15.200.89.211 | us-west1 (Oregon) Egress: 35.233.225.166, 34.82.51.12; Ingress: 104.198.109.73 | |
app.jp.prismacloud.io ap-northeast-1 (Tokyo) | 18.178.170.193 18.182.113.156 3.114.23.157 13.114.192.248 13.230.74.246 18.180.127.96 35.75.84.20 35.76.22.242 54.249.107.1 (Required for Code Security integrations with network restrictions, such as self-hosted code environments.) | asia-northeast1-a (Tokyo, Japan, APAC) Egress: 35.200.123.236; Ingress: 35.194.113.255 | |
app.sg.prismacloud.io ap-southeast-1 (Singapore) | 13.251.200.128 18.136.72.0 18.139.106.36 13.250.248.219 18.139.183.196 52.76.28.40 52.76.70.227 52.221.36.124 52.221.157.53 (Required for Code Security integrations with network restrictions, such as self-hosted code environments.) | asia-southeast1 (Singapore) Egress: 35.198.194.238; Ingress: 34.87.137.141 | |
Data Security on Prisma Cloud US | 3.128.230.117 3.14.212.156 3.22.23.119 20.9.80.30 20.9.81.254 20.228.128.132 20.228.250.145 20.253.198.116 20.253.198.147 | | |
Data Security on Prisma Cloud EU | 3.64.66.135 18.198.52.216 3.127.191.112 20.223.237.240 20.238.97.44 20.26.194.122 51.142.252.210 51.124.198.75 51.124.199.134 | | |
Due to compliance reasons, backup/Disaster Recovery (DR) IP addresses are not supported in some regions.
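The following is an added example, not part of the Prisma Cloud documentation: it derives the Compute region from a Path to Console URL and audits an exported rule set against the app3 row of the table, reporting required addresses that no rule covers and rules that are far wider than the listed addresses. The rule-export layout, the function names and the MAX_ADDRESSES threshold are assumptions; the addresses are the app3 values from the table, with the DR column left out.

```python
import ipaddress
from urllib.parse import urlparse

# Required addresses for a tenant on app3, copied from the app3 row of the table.
REQUIRED = {
    "inbound": """44.233.39.196 52.12.85.11 54.70.207.107 34.208.190.79 52.24.59.168
                  52.39.60.41 52.26.142.61 54.213.143.171 54.218.131.166
                  104.198.109.73""".split(),  # source IPs, then Compute Ingress
    "outbound": ["34.82.51.12"],              # Compute Egress (Defenders to Console)
}
MAX_ADDRESSES = 256  # assumption: rules wider than a /24 are reported as over-broad


def compute_region(path_to_console):
    """Return the region label from a 'Path to Console' URL."""
    host = urlparse(path_to_console).hostname or ""
    if not host.endswith(".cloud.twistlock.com"):
        raise ValueError(f"not a Compute Console URL: {path_to_console!r}")
    return host.split(".")[0]


def audit(rules, required=REQUIRED):
    """Compare configured CIDRs per direction with the required addresses.

    Returns (missing, over_broad): required addresses that no rule covers,
    and configured rules that admit far more than the listed addresses.
    """
    missing, over_broad = {}, {}
    for direction, needed in required.items():
        # Accept bare IPs and CIDRs alike; a bare IP becomes a /32 network.
        nets = [ipaddress.ip_network(r, strict=False)
                for r in rules.get(direction, [])]
        missing[direction] = [
            ip for ip in needed
            if not any(ipaddress.ip_network(ip).subnet_of(n) for n in nets)
        ]
        over_broad[direction] = [str(n) for n in nets
                                 if n.num_addresses > MAX_ADDRESSES]
    return missing, over_broad


# Constructed firewall export for illustration (not a real configuration).
SAMPLE_RULES = {
    "inbound": ["44.233.39.196/32", "52.12.85.11", "54.70.207.0/24",
                "34.208.190.79", "52.24.59.168", "52.39.60.41", "52.26.142.61",
                "54.213.143.171", "54.218.131.166"],  # Compute Ingress forgotten
    "outbound": ["0.0.0.0/0"],  # reaches Console, but allows every destination
}

if __name__ == "__main__":
    print(compute_region("https://us-west1.cloud.twistlock.com/us-xxxxxx"))
    print(audit(SAMPLE_RULES))
```

An empty `missing` list only shows that the rule set covers the listed addresses; whether the rules are applied on the firewall, proxy, or server in the traffic path still has to be checked there.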
Prisma Cloud Administrative Console
Allow access to the following domains to use the Prisma Cloud user interface:
- Palo Alto Networks sub domains. You can add *.paloaltonetworks.com to include all of the following URLs:
  - apps.paloaltonetworks.com
  - autofocus.paloaltonetworks.com
  - docs.paloaltonetworks.com
  - identity.paloaltonetworks.com
  - live.paloaltonetworks.com
  - login.paloaltonetworks.com
  - support.paloaltonetworks.com
  Some additional URLs are also required for the Prisma Cloud Administrative Console.
- Prisma Cloud tenant URL. The URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. Your welcome email will include one of the following URLs that is specific to the tenant provisioned for you:
- Prisma Cloud API interface: api*.*.prismacloud.io. See API URLs for your Prisma Cloud tenant.
- URLs associated with the sign-in and status updates for Prisma Cloud
  - assets.adobedtm.com
  - cloudfront.net
  - dpm.demdex.net
  - google.com
  - google.com/recaptcha/
  - gstatic.com
  - gstatic.com/recaptcha/
  - polyfill.io
  - wss://*.prismacloud.io
- Cloud Workload Protection (CWP) capabilities: *.twistlock.com, for access to the CWP capabilities available on the Compute tab on the Prisma Cloud console.
- Cloud Network Security (CNS) / Microsegmentation capabilities: *.network.prismacloud.io, for access to the Microsegmentation capabilities that are enabled on the Network Security tab on the Prisma Cloud console.
- Code Security capabilities
  - *.bridgecrew.cloud, for the Code Security capabilities that are enabled on the Code and Settings tab on the Prisma Cloud console.
  - When using Checkov to scan repositories and report the findings, you must allow access to the following domains. If you're running Checkov within your pipeline, enable access for the machine running Checkov. If you're running the IDE extension on your local machine, enable access on the local machine.
    Prisma Cloud URL is on | API Gateway | S3 bucket for uploading findings | S3 bucket for routing to the correct S3 bucket |
    app3 | api3.prismacloud.io | bc-scanner-results-890234264427-prod.s3.us-west-2.amazonaws.com | bc-scanner-results-890234264427-prod.s3.us-west-2.amazonaws.com |
    app0 | api0.prismacloud.io | bc-scanner-results-469330042197-prod.s3.us-east-1.amazonaws.com | bc-scanner-results-469330042197-prod.s3.us-west-2.amazonaws.com |
    app | api.prismacloud.io | bc-scanner-results-838878234734-prod.s3.us-east-1.amazonaws.com | bc-scanner-results-838878234734-prod.s3.us-west-2.amazonaws.com |
    app2 | api2.prismacloud.io | bc-scanner-results-612480224350-prod.s3.us-east-2.amazonaws.com | bc-scanner-results-612480224350-prod.s3.us-west-2.amazonaws.com |
    app4 | api4.prismacloud.io | bc-scanner-results-540411623009-prod.s3.us-west-1.amazonaws.com | bc-scanner-results-540411623009-prod.s3.us-west-2.amazonaws.com |
    app5 | api5.prismacloud.io | bc-scanner-results-700766934309-prod.s3.us-east-2.amazonaws.com | bc-scanner-results-700766934309-prod.s3.us-west-2.amazonaws.com |
    app.ca | api.ca.prismacloud.io | bc-scanner-results-205367576728-prod.s3.ca-central-1.amazonaws.com | bc-scanner-results-205367576728-prod.s3.us-west-2.amazonaws.com |
    app.eu | api.eu.prismacloud.io | bc-scanner-results-836922451682-prod.s3.eu-central-1.amazonaws.com | bc-scanner-results-836922451682-prod.s3.us-west-2.amazonaws.com |
    app2.eu | api2.eu.prismacloud.io | bc-scanner-results-800009193461-prod.s3.eu-west-1.amazonaws.com | bc-scanner-results-800009193461-prod.s3.us-west-2.amazonaws.com |
    app.ind | api.ind.prismacloud.io | bc-scanner-results-018169107740-prod.s3.ap-south-1.amazonaws.com | bc-scanner-results-018169107740-prod.s3.us-west-2.amazonaws.com |
    app.fr | api.fr.prismacloud.io | bc-scanner-results-063178804405-prod.s3.eu-west-3.amazonaws.com | bc-scanner-results-063178804405-prod.s3.us-west-2.amazonaws.com |
    app-uk | api.uk.prismacloud.io | bc-scanner-results-580360239683-prod.s3.eu-west-2.amazonaws.com | bc-scanner-results-580360239683-prod.s3.us-west-2.amazonaws.com |
    app.jp | api.jp.prismacloud.io | bc-scanner-results-510882576293-prod.s3.ap-northeast-1.amazonaws.com | bc-scanner-results-510882576293-prod.s3.us-west-2.amazonaws.com |
    app.sg | api.sg.prismacloud.io | bc-scanner-results-277833049433-prod.s3.ap-southeast-1.amazonaws.com | bc-scanner-results-277833049433-prod.s3.us-west-2.amazonaws.com |
    app.anz | api.anz.prismacloud.io | bc-scanner-results-607751493482-prod.s3.ap-southeast-2.amazonaws.com | bc-scanner-results-607751493482-prod.s3.us-west-2.amazonaws.com |
- Adoption Advisor: *.ingest.sentry.io
- Launch Darkly: *.launchdarkly.com, to enable preview access to features. Also refer to the public IP address list for Launch Darkly.
- Pendo. Prisma Cloud uses Pendo for in-app analytics.
  - app.pendo.io
  - data.pendo.io
  - cdn.pendo.io
  - us.pendo.io, *.us.pendo.io
  - *.storage.googleapis.com
- Feature request submissions
  - prismacloud.ideas.aha.io
  - cdn.aha.io
  - secure.gravatar.com
  - s3.amazonaws.com
- Images and fonts
  - use.typekit.net
  - p.typekit.net
  - fonts.googleapis.com
  - *.storage.googleapis.com
  - fonts.gstatic.com
  - mt.google.com
- Palo Alto Support Portal and LiveCommunity
  - static.cloud.coveo.com
  - platform.cloud.coveo.com
  - nebula-cdn.kampyle.com
  - maxcdn.bootstrapcdn.com
  - use.fontawesome.com
  - ajax.googleapis.com
  - prod.hosted.lithcloud.com
  - static.hotjar.com
  - vars.hotjar.com
  - assets.adobedtm.com
  - paloaltonetworks.hosted.panopto.com
  - cdn.embed.ly
  - tag.demandbase.com
  - paloaltonetworks.d1.sc.omtrdc.net
  - cloudfront.net
  - cdn.pendo.io
  - data.pendo.io
  - firestore.googleapis.com
  - use.typekit.net
  - p.typekit.net
  - *.youtube.com