>
    Strata Copilot
    Allow IP Addresses in Firewall Configuration
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Prisma SD-WAN Administrator’s Guide
    4. Prisma SD-WAN Sites and Devices
    5. Allow IP Addresses in Firewall Configuration
    Download PDF
    Prisma SD-WAN

    Allow IP Addresses in Firewall Configuration

    Table of Contents

    Allow IP Addresses in Firewall Configuration

    Lets learn about the allowed IP addresses in Firewall configurations in Prisma SD-WAN.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN (Managed by Strata Cloud Manager)
    • Prisma SD-WAN
    The purpose of this document is to maintain all services that run on the ION device that require you to open ports on external firewalls.
    The public IP addresses for customer firewall configurations use a domain-based ACL / Firewall Rule. These public IPs are subject to change.
    To ensure smooth functioning of the Prisma SD-WAN services, allow the following IP URLs and/or IP addresses.
    Although we have provided Static IP addresses for each URL, we recommend that you use DNS for resolution.
    Service NameProtocolPortDirectionSource Interface IPDestination and IP Addresses
    IPSec for Prisma SD-WAN and Standard VPNsUDP4500
    Outbound at both Data Center and Branch.
    Inbound at least at one side of the connection.
    Internet Port IP on both ION devices.
    Private WAN port IP on Branch for VPNoMPLS.
    Peering Port on the Data Center side for VPNoMPLS.
    Internet Port IP on both ION devices.
    Private WAN port IP on Branch for VPNoMPLS.
    Peering Port on the Data Center side for VPNoMPLS.
    ESP for Prisma SD-WAN and Standard VPNsIP proto 50NAOutbound and Inbound
    Internet Port IP on both ION devices.
    Private WAN port IP on Branch for VPNoMPLS.
    Peering Port on the Data Center side for VPNoMPLS.
    Internet Port IP on both ION devices.
    Private WAN port IP on Branch for VPNoMPLS.
    Peering Port on the Data Center side for VPNoMPLS.
    Prisma SD-WAN access to web interfaceTCP443OutboundClient PC
    https://login.cloudgenix.com
    https://portal.cloudgenix.com
    https://api.cloudgenix.com
    https://login.elcapitan.cloudgenix.com
    https://portal.elcapitan.cloudgenix.com
    https://api.elcapitan.cloudgenix.com
    https://login.hood.cloudgenix.com
    https://portal.hood.cloudgenix.com
    https://api.hood.cloudgenix.com
    https://login.sugarloaf.cloudgenix.com
    https://portal.sugarloaf.cloudgenix.com
    https://api.sugarloaf.cloudgenix.com
    https://sase.paloaltonetworks.com
    https://stratacloudmanager.paloaltonetworks.com
    Prisma SD-WAN access to API EndpointsTCP443OutboundClient PC
    https://api.sase.paloaltonetworks.com
    https://api.elcapitan.cloudgenix.com
    https://api.sugarloaf.cloudgenix.com
    https://api.hood.cloudgenix.com
    https://api.faber.cloudgenix.com
    https://api.townsend.cloudgenix.com
    https://api.bowfell.cloudgenix.com
    https://api.everest.cloudgenix.com
    https://api.ae.bowfell.cloudgenix.com
    https://api.au.elcapitan.cloudgenix.com
    https://api.au.hood.cloudgenix.com
    https://api.au.townsend.cloudgenix.com
    https://api.br.elcapitan.cloudgenix.com
    https://api.br.hood.cloudgenix.com
    https://api.ca.elcapitan.cloudgenix.com
    https://api.ca.hood.cloudgenix.com
    https://api.ch.sugarloaf.cloudgenix.com
    https://api.cn.faber.cloudgenix.com
    https://api.de.sugarloaf.cloudgenix.com
    https://api.es.sugarloaf.cloudgenix.com
    https://api.eu.sugarloaf.cloudgenix.com
    https://api.fr.sugarloaf.cloudgenix.com
    https://api.id.faber.cloudgenix.com
    https://api.il.bowfell.cloudgenix.com
    https://api.in.elcapitan.cloudgenix.com
    https://api.in.hood.cloudgenix.com
    https://api.it.sugarloaf.cloudgenix.com
    https://api.jp.elcapitan.cloudgenix.com
    https://api.jp.hood.cloudgenix.com
    https://api.kr.faber.cloudgenix.com
    https://api.pl.sugarloaf.cloudgenix.com
    https://api.qa.bowfell.cloudgenix.com
    https://api.sa.bowfell.cloudgenix.com
    https://api.sg.elcapitan.cloudgenix.com
    https://api.sg.faber.cloudgenix.com
    https://api.sg.hood.cloudgenix.com
    https://api.tw.faber.cloudgenix.com
    https://api.uk.bowfell.cloudgenix.com
    https://api.uk.sugarloaf.cloudgenix.com
    https://api.us.elcapitan.cloudgenix.com
    https://api.us.hood.cloudgenix.com
    https://api.za.bowfell.cloudgenix.com
    ION Device to Prisma SD-WAN Cloud ControllerTCP443Outbound
    ION Controller Port IP Address (primary)
    ION Internet Port IP Address (backup)
    https://locator.cgnx.net
    Address: 18.223.78.55
    Address: 52.15.45.235
    hood:
    52.40.98.31
    34.218.98.185
    sugarloaf:
    18.200.102.82
    18.200.135.33
    faber:
    18.139.242.53
    54.255.61.109
    https://controller.elcapitan.cgnx.net
    Address: 3.23.240.174
    Address: 3.136.181.240
    https://vmfg.elcapitan.cgnx.net
    Address: 52.53.122.104
    Address: 52.53.102.7
    https://controller.hood.cgnx.net
    Address: 52.32.167.5
    Address: 54.70.168.33
    https://vmfg.hood.cgnx.net
    Address: 50.112.136.184
    Address: 34.210.34.87
    https://controller.sugarloaf.cgnx.net
    Address: 108.128.176.192
    Address: 18.200.144.58
    https://vmfg.sugarloaf.cgnx.net
    Address: 99.81.179.99
    Address: 99.80.52.255
    https://controller.faber.cgnx.net
    Address: 52.74.47.220
    Address: 13.251.109.27
    https://vmfg.faber.cgnx.net
    Address: 18.142.153.59
    Address: 52.74.58.219
    https://controller.townsend.cgnx.net
    Address: 13.55.31.41
    Address: 3.106.168.215
    https://vmfg.townsend.cgnx.net
    Address: 52.64.177.240
    Address: 13.55.164.51
    https://controller.bowfell.cgnx.net
    Address: 13.41.243.90
    Address: 18.171.17.23
    https://vmfg.bowfell.cgnx.net
    Address: 52.56.224.242
    Address: 52.56.35.36
    https://controller.everest.prismaaccess.cn
    Address: 52.81.123.152
    Address: 54.222.193.91
    https://vmfg.everest.prismaaccess.cn
    Address: 54.223.127.107
    Address: 54.223.31.31
    https://sdwan-stats-bowfell-ae.cgnx.net
    https://sdwan-stats-bowfell-il.cgnx.net
    https://sdwan-stats-bowfell-qa.cgnx.net
    https://sdwan-stats-bowfell-sa.cgnx.net
    https://sdwan-stats-bowfell-uk.cgnx.net
    https://sdwan-stats-bowfell-za.cgnx.net
    https://sdwan-stats-elcapitan-au.cgnx.net
    https://sdwan-stats-elcapitan-br.cgnx.net
    https://sdwan-stats-elcapitan-ca.cgnx.net
    https://sdwan-stats-elcapitan-in.cgnx.net
    https://sdwan-stats-elcapitan-jp.cgnx.net
    https://sdwan-stats-elcapitan-sg.cgnx.net
    https://sdwan-stats-elcapitan-us.cgnx.net
    https://sdwan-stats-everest-cn.prismaaccess.cn
    https://sdwan-stats-faber-cn.cgnx.net
    https://sdwan-stats-faber-id.cgnx.net
    https://sdwan-stats-faber-kr.cgnx.net
    https://sdwan-stats-faber-sg.cgnx.net
    https://sdwan-stats-faber-tw.cgnx.net
    https://sdwan-stats-hood-au.cgnx.net
    https://sdwan-stats-hood-br.cgnx.net
    https://sdwan-stats-hood-ca.cgnx.net
    https://sdwan-stats-hood-in.cgnx.net
    https://sdwan-stats-hood-jp.cgnx.net
    https://sdwan-stats-hood-sg.cgnx.net
    https://sdwan-stats-hood-us.cgnx.net
    https://sdwan-stats-jade-cn.cgnx.net
    https://sdwan-stats-sugarloaf-ch.cgnx.net
    https://sdwan-stats-sugarloaf-de.cgnx.net
    https://sdwan-stats-sugarloaf-es.cgnx.net
    https://sdwan-stats-sugarloaf-eu.cgnx.net
    https://sdwan-stats-sugarloaf-fr.cgnx.net
    https://sdwan-stats-sugarloaf-it.cgnx.net
    https://sdwan-stats-sugarloaf-pl.cgnx.net
    https://sdwan-stats-sugarloaf-uk.cgnx.net
    https://sdwan-stats-townsend-au.cgnx.net
    Bandwidth MonitoringTCP and UDP443Outbound
    ION Controller Port IP Address
    ION Internet Port IP Address
    Peer DC ION 7K Peering Interface IP Addresses
    Cloud service at pcm.cgnx.net
    52.25.78.62
    34.212.76.47
    54.172.15.178
    52.207.248.9
    Link QualityTCP and UDP443Outbound
    ION Controller Port IP Address
    VPN Tunnel Internal IP Address
    		Peer DC ION Peering Interface IP Addresses
    Prisma SD-WAN Web InterfaceTCP443OutboundClient PC (or NAT IP on ION)
    portal.cloudgenix.com
    login.cloudgenx.com
    api.cloudgenix.com
    portal.elcapitan.cloudgenix.com
    login.elcapitan.cloudgenx.com
    api.elcapitan.cloudgenix.com
    52.8.33.74
    52.8.122.116
    NTPUDP123Outbound
    ION Controller Port IP Address
    ION Internet Port IP Address
    		time.nist.gov
    DNSUDP and TCP53Outbound
    ION Controller Port IP Address
    ION Internet Port IP Address
    		Customer or Provider DNS servers
    WAN Layer 3
    Reachability
    		ICMPOutboundION Internet Port IP Address
    8.8.8.8
    8.8.4.4
    208.67.222.222
    208.67.220.220
    WAN Layer 3
    Reachability
    		TCP80OutboundION Internet Port IP Address
    captive.apple.com
    clients3.google.com
    Prisma SD-WAN access to SLS endpointsTCPTo access the Strata Logging Service (SLS) endpoints see, Enhanced Application Log Ingestion in every region with the FQDN or IP Address and TCP Port details in Strata Logging Service Regions based on the region that you select when you activate SLS.

    Related CLIs

    © 2026 Palo Alto Networks, Inc. All rights reserved.