Enable Access to the Traps Management Service

After you receive your account details, enable and verify access to Traps management service.
  1. To establish secure communication (TLS) to Traps management service, the endpoints, or other devices that initiate a TLS connection with Traps management service, must trust the following root CA certificates:
    • Go Daddy Secure Certificate Authority - G2
    • Baltimore CyberTrust Root
  2. If you use SSL decryption, we recommend that you do not decrypt traffic to *.traps.paloaltonetworks.com.
    To exclude Traps services from decryption, add *.traps.paloaltonetworks.com to your SSL Decryption Exclusion list. In PAN-OS 8.0 and later releases, you can configure the list in Device > Certificate Management > SSL Decryption Exclusion.
  3. In your firewall configuration, enable access to Traps management service communication servers.
    With Palo Alto Networks firewalls, we recommend that you use the App-ID traps-management-service to allow communication between Traps agents and Traps management service. To use the App-ID traps-management-service, you must install Applications and Threats content update version 793 or a later release.
    If you do not use a Palo Alto Networks firewall with App-ID:
    • Enable access to the following addresses over port 443, where <tenant> is your chosen subdomain.
      • contentprod.traps.paloaltonetworks.com—Used to host content updates.
      • distributions.traps.paloaltonetworks.com—Used for provisioning Traps agents for the first time to obtain the agent provisioning URL for the tenant.
      • ch-<tenant>.traps.paloaltonetworks.com—Used for communication between the Traps agent and the preferred Traps management service for the home region.
      • cc-<tenant>.traps.paloaltonetworks.com—Used for communication between roaming Traps agents and Traps management service.
      • <tenant>.traps.paloaltonetworks.com—Used to access your tenant of Traps management service.
      • dc-<tenant>.traps.paloaltonetworks.com—Used for EDR data collection between the Traps agent and the Traps management service.
    • Enable access to the following URLs to allow Traps agents to access Palo Alto Networks S3 buckets in AWS:
      • US region:
        • https://traps-prodng-distributions-10.s3.amazonaws.com
        • https://traps-prodng-agent-uploads-10.s3.amazonaws.com
        • https://traps-prodng-scanning-results-10.s3.amazonaws.com
        • https://traps-prodng-installers-origin-10.s3.amazonaws.com
      • EU region:
        • https://traps-prodng-distributions-70.s3.eu-central-1.amazonaws.com
        • https://traps-prodng-agent-uploads-70.s3.eu-central-1.amazonaws.com
        • https://traps-prodng-scanning-results-70.s3.eu-central-1.amazonaws.com
        • https://traps-prodng-installers-origin-70.s3.eu-central-1.amazonaws.com
    • Enable access to the following URLs to allow Live Terminal communication from Traps agents to Traps management service:
      • US region:
        • wss://lrc-us.paloaltonetworks.com
      • EU region:
        • wss://lrc-eu.paloaltonetworks.com
  4. Verify that you can access your tenant of Traps management service.
    After you download and install the Traps software on your endpoints (see Create an Installation Package and Manage Endpoint Policy), verify that the Traps agents can receive changes to the policy.
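A pre-flight check for steps 3 and 4, added here as an example and not part of the Palo Alto Networks documentation: it builds the allow-list of hosts for a tenant from the patterns above and attempts a TLS handshake to each, trusting only a CA bundle you supply (assumed to hold the two root CAs from step 1; the bundle path, the tenant name `acme` and the region are placeholders). A handshake that fails certificate verification means the presented chain was not issued under those roots, which is what you see when SSL decryption is still applied to this traffic.

```python
import socket
import ssl
from urllib.parse import urlparse

# Hostnames from step 3; {tenant} stands for the <tenant> subdomain.
TENANT_HOST_PATTERNS = (
    "contentprod.traps.paloaltonetworks.com",
    "distributions.traps.paloaltonetworks.com",
    "ch-{tenant}.traps.paloaltonetworks.com",
    "cc-{tenant}.traps.paloaltonetworks.com",
    "{tenant}.traps.paloaltonetworks.com",
    "dc-{tenant}.traps.paloaltonetworks.com",
)
# Per-region S3 and Live Terminal URLs from step 3.
REGION_URLS = {
    "us": ("https://traps-prodng-distributions-10.s3.amazonaws.com",
           "https://traps-prodng-agent-uploads-10.s3.amazonaws.com",
           "https://traps-prodng-scanning-results-10.s3.amazonaws.com",
           "https://traps-prodng-installers-origin-10.s3.amazonaws.com",
           "wss://lrc-us.paloaltonetworks.com"),
    "eu": ("https://traps-prodng-distributions-70.s3.eu-central-1.amazonaws.com",
           "https://traps-prodng-agent-uploads-70.s3.eu-central-1.amazonaws.com",
           "https://traps-prodng-scanning-results-70.s3.eu-central-1.amazonaws.com",
           "https://traps-prodng-installers-origin-70.s3.eu-central-1.amazonaws.com",
           "wss://lrc-eu.paloaltonetworks.com"),
}

def required_endpoints(tenant, region):
    """Return the (host, port) pairs the firewall must allow for this tenant."""
    endpoints = [(p.format(tenant=tenant), 443) for p in TENANT_HOST_PATTERNS]
    for url in REGION_URLS[region.lower()]:
        parsed = urlparse(url)
        endpoints.append((parsed.hostname, parsed.port or 443))  # https and wss both use 443
    return endpoints

def check_tls(host, port=443, cafile=None, timeout=5.0):
    """Handshake with host trusting only the roots in cafile (system store if None).
    Returns (status, detail): "ok" + issuer CN; "untrusted-chain" when the chain does
    not root in cafile, as when a decryption proxy is interposed; "unreachable"."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(pair[0] for pair in tls.getpeercert()["issuer"])
                return "ok", issuer.get("commonName", "")
    except ssl.SSLCertVerificationError as err:
        return "untrusted-chain", err.verify_message
    except OSError as err:  # DNS failure, connection refused, timeout
        return "unreachable", str(err)
```

Call `check_tls(host, port, cafile="traps-roots.pem")` for each pair returned by `required_endpoints("acme", "us")`; an `untrusted-chain` result on a host you expect to reach means the traffic is still being decrypted or the root CAs from step 1 are not in the bundle.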