Enable Access to the Traps Management Service

After you receive your account details, enable and verify access to Traps management service.
  1. If you enabled SSL Decryption on your Palo Alto Networks firewall, install the certificate used for decryption as a trusted root CA certificate for the system.
    Otherwise, you must add *.traps.paloaltonetworks.com to your SSL Decryption Exclusion list. In PAN-OS 8.0 and later releases, you can configure the list in Device > Certificate Management > SSL Decryption Exclusion.
  2. In your firewall configuration, enable access to Traps management service communication servers.
    With Palo Alto Networks firewalls, we recommend that you use the App-ID traps-management-service to allow communication between Traps agents and Traps management service. To use the App-ID traps-management-service, you must install Applications and Threats content update version 793 or a later release.
    If you do not use a Palo Alto Networks firewall with App-ID:
    • Enable access to the following addresses over port 443 where <tenant> is your chosen subdomain.
      • contentprod.traps.paloaltonetworks.com—Used to host content updates.
      • distributions.traps.paloaltonetworks.com—Used for provisioning Traps agents for the first time to obtain the agent provisioning URL for the tenant.
      • ch-<tenant>.traps.paloaltonetworks.com—Used for communication between the Traps agent and the preferred Traps management service for the home region.
      • cc-<tenant>.traps.paloaltonetworks.com—Used for communication between roaming Traps agents and Traps management service.
      • <tenant>.traps.paloaltonetworks.com—Used to access your tenant of Traps management service.
      • dc-<tenant>.traps.paloaltonetworks.com—Used for EDR data collection between the Traps agent and the Traps management service.
    • Enable access to the following URLs to allow Traps agents to access Palo Alto Networks S3 buckets in AWS:
      • US region:
        • https://traps-prodng-distributions-10.s3.amazonaws.com
        • https://traps-prodng-agent-uploads-10.s3.amazonaws.com
        • https://traps-prodng-scanning-results-10.s3.amazonaws.com
        • https://traps-prodng-installers-origin-10.s3.amazonaws.com
      • EU region:
        • https://traps-prodng-distributions-70.s3.eu-central-1.amazonaws.com
        • https://traps-prodng-agent-uploads-70.s3.eu-central-1.amazonaws.com
        • https://traps-prodng-scanning-results-70.s3.eu-central-1.amazonaws.com
        • https://traps-prodng-installers-origin-70.s3.eu-central-1.amazonaws.com
  3. Verify that you can access your tenant of Traps management service.
    After you download and install the Traps software on your endpoints (see Create an Installation Package) and manage endpoint policy (see Manage Endpoint Policy), verify that the Traps agents can receive changes to the policy.
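
The following added example (not Palo Alto Networks tooling) checks steps 1 and 2 from an endpoint: it expands the address list above for one tenant and region, then attempts a verified TLS handshake to each host on port 443 and reports the certificate issuer. The command-line arguments and the assumption that Python's default trust store matches the system's are choices made for this example.

```python
import socket
import ssl
import sys

# Names below are copied from the address list on this page; "10"/"70" are the
# bucket suffixes shown there for the US and EU regions.
SERVICE = ["contentprod", "distributions", "ch-{t}", "cc-{t}", "{t}", "dc-{t}"]
BUCKETS = ["distributions", "agent-uploads", "scanning-results", "installers-origin"]
S3 = {"us": ("10", "s3.amazonaws.com"), "eu": ("70", "s3.eu-central-1.amazonaws.com")}


def required_hosts(tenant, region):
    """Expand the page's host list for one tenant subdomain and region."""
    suffix, s3_domain = S3[region]
    hosts = [name.format(t=tenant) + ".traps.paloaltonetworks.com" for name in SERVICE]
    hosts += [f"traps-prodng-{b}-{suffix}.{s3_domain}" for b in BUCKETS]
    return hosts


def check_host(host, port=443, timeout=5.0):
    """Return (status, detail) after a TCP connect and verified TLS handshake.

    ok        -> handshake verified; detail is the certificate issuer, which
                 shows whether a decryption CA or a public CA signed it
    untrusted -> certificate not trusted by this system, for example the
                 decryption CA from step 1 is not installed
    blocked   -> no TCP/TLS session at all (step 2 not completed)
    """
    ctx = ssl.create_default_context()  # assumption: uses the system trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "ok", issuer.get("organizationName") or issuer.get("commonName", "?")
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", exc.verify_message
    except OSError as exc:  # refused, timed out, reset, DNS failure, other TLS errors
        return "blocked", str(exc)


if __name__ == "__main__":
    tenant, region = sys.argv[1], sys.argv[2]  # tenant subdomain, then "us" or "eu"
    for host in required_hosts(tenant, region):
        status, detail = check_host(host)
        print(f"{status:<9} {host}  {detail}")
```

An `ok` result whose issuer is your firewall's decryption CA means traffic to that host is being decrypted and trusted; a public CA issuer means the host is excluded from decryption.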
