Enable Access to the Traps Management Service

After you receive your account details, enable and verify access to Traps management service.
  1. If you enabled SSL Decryption on your Palo Alto Networks firewall, install the certificate used for decryption as a trusted root CA certificate for the system.
    Otherwise, you must add *.traps.paloaltonetworks.com to your SSL Decryption Exclusion list. In PAN-OS 8.0 and later releases, you can configure the list in Device > Certificate Management > SSL Decryption Exclusion.
  2. In your firewall configuration, enable access to Traps management service communication servers.
    With Palo Alto Networks firewalls, we recommend that you use the App-ID traps-management-service to allow communication between Traps agents and Traps management service. To use the App-ID traps-management-service, you must install Applications and Threats content update version 793 or a later release.
    If you do not use a Palo Alto Networks firewall with App-ID:
    • Enable access to the following addresses over port 443 where <tenant> is your chosen subdomain.
      • contentprod.traps.paloaltonetworks.com—Used to host content updates.
      • distributions.traps.paloaltonetworks.com—Used for provisioning Traps agents for the first time to obtain the agent provisioning URL for the tenant.
      • ch-<tenant>.traps.paloaltonetworks.com—Used for communication between the Traps agent and the preferred Traps management service for the home region.
      • cc-<tenant>.traps.paloaltonetworks.com—Used for communication between roaming Traps agents and Traps management service.
      • <tenant>.traps.paloaltonetworks.com—Used to access your tenant of Traps management service.
      • dc-<tenant>.traps.paloaltonetworks.com—Used for EDR data collection between the Traps agent and the Traps management service.
    • Enable access to the following URLs to allow Traps agents to access Palo Alto Networks S3 buckets in AWS:
      • EU region:
        • https://s3.eu-central-1.amazonaws.com/proda2-agent-uploads-70—Used for uploading files from the Traps agent to Traps management service in the EU region.
        • https://s3.eu-central-1.amazonaws.com/distributions-proda2-frankfurt—Used for provisioning Traps agents for the first time to obtain the agent provisioning URL for the tenant.
        • https://scanning-results-proda2-frankfurt.s3.eu-central-1.amazonaws.com—Used by Traps management service to store the results of a scanning report with the Traps agent.
        • https://s3.eu-central-1.amazonaws.com/installers-origin-proda2-frankfurt—Used by Traps management service to host the installers used to upgrade the Traps agents.
      • US region:
        • https://s3.amazonaws.com/proda-agent-uploads-10—Used by Traps agents to upload files to Traps management service in the US region.
        • https://s3.amazonaws.com/distributions-proda-n.virginia—Used for provisioning Traps agents for the first time to obtain the agent provisioning URL for the tenant.
        • https://s3.amazonaws.com/scanning-results-proda-n.virginia—Used by Traps agents to upload files that require analysis as indicated in a scan of the endpoint.
        • https://s3.amazonaws.com/installers-origin-proda-n.virginia—Used by Traps management service to host the installers used to upgrade the Traps agents.
    In May, Palo Alto Networks will begin migrating the URLs used for communication with Traps management service. To avoid disrupting communication, we recommend that you add both sets of URLs to your configuration. Note that Palo Alto Networks will also release an update to the traps-management-service App-ID to include the new URLs. The new URLs are as follows:
    • US region:
      • https://traps-prodng-distributions-10.s3.amazonaws.com
      • https://traps-prodng-agent-uploads-10.s3.amazonaws.com
      • https://traps-prodng-scanning-results-10.s3.amazonaws.com
      • https://traps-prodng-installers-origin-10.s3.amazonaws.com
    • EU region:
      • https://traps-prodng-distributions-70.s3-eu-central-1.amazonaws.com
      • https://traps-prodng-agent-uploads-70.s3-eu-central-1.amazonaws.com
      • https://traps-prodng-scanning-results-70.s3-eu-central-1.amazonaws.com
      • https://traps-prodng-installers-origin-70.s3-eu-central-1.amazonaws.com
  3. Verify that you can access your tenant of Traps management service.
    After you download and install the Traps software on your endpoints (see Create an Installation Package) and configure your endpoint policy (see Manage Endpoint Policy), verify that the Traps agents can receive changes to the policy.
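
The following Python script is an added example, not Palo Alto Networks code. It builds the hostnames listed in step 2 (current and migrated) for one tenant and region, then attempts a certificate-verified TLS handshake to each on port 443 so that a blocked connection can be told apart from a decryption certificate that the endpoint does not trust (step 1). The function names and the `mytenant` value are assumptions, the probe uses whatever trust store Python sees on the machine it runs on, and a host-level probe cannot confirm URL-path rules for the path-style S3 buckets.

```python
import socket
import ssl
import sys

DOMAIN = "traps.paloaltonetworks.com"
SERVICE = ["contentprod", "distributions", "ch-{t}", "cc-{t}", "{t}", "dc-{t}"]
BUCKETS = ["distributions", "agent-uploads", "scanning-results", "installers-origin"]
S3 = {  # region -> (current S3 hosts, suffix of the migrated bucket hostnames)
    "us": (["s3.amazonaws.com"], "10.s3.amazonaws.com"),
    "eu": (["s3.eu-central-1.amazonaws.com",
            "scanning-results-proda2-frankfurt.s3.eu-central-1.amazonaws.com"],
           "70.s3-eu-central-1.amazonaws.com"),
}

def required_hosts(tenant, region):
    """Return every hostname this page lists for the tenant and region."""
    current, suffix = S3[region]
    hosts = [f"{name.format(t=tenant)}.{DOMAIN}" for name in SERVICE]
    hosts += current
    hosts += [f"traps-prodng-{b}-{suffix}" for b in BUCKETS]
    return hosts

def classify(exc):
    """Map a connection error to the step on this page that addresses it."""
    if exc is None:
        return "ok"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted-cert"   # step 1: trust the decryption CA or add the exclusion
    if isinstance(exc, ssl.SSLError):
        return "tls-error"
    return "blocked"              # step 2: DNS, routing or firewall rule

def probe(host, timeout=5.0):
    """Attempt a verified TLS handshake to host:443 with the default trust store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return classify(None)
    except OSError as exc:        # ssl.SSLError and timeouts are OSError subclasses
        return classify(exc)

if __name__ == "__main__":
    tenant, region = sys.argv[1], sys.argv[2]   # e.g. mytenant eu (placeholder tenant)
    for h in required_hosts(tenant, region):
        print(f"{probe(h):15} {h}")
```

Run it from an endpoint network segment behind the firewall; an `untrusted-cert` result on a `*.traps.paloaltonetworks.com` host points to step 1, and `blocked` points to step 2.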
