Enable Access to the Traps Management Service

After you receive your account details, enable and verify access to Traps management service.
  1. Before you begin, identify the storage buckets for your Traps management service.
    US region storage buckets:
    • traps-prodng-distributions-10.s3.amazonaws.com
    • traps-prodng-agent-uploads-10.s3.amazonaws.com
    • traps-prodng-scanning-results-10.s3.amazonaws.com
    • traps-prodng-installers-origin-10.s3.amazonaws.com
    EU region storage buckets:
    • traps-prodng-distributions-70.s3.eu-central-1.amazonaws.com
    • traps-prodng-agent-uploads-70.s3.eu-central-1.amazonaws.com
    • traps-prodng-scanning-results-70.s3.central-1.amazonaws.com
    • traps-prodng-installers-origin-70.s3.eu-central-1.amazonaws.com
  2. To establish secure communication (TLS) to Traps management service, the endpoints, or other devices that initiate a TLS connection with Traps management service, must trust the following root CA certificates:
    • Go Daddy Root Certificate Authority - G2
    • Baltimore CyberTrust Root
  3. If you use SSL decryption, we recommend that you do not decrypt *.traps.paloaltonetworks.com and the regional storage buckets that you identified in Step 1.
    To exclude Traps services and storage buckets from decryption, add the domains to your SSL Decryption Exclusion list. In PAN-OS 8.0 and later releases, you can configure the list in Device > Certificate Management > SSL Decryption Exclusion.
  4. In your firewall configuration, enable access to Traps management service communication servers.
    With Palo Alto Networks firewalls, we recommend that you use the App-ID traps-management-service to allow communication between Traps agents and Traps management service. To use the App-ID traps-management-service, you must install Applications and Threats content update version 793 or a later release.
    If you do not use a Palo Alto Networks firewall with App-ID:
    • Enable access to the following addresses over port 443 where <tenant> is your chosen subdomain.
      • contentprod.traps.paloaltonetworks.com—Used to host content updates.
      • distributions.traps.paloaltonetworks.com—Used for provisioning Traps agents for the first time to obtain the agent provisioning URL for the tenant.
      • ch-<tenant>.traps.paloaltonetworks.com—Used for communication between the Traps agent and the preferred Traps management service for the home region.
      • cc-<tenant>.traps.paloaltonetworks.com—Used for communication between roaming Traps agents and Traps management service.
      • <tenant>.traps.paloaltonetworks.com—Used to access your tenant of Traps management service.
      • dc-<tenant>.traps.paloaltonetworks.com—Used for EDR data collection between the Traps agent and the Traps management service.
    • Enable HTTPS access to the storage buckets you identified in Step 1 to allow Traps agents to access Palo Alto Networks S3 buckets in AWS.
    • Enable access to allow Live Terminal communication from Traps agents to Traps management service: wss://lrc-<region>.paloaltonetworks.com where <region> is your deployment region, either us or eu.
  5. Verify that you can access your tenant of Traps management service.
    After you download and install the Traps software on your endpoints (see Create an Installation Package) and Manage Endpoint Policy, verify that the Traps agents can receive changes to the policy.
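A reachability check for the hosts listed in Step 4, as an added example that is not part of the original documentation: it expands the hostname patterns for a tenant and region and attempts a verified TLS handshake to each on port 443 using the system trust store. The tenant name `example` is a constructed placeholder, the function names are hypothetical, and the bucket list is passed in from Step 1.

```python
import socket
import ssl

# Hostname patterns copied from Step 4 of this page; {t} is the tenant subdomain.
TENANT_HOSTS = [
    "contentprod.traps.paloaltonetworks.com",
    "distributions.traps.paloaltonetworks.com",
    "ch-{t}.traps.paloaltonetworks.com",
    "cc-{t}.traps.paloaltonetworks.com",
    "{t}.traps.paloaltonetworks.com",
    "dc-{t}.traps.paloaltonetworks.com",
]


def required_hosts(tenant, region, buckets):
    """Return every host a Traps agent must reach over 443 for this tenant."""
    if region not in ("us", "eu"):
        raise ValueError("region must be 'us' or 'eu'")
    hosts = [h.format(t=tenant) for h in TENANT_HOSTS]
    # Live Terminal uses wss://, whose default port is 443.
    hosts.append(f"lrc-{region}.paloaltonetworks.com")
    hosts.extend(buckets)  # storage buckets identified in Step 1
    return hosts


def probe(host, port=443, timeout=5.0):
    """Attempt a verified TLS handshake; return (status, detail)."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "ok", issuer.get("organizationName", "unknown issuer")
    except ssl.SSLCertVerificationError as exc:
        # Chain not trusted: a missing root CA (Step 2) or a re-signing proxy.
        return "untrusted-chain", exc.verify_message
    except OSError as exc:
        # DNS failure, refused or filtered connection, timeout, other TLS error.
        return "unreachable", str(exc)


if __name__ == "__main__":
    us_buckets = [  # US region buckets from Step 1
        "traps-prodng-distributions-10.s3.amazonaws.com",
        "traps-prodng-agent-uploads-10.s3.amazonaws.com",
        "traps-prodng-scanning-results-10.s3.amazonaws.com",
        "traps-prodng-installers-origin-10.s3.amazonaws.com",
    ]
    for host in required_hosts("example", "us", us_buckets):
        print(host, *probe(host))
```

Run it from an endpoint network segment. An `ok` result whose issuer is your own decryption CA rather than a public CA means the Step 3 exclusion is not in effect for that host.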
