Enable access to required PANW resources - Learn more about enabling network access to the Cortex XDR resources. - Administrator Guide - Cortex XSIAM - Cortex XDR - Cortex

Enable access to required PANW resources - Learn more about enabling network access to the Cortex XDR resources. - Administrator Guide - Cortex XSIAM - Cortex XDR - Cortex - Security Operations

Cortex XDR 5.x Documentation

Product

Cortex XDR

License

XDR + Cloud

Creation date

2025-07-13

Last date published

2026-06-11

Note

<tenant-name> refers to the selected subdomain of your Cortex XDR tenant, and <region> is the region in which your tenant is deployed. For more information, see Cortex XDR supported regions.

The following table lists the required resources by region, including FQDNs, IP addresses, ports, and App-ID coverage for your deployment:

FQDN	IP Addresses and Port	App-ID Coverage
Egress
`<tenant-name>.xdr.<region>.paloaltonetworks.com` Used to connect to the Cortex XDR tenant.	IP address by region: US (United States): 35.244.250.18:443 EU (Europe): 35.227.237.180:443 CA (Canada): 34.120.31.199:443 UK (United Kingdom): 34.120.87.77:443 JP (Japan): 35.241.28.254:443 SG (Singapore): 34.117.211.129:443 AU (Australia): 34.120.229.65:443 DE (Germany): 34.98.68.183:443 IN (India): 35.186.207.80:443 DL (Delhi): 34.8.67.192:443 CH (Switzerland): 34.111.6.153:443 PL (Poland): 34.117.240.208:443 TW (Taiwan): 34.160.28.41:443 QT (Qatar): 35.190.0.180:443 FA (France): 34.111.134.57:443 IL (Israel): 34.111.129.144:443 SA (Saudi Arabia): 35.244.157.127:443 ID (Indonesia): 34.111.58.152:443 ES (Spain): 34.111.188.248:443 IT (Italy): 34.8.224.70:443 KR (South Korea): 34.54.5.247:443 ZA (South Africa): 34.149.165.12:443 BR (Brazil): 34.96.83.202:443	`cortex-xdr`
`distributions.traps.paloaltonetworks.com` Used for the first request in registration flow where the agent passes the distribution id and obtains the `ch-<tenant-name>.traps.paloaltonetworks.com` of its tenant.	IP address: 35.223.6.69 Port: 443	`traps-management-service`
`https://lrc-<region>.paloaltonetworks.com` `wss://lrc-<region>.paloaltonetworks.com` Used in live terminal flow.	IP address by region: US (United States): 35.190.88.43:443 EU (Europe): 35.244.251.25:443 CA (Canada): 35.203.99.74:443 UK (United Kingdom): 35.242.159.176:443 JP (Japan): 34.84.201.32:443 SG (Singapore): 34.87.61.186:443 AU (Australia): 35.244.66.177:443 DE (Germany): 34.107.61.141:443 IN (India): 35.200.146.253:443 DL (Delhi): 34.131.116.135:443 CH (Switzerland): 34.65.213.226:443 PL (Poland): 34.118.62.80:443 TW (Taiwan): 34.80.34.30:443 QT (Qatar): 34.18.34.73:443 FA (France): 34.163.57.57:443 IL (Israel): 34.165.43.106:443 SA (Saudi Arabia): 34.166.54.6:443 ID (Indonesia): 34.101.214.157:443 ES (Spain): 34.175.18.78:443 IT (Italy): 34.154.154.5:443 KR (South Korea): 34.22.66.91:443 ZA (South Africa): 34.35.56.170:443 BR (Brazil): 34.151.236.197:443	`cortex-xdr`
`panw-xdr-installers-prod-us.storage.googleapis.com` Used to download installers for upgrade actions from the server. This storage bucket is used for all regions.	IP ranges in GCP Port: 443	`cortex-xdr`
`panw-xdr-payloads-prod-us.storage.googleapis.com` Used to download the executable for the live terminal for XDR agents earlier than version 7.1.0. This storage bucket is used for all regions.	IP ranges in GCP Port: 443	`cortex-xdr`
`global-content-profiles-policy.storage.googleapis.com` Used to download content updates.	IP ranges in GCP Port: 443	`cortex-xdr`
`panw-xdr-evr-prod-<region>.storage.googleapis.com` Used to download extended verdict request results in scanning.	IP ranges in GCP Port: 443	`cortex-xdr`
`https://<region>-docker.pkg.dev` Used to download the Kubernetes image from the registry for Kubernetes agents installation. Note Refer to Regional Docker registry mapping for your specific tenant location and corresponding Docker registry URL.	IP ranges in GCP Port: 443
Regional Docker registry mapping
Tenant location	GCP region	Registry URL
UK Netherlands (EU) United States (US) Canada (CA) South Korea (KR) Singapore (SG) Australia (AU) Japan (JP) India (IN) Germany (DE) France (FR)	europe-west2 europe-west4 us-central1 northamerica-northeast1 asia-northeast3 asia-southeast1 australia-southeast1 asia-northeast1 asia-south1 europe-west3 europe-west9	europe-west2-docker.pkg.dev europe-west4-docker.pkg.dev us-central1-docker.pkg.dev northamerica-northeast1-docker.pkg.dev asia-northeast3-docker.pkg.dev asia-southeast1-docker.pkg.dev australia-southeast1-docker.pkg.dev asia-northeast1-docker.pkg.dev asia-south1-docker.pkg.dev europe-west3-docker.pkg.dev europe-west9-docker.pkg.dev
`dc-<tenant-name>.traps.paloaltonetworks.com` Used for EDR data upload.	IP address by region: US (United States): 34.98.77.231:443 EU (Europe): 34.102.140.103:443 CA (Canada): 34.96.120.25:443 UK (United Kingdom): 35.244.133.254:443 JP (Japan): 34.95.66.187:443 SG (Singapore): 34.120.142.18:443 AU (Australia): 34.102.237.151:443 DE (Germany): 34.107.161.143:443 IN (India): 34.120.213.187:443 DL (Delhi): 136.110.132.208:443 CH (Switzerland): 34.149.180.250:443 PL (Poland): 35.190.13.237:443 TW (Taiwan): 34.149.248.76:443 QT (Qatar): 34.107.129.254:443 FA (France): 34.36.155.211:443 IL (Israel): 34.128.157.130:443 SA (Saudi Arabia): 34.107.213.85:443 ID (Indonesia): 34.128.156.84:443 ES (Spain): 34.120.102.147:443 IT (Italy): 34.8.234.58:443 KR (South Korea): 34.54.155.245:443 ZA (South Africa): 35.190.79.68:443 BR (Brazil): 136.110.146.246:443	`traps-management-service`
`ch-<tenant-name>.traps.paloaltonetworks.com` Used for all other requests between the agent and its tenant server, including heartbeat, uploads, action results, and scan reports.	IP address by region: US (United States): 34.98.77.231:443 EU (Europe): 34.102.140.103:443 CA (Canada): 34.96.120.25:443 UK (United Kingdom): 35.244.133.254:443 JP (Japan): 34.95.66.187:443 SG (Singapore): 34.120.142.18:443 AU (Australia): 34.102.237.151:443 DE (Germany): 34.107.161.143:443 IN (India): 34.120.213.188:443 DL (Delhi): 136.110.132.208:443 CH (Switzerland): 34.149.180.250:443 PL (Poland): 35.190.13.237:443 TW (Taiwan): 34.149.248.76:443 QT (Qatar): 34.107.129.254:443 FA (France): 34.36.155.211:443 IL (Israel): 34.128.157.130:443 SA (Saudi Arabia): 34.107.213.85:443 ID (Indonesia): 34.128.156.84:443 ES (Spain): 34.120.102.147:443 IT (Italy): 34.8.234.58:443 KR (South Korea): 34.54.155.245:443 ZA (South Africa): 35.190.79.68:443 BR (Brazil): 136.110.146.246:443	`traps-management-service`
`api-<tenant-name>.xdr.<region>.paloaltonetworks.com` Used for API requests and responses and to connect to an engine.	IP address by region: US (United States): 35.222.81.194:443 EU (Europe): 34.90.67.58:443 CA (Canada): 35.203.82.121:443 UK (United Kingdom): 34.89.56.78:443 JP (Japan): 34.84.125.129:443 SG (Singapore): 34.87.83.144:443 AU (Australia): 35.189.18.208:443 DE (Germany): 34.107.57.23:443 IN (India): 35.200.158.164:443 DL (Delhi): 34.131.165.103:443 CH (Switzerland): 34.65.248.119:443 PL (Poland): 34.116.216.55:443 TW (Taiwan): 35.234.8.249:443 QT (Qatar): 34.18.46.240:443 FA (France): 34.155.222.152:443 IL (Israel): 34.165.156.139:443 SA (Saudi Arabia): 34.166.58.79:443 ID (Indonesia): 34.128.115.238:443 ES (Spain): 34.175.30.176:443 IT (Italy): 34.154.195.120:443 KR (South Korea): 34.64.54.175:443 ZA (South Africa): 34.35.64.191:443 BR (Brazil): 34.39.136.78:443	—
`cc-<tenant-name>.traps.paloaltonetworks.com` Used for get-verdict requests. Note For agents on endpoints, you must allow the IP address for the closest region to ensure connectivity. Endpoints use latency-based routing. An agent that belongs to a US tenant, for example, but that is physically located in Singapore, routes to Singapore to get the verdict.	IP address by region: US (United States): 35.224.140.142:443 EU (Europe): 34.90.71.103:443 CA (Canada): 35.203.35.23:443 UK (United Kingdom): 34.89.42.214:443 JP (Japan): 34.84.225.105:443 SG (Singapore): 35.247.161.94:443 AU (Australia): 35.201.23.188:443 DE (Germany): 35.242.201.199:443 IN (India): 35.244.57.196:443 DL (Delhi): 34.131.47.126:443 CH (Switzerland): 34.65.137.215:443 PL (Poland): 34.116.213.71:443 TW (Taiwan): 35.229.186.216:443 QT (Qatar): 34.18.53.229:443 FA (France): 34.155.110.169:443 IL (Israel): 34.165.2.110:443 SA (Saudi Arabia): 34.166.53.160:443 ID (Indonesia): 34.101.155.198:443 ES (Spain): 34.175.205.166:443 IT (Italy): 34.154.230.76:443 KR (South Korea): 34.64.228.117:443 ZA (South Africa): 34.35.13.198:443 BR (Brazil): 34.39.195.104:443	`traps-management-service`
Broker VM Resources Required for deployments that use Broker VM features
xdr-ova-installers-prod-us.storage.googleapis.com Used to download Broker VM images from the server. This storage bucket is used for all regions.	IP ranges in GCP Port: 443	`cortex-xdr`
`br-<tenant-name>.xdr.<region>.paloaltonetworks.com`	IP address by region: US (United States): 104.155.131.72:443 EU (Europe): 34.91.128.226:443 CA (Canada): 34.95.8.232:443 UK (United Kingdom): 35.197.219.110:443 JP (Japan):34.85.74.43:443 SG (Singapore): 34.87.167.125:443 AU (Australia): 35.244.93.0:443 DE (Germany): 35.198.112.13:443 IN (India): 35.200.234.99:443 DL (Delhi): 34.131.131.141:443 CH (Switzerland): 34.65.51.103:443 PL (Poland): 34.116.176.97:443 TW (Taiwan): 34.80.230.166:443 QT (Qatar): 34.18.37.73:443 FA (France): 34.155.90.61:443 IL (Israel): 34.165.24.222:443 SA (Saudi Arabia): 34.166.55.153:443 ID (Indonesia): 34.101.101.170:443 ES (Spain): 34.175.182.55:443 IT (Italy): 34.154.168.139:443 KR (South Korea): 34.64.46.249:443 ZA (South Africa): 34.35.45.251:443 BR (Brazil): 35.198.38.182:443	—
`distributions.traps.paloaltonetworks.com`	IP address: 35.223.6.69 Port: 443	`traps-management-service`
`time.google.com` `pool.ntp.org`	UDP port: 123	—
App Login and Authentication
identity.paloaltonetworks.com (SSO)	IP address: 34.120.119.85 Port: 443	—
login.paloaltonetworks.com (SSO)	IP address: 34.102.139.110 Port: 443	—
In-App Help Center and Notifications
data.pendo.io	Port: 443	—
pendo-static-5664029141630976.storage.googleapis.com	Port: 443	—
Email Notifications
—	IP address for all regions: 159.183.150.248	—
Ingress These IPs are used for communication between Cortex XDR and your resources. Use them when sending data out from your tenant.
	US (United States) 34.132.108.184 34.69.63.16 EU (Europe) 34.147.107.51 34.91.26.125 CA (Canada) 35.203.108.13 35.203.101.162 UK (United Kingdom) 35.242.180.163 34.105.173.229 JP (Japan) 35.200.3.131 34.146.181.233 SG (Singapore) 35.240.243.57 34.126.183.208 AU (Australia) 34.151.83.236 34.116.67.90 DE (Germany) 35.234.118.195 34.89.183.45 IN (India) 35.200.175.78 34.93.9.198 CH (Switzerland) 34.65.108.153 34.65.155.169 PL (Poland) 34.118.48.171 34.116.202.235 TW (Taiwan) 34.80.133.68 35.234.18.10 QT (Qatar) 34.18.34.118 34.18.39.155 FA (France) 34.155.5.117 34.155.41.247 IL (Israel) 34.165.33.165 34.165.27.131 SA (Saudi Arabia) 34.166.61.81 34.166.58.213 ID (Indonesia) 34.128.126.138 34.128.82.158 ES (Spain) 34.175.46.46 34.175.80.182 IT (Italy) 34.154.23.156 34.154.186.12 KR (South Korea) 34.64.93.168 34.64.237.45 ZA (South Africa): 34.35.42.196 34.35.79.219	`cortex-xdr`
Outbound IPs for engines
	IP addresses by region US (United States) 35.225.156.101 34.69.88.119 EU (Europe) 34.147.67.188 34.90.16.31 CA (Canada) 35.203.57.162 35.203.90.79 UK (United Kingdom) 34.142.3.42 34.142.44.136 JP (Japan) 34.146.60.215 34.84.93.160 SG (Singapore) 35.240.144.192 35.240.255.15 AU (Australia) 35.244.73.76 35.201.22.63 DE (Germany) 34.107.83.197 34.159.53.97 IN (India) 35.244.5.205 34.93.118.113 DL (Delhi) 34.131.207.151 34.126.212.40 CH (Switzerland) 34.65.222.25 34.65.233.60 PL (Poland) 34.118.92.214 34.116.223.119 TW (Taiwan) 104.199.223.229 34.81.38.132 QT (Qatar) 34.18.39.0 34.18.32.96 FA (France) 34.155.197.131 34.155.5.100 IL (Israel) 34.165.46.47 34.165.17.246 SA (Saudi Arabia) 34.166.58.243 34.166.54.238 ID (Indonesia) 34.101.125.66 34.101.218.184 ES (Spain) 34.175.255.99 34.175.230.35 IT (Italy) 34.154.173.134 34.154.229.60 KR (South Korea) 34.64.189.205 34.64.45.118 ZA (South Africa) 34.35.70.193 34.35.80.189 BR (Brazil) 35.199.96.109 34.39.161.254	—
Collect third-party data from your SaaS and Cloud resources
—	IP address by region. US (United States) 34.66.69.154 35.202.21.123 AU (Australia) 35.197.181.108 35.197.175.44 CA (Canada) 34.95.33.72 34.95.62.136 SG (Singapore) 35.247.148.38 35.247.173.40 JP (Japan) 34.85.68.167 34.84.99.239 IN (India) 34.93.3.196 34.93.175.218 DL (Delhi) 34.131.111.87 34.131.101.138 DE (Germany) 34.89.197.46 34.107.3.224 UK (United Kingdom) 34.105.227.146 34.105.137.22 EU (Europe) 34.90.70.107 35.204.129.196 CH (Switzerland) 34.65.225.124 34.65.89.6 PL (Poland) 34.118.71.237 34.118.124.130 TW (Taiwan) 35.201.142.86 35.189.176.163 QT (Qatar) 34.18.44.71 34.18.30.132 FA (France) 34.163.125.167 34.163.155.105 IL (Israel) 34.165.131.171 34.165.120.206 SA (Saudi Arabia) 34.166.59.20 34.166.53.242 ID (Indonesia) 34.101.158.32 34.101.79.159 ES (Spain) 34.175.27.251 34.175.198.50 IT (Italy) 34.154.208.247 34.154.243.11 KR (South Korea) 34.64.107.163 34.64.84.25 ZA (South Africa): 34.35.69.156 34.35.60.86 BR (Brazil) 34.39.177.125 34.39.140.36	`cortex-xdr`
Log Forwarding to a Syslog Receiver
See Integrate a syslog receiver.

FedRAMP and US Federal Government required resources

The following table lists the required resources for the federal government of the United States, including FQDNs, IP addresses, ports, and App-ID coverage for your deployment:

FQDN	IP Addresses and Port	App-ID Coverage
Egress
	FedRAMP Moderate 34.122.220.113:443 35.223.83.172:443 FedRAMP High 34.136.155.252:443 34.133.46.50:443
Outbound IPs for Engines
	FedRAMP Moderate 34.123.127.174:443 34.71.135.18:443 FedRAMP High 34.123.153.175:443 35.223.253.2:443
`distributions-prod-fed.traps.paloaltonetworks.com` Used for the first request in registration flow where the agent passes the distribution ID and obtains the `ch-<tenant-name>.traps.paloaltonetworks.com` of its tenant	IP address: 104.198.132.24 Port: 443	`traps-management-service`
`wss://lrc-fed.paloaltonetworks.com` Used in live terminal flow.	IP address: 35.188.188.91 Port: 443	`cortex-xdr`
`panw-xdr-installers-prod-fr.storage.googleapis.com` Used to download installers for upgrade actions from the server.	IP ranges in GCP Port: 443	`cortex-xdr`
`panw-xdr-payloads-prod-fr.storage.googleapis.com` Used to download the executable for the live terminal for Cortex XDR agents earlier than version 7.1.0.	IP ranges in GCP Port: 443	`cortex-xdr`
`global-content-profiles-policy-prod-fr.storage.googleapis.com` Used to download content updates.	IP ranges in GCP Port: 443	`cortex-xdr`
`panw-xdr-evr-prod-fr.storage.googleapis.com` Used to download extended verdict request results in scanning.	IP ranges in GCP Port: 443	`cortex-xdr`
`app-proxy.federal.paloaltonetworks.com`	IP address: 35.186.217.42 Port: 443	—
`dc-<tenant-name>.traps.paloaltonetworks.com` Used for EDR data upload.	IP address: 130.211.195.231 Port: 443	`traps-management-service`
`ch-<tenant-name>.traps.paloaltonetworks.com` Used for all other requests between the agent and its tenant server including heartbeat, uploads, action results, and scan reports.	IP address: 130.211.195.231 Port: 443	`traps-management-service`
`api-<tenant-name>.xdr.federal.paloaltonetworks.com` Used for API requests and responses.	IP address: 130.211.195.231 Port: 443	—
`cc-<tenant-name>.traps.paloaltonetworks.com` Used for get-verdict requests.	IP address: 35.222.50.74 Port: 443	`traps-management-service`
Broker VM resources Required for deployments that use Broker VM features
`br-<tenant-name>.xdr.federal.paloaltonetworks.com:443`	IP address: 34.71.185.11 Port: 443	—
`xdr-gateway (Broker VM 3.0 only)`	Port: 443	—
`distributions-prod-fed.traps.paloaltonetworks.com`	IP address: 104.198.132.24 Port: 443	`traps-management-service`
	UDP port: 123	—
App login and authentication
identity.paloaltonetworks.com (SSO)	IP address: 34.107.215.35 Port: 443	—
login.paloaltonetworks.com (SSO)	IP address: 34.107.190.184 Port: 443	—
Collect third-party data from your SaaS and Cloud resources
—	IP addresses 34.68.217.16 34.69.175.202	`cortex-xdr`
Log Forwarding to a Syslog Receiver
See Integrate a syslog receiver.