Resources Required to Enable Access to XDR Collectors

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-10-31
Last date published: 2024-03-19
Category: Administrator Guide

Abstract

Depending on your network environment settings, you should enable network access to the Cortex XDR Collectors resources.

To enable access to XDR Collectors components, you must allow access to various Palo Alto Networks resources. If you use the specific Palo Alto Networks App-IDs indicated in the table, you do not need to explicitly allow access to the resource. A dash (—) indicates there is no App-ID coverage for a resource.

Note

Some of the IP addresses required for access are registered in the United States. As a result, some GeoIP databases do not correctly pinpoint the location in which IP addresses are used. All customer data is stored in your deployment region, regardless of the IP address registration, and data transmission through any infrastructure is restricted to that region. For considerations, see Plan Your Deployment.

Note

Throughout this topic, <xdr-tenant> refers to the chosen subdomain of your Cortex XDR tenant and <region> is the region in which your Strata Logging Service is deployed.

Refer to the following tables for the FQDNs, IP addresses, ports, and App-ID coverage for your deployment.

For IP address ranges in GCP, refer to the following tables for IP address coverage for your deployment.

Table 3. Required Resources by Region

Each entry lists: FQDN, IP Addresses and Port, App-ID Coverage.

FQDN: <xdr-tenant>.xdr.<region>.paloaltonetworks.com
Used to connect to the Cortex XDR management console.
IP Addresses and Port:
IP address by region:
  • US—35.244.250.18
  • EU—35.227.237.180
  • CA—34.120.31.199
  • UK—34.120.87.77
  • JP—35.241.28.254
  • SG—34.117.211.129
  • AU—34.120.229.65
  • DE—34.98.68.183
  • IN—35.186.207.80
  • CH—34.111.6.153
  • PL—34.117.240.208
  • TW—34.160.28.41
  • QT—35.190.0.180
  • FA—34.111.134.57
  • IL—34.111.129.144
Port—443
App-ID Coverage: cortex-xdr

FQDN: distributions.traps.paloaltonetworks.com
Used for the first request in registration flow where the agent passes the distribution ID and obtains the ch-<xdr-tenant>.traps.paloaltonetworks.com of its tenant.
IP Addresses and Port:
  • IP address—35.223.6.69
  • Port—443
App-ID Coverage: traps-management-service

FQDN: panw-xdr-installers-prod-us.storage.googleapis.com
Used to download installers for upgrade actions from the server.
This storage bucket is used for all regions.
IP Addresses and Port:
  • IP ranges in GCP
  • Port—443
App-ID Coverage: cortex-xdr

FQDN: global-content-profiles-policy.storage.googleapis.com
Used to download content updates.
IP Addresses and Port:
  • IP ranges in GCP
  • Port—443
App-ID Coverage: cortex-xdr

FQDN: ch-<xdr-tenant>.traps.paloaltonetworks.com
Used for all other requests between the agent and its tenant server including heartbeat, uploads, action results, and scan reports.
IP Addresses and Port:
IP address by region:
  • US—34.98.77.231
  • EU—34.102.140.103
  • CA—34.96.120.25
  • UK—35.244.133.254
  • JP—34.95.66.187
  • SG—34.120.142.18
  • AU—34.102.237.151
  • DE—34.107.161.143
  • IN—34.120.213.188
  • CH—34.149.180.250
  • PL—35.190.13.237
  • TW—34.149.248.76
  • QT—34.107.129.254
  • FA—34.36.155.211
  • IL—34.128.157.130
Port—443
App-ID Coverage: traps-management-service

FQDN: api-<xdr-tenant>.xdr.<region>.paloaltonetworks.com
Used for API requests and responses.
IP Addresses and Port:
IP address by region:
  • US—35.222.81.194
  • EU—34.90.67.58
  • CA—35.203.82.121
  • UK—34.89.56.78
  • JP—34.84.125.129
  • SG—34.87.83.144
  • AU—35.189.18.208
  • DE—34.107.57.23
  • IN—35.200.158.164
  • CH—34.65.248.119
  • PL—34.116.216.55
  • TW—35.234.8.249
  • QT—34.18.46.240
  • FA—34.155.222.152
  • IL—34.165.156.139
Port—443

Log Forwarding to a Syslog Receiver
See Integrate a Syslog Receiver.
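
A pre-deployment reachability check for the Table 3 resources, as an added example that is not part of the Palo Alto Networks guide: it expands the FQDN patterns for one tenant, compares each resolved address with the IP documented above, and tests TCP 443. The tenant name `acme`, the lowercase region label `us`, and all function and status names are assumptions; the IP addresses are the US values from the table.

```python
import socket

PORT = 443  # every resource in Table 3 is reached on TCP 443
# US values copied from Table 3; replace with the rows for your region.
US_IPS = {"console": "35.244.250.18", "ch": "34.98.77.231", "api": "35.222.81.194"}

def required_endpoints(tenant, region, ips):
    """Expand the Table 3 FQDN patterns into (fqdn, documented_ip_or_None) pairs."""
    return [
        (f"{tenant}.xdr.{region}.paloaltonetworks.com", ips.get("console")),
        ("distributions.traps.paloaltonetworks.com", "35.223.6.69"),
        ("panw-xdr-installers-prod-us.storage.googleapis.com", None),   # IP ranges in GCP
        ("global-content-profiles-policy.storage.googleapis.com", None),  # IP ranges in GCP
        (f"ch-{tenant}.traps.paloaltonetworks.com", ips.get("ch")),
        (f"api-{tenant}.xdr.{region}.paloaltonetworks.com", ips.get("api")),
    ]

def resolve_a(fqdn):
    """Return the sorted IPv4 addresses for fqdn, or [] if resolution fails."""
    try:
        return sorted(set(socket.gethostbyname_ex(fqdn)[2]))
    except OSError:
        return []

def tcp_open(host, port, timeout=5):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check(endpoints, resolve=resolve_a, connect=tcp_open):
    """Return {fqdn: status}; resolve/connect are injectable so the logic runs offline."""
    report = {}
    for fqdn, documented_ip in endpoints:
        addrs = resolve(fqdn)
        if not addrs:
            report[fqdn] = "dns-failed"
        elif documented_ip and documented_ip not in addrs:
            report[fqdn] = "ip-mismatch (resolved " + ", ".join(addrs) + ")"
        elif not connect(fqdn, PORT):
            report[fqdn] = "blocked-443"
        else:
            report[fqdn] = "ok"
    return report

if __name__ == "__main__":
    # "acme" and "us" are placeholder tenant and region values (assumptions).
    for name, status in check(required_endpoints("acme", "us", US_IPS)).items():
        print(f"{status:14} {name}")
```

An `ip-mismatch` result means an IP-based firewall rule built from the table would not match the address this host actually resolves, so review DNS and proxy settings before installing the collector.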


Table 4. Required Resources for Federal (United States - Government)

Each entry lists: FQDN, IP Addresses and Port, App-ID Coverage, Required for Cortex XDR Collectors.

FQDN: distributions-prod-fed.traps.paloaltonetworks.com
Used for the first request in registration flow where the agent passes the distribution ID and obtains the ch-<xdr-tenant>.traps.paloaltonetworks.com of its tenant.
IP Addresses and Port:
  • IP address—104.198.132.24
  • Port—443
App-ID Coverage: traps-management-service
Required for Cortex XDR Collectors: Yes

FQDN: panw-xdr-installers-prod-fr.storage.googleapis.com
Used to download installers for upgrade actions from the server.
IP Addresses and Port:
  • IP ranges in GCP
  • Port—443
App-ID Coverage: cortex-xdr
Required for Cortex XDR Collectors: Yes

FQDN: global-content-profiles-policy-prod-fr.storage.googleapis.com
Used to download content updates.
IP Addresses and Port:
  • IP ranges in GCP
  • Port—443
App-ID Coverage: cortex-xdr
Required for Cortex XDR Collectors: Yes

FQDN: ch-<xdr-tenant>.traps.paloaltonetworks.com
Used for all other requests between the agent and its tenant server including heartbeat, uploads, action results, and scan reports.
IP Addresses and Port:
  • IP address—130.211.195.231
  • Port—443
App-ID Coverage: traps-management-service
Required for Cortex XDR Collectors: Yes

FQDN: api-<xdr-tenant>.xdr.federal.paloaltonetworks.com
Used for API requests and responses.
IP Addresses and Port:
  • IP address—130.211.195.231
  • Port—443
Required for Cortex XDR Collectors: Yes

Log Forwarding to a Syslog Receiver
See Integrate a Syslog Receiver.