FedRamp and the US Federal Government required resources - Administrator Guide - Cortex XSIAM - Cortex

FedRamp and the US Federal Government required resources - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product

Cortex XSIAM

Creation date

2025-07-15

Last date published

2026-06-11

Category

Administrator Guide

The following table lists the required resources for the federal government of the United States, including FQDNs, IP addresses, ports, and App-ID coverage for your deployment:

All ports are 443 unless otherwise specified.

Source	Compliance level	IP Addresses
Egress	FedRAMP Moderate	34.122.220.113, 35.223.83.172
Egress	FedRAMP High	34.136.155.252, 34.133.46.50
Outbound IPs for Engines	FedRAMP Moderate	34.123.127.174:443, 34.71.135.18:443
Outbound IPs for Engines	FedRAMP High	34.123.153.175:443, 35.223.253.2:443

These resources handle agent registration, heartbeats, data uploads, and API connections. All ports are 443 unless specified otherwise.

Resource/Function	FQDN	IP Address & Port	App-ID
Initial registration Used for the first request in registration flow where the agent passes the distribution ID and obtains the `ch-<tenant-name>.traps.paloaltonetworks.com` of its tenant	`distributions-prod-fed.traps.paloaltonetworks.com`	104.198.132.24	`traps-management-service`
Agent heartbeat and data upload Used for all other requests between the agent and its tenant server, including heartbeat, uploads, action results, and scan reports.	`ch-<tenant-name>.traps.paloaltonetworks.com`	130.211.195.231	`traps-management-service`
EDR data upload Used for EDR data upload.	`dc-<tenant-name>.traps.paloaltonetworks.com`	130.211.195.231	`traps-management-service`
API gateway Used for API requests and responses.	`api-<tenant-name>.xdr.federal.paloaltonetworks.com`	130.211.195.231	N/a
Verdict requests Used for get-verdict requests.	`cc-<tenant-name>.traps.paloaltonetworks.com`	35.222.50.74	`traps-management-service`
Live terminal Used in live terminal flow.	`wss://lrc-fed.paloaltonetworks.com`	35.188.188.91	`cortex-xdr`
App proxy	`app-proxy.federal.paloaltonetworks.com`	35.186.217.42	N/a

These resources are hosted on Google Cloud Platform. All ports are 443 unless otherwise specified.

Resource/function	FQDN	IP Addresses	App-ID
Installers Used to download installers for upgrade actions from the server.	`panw-xdr-installers-prod-fr.storage.googleapis.com`	IP ranges in GCP	`cortex-xdr`
Legacy payloads Used to download the executable for the live terminal for Cortex XDR agents earlier than version 7.1.0.	`panw-xdr-payloads-prod-fr.storage.googleapis.com`	IP ranges in GCP	`cortex-xdr`
Content updates Used to download content updates.	`global-content-profiles-policy-prod-fr.storage.googleapis.com`	IP ranges in GCP	`cortex-xdr`
Scanning verdicts Used to download extended verdict request results in scanning.	`panw-xdr-evr-prod-fr.storage.googleapis.com`	IP ranges in GCP	`cortex-xdr`

Required only for deployments utilizing Broker VM features. All ports are 443, unless otherwise stated.

Resource/Function	FQDN	IP Addresses	App-ID
Broker connection	`br-<tenant-name>.xdr.federal.paloaltonetworks.com`	34.71.185.11	N/a
Registration Used for the first request in the registration flow, for Broker VMs to obtain their specific connection URLs.	`distributions-prod-fed.traps.paloaltonetworks.com`	104.198.132.24	`traps-management-service`
XSIAM gateway Broker VM 3.0 and above	`xsiam-gateway`	N/a	N/a
Time sync (NTP) Used by the Broker VM to ensure accurate timestamping for forwarded logs.	N/a	UDP port 123	N/a

Required for administrator login and Single Sign-On. All ports are 443 unless specified

Resource	FQDN	IP Addresses and Port	App-ID
Identity service	`identity.paloaltonetworks.com`	34.107.215.35	N/a
Login service	`login.paloaltonetworks.com`	34.107.190.184	N/a