Resources Required to Enable Access - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-12-12
Category
Administrator Guide
Abstract

Learn more about enabling network access to the Cortex XSIAM resources.

To enable access to Cortex XSIAM components, you must allow access to various Palo Alto Networks resources. If you use the specific Palo Alto Networks App-IDs indicated in the table, you do not need to explicitly allow access to the resource. A dash (—) indicates there is no App-ID coverage for a resource. Access must be allowed from the agent to the console, but does not need to be bidirectional.

 

Note

Some of the IP addresses required for access are registered in the United States. As a result, some GeoIP databases do not correctly pinpoint the location in which IP addresses are used. All customer data is stored in your deployment region, regardless of the IP address registration, and restricts data transmission through any infrastructure to that region. For considerations, see Plan Your Cortex Deployment.

Note

Throughout this topic, <xsiam-tenant> refers to the chosen subdomain of your Cortex XSIAM tenant, and <region> is the region in which your tenant is deployed (see Plan Your Cortex Deployment for supported regions).

Refer to the following tables for the FQDNs, IP addresses, ports, and App-ID coverage for your deployment.

For IP address ranges in GCP, refer to the following tables for IP address coverage for your deployment:

FQDN

IP Addresses and Port

App-ID Coverage

<xsiam-tenant>.xdr.<region>.paloaltonetworks.com 

Used to connect to the Cortex XSIAM management console.

IP address by region.

  • US (United States)—35.244.250.18

  • EU (Europe)— 35.227.237.180

  • CA (Canada)—34.120.31.199

  • UK (United Kingdom)— 34.120.87.77

  • JP (Japan)—35.241.28.254

  • SG (Singapore)— 34.117.211.129

  • AU (Australia)—34.120.229.65

  • DE (Germany)—34.98.68.183

  • IN (India)—35.186.207.80

  • CH (Switzerland)—34.111.6.153

  • PL (Poland)—34.117.240.208

  • TW (Taiwan)—34.160.28.41

  • QT (Qatar)—35.190.0.180

  • FA (France)—34.111.134.57

  • IL (Israel)—34.111.129.144

  • SA (Saudi Arabia)—35.244.157.127

  • ID (Indonesia)—34.111.58.152

  • ES (Spain)—34.111.188.248

Port—443

cortex-xdr 

distributions.traps.paloaltonetworks.com 

Used for the first request in registration flow where the agent passes the distribution id and obtains the ch-<xsiam-tenant>.traps.paloaltonetworks.com of its tenant

  • IP address—35.223.6.69

  • Port—443

traps-management-service 

wss://lrc-<region>.paloaltonetworks.com 

Used in live terminal flow.

IP address by region.

  • US (United States)—35.190.88.43

  • EU (Europe)—35.244.251.25

  • CA (Canada)—35.203.99.74

  • UK (United Kingdom)—35.242.159.176

  • JP (Japan)—34.84.201.32

  • SG (Singapore)—34.87.61.186

  • AU (Australia)—35.244.66.177

  • DE (Germany)—34.107.61.141

  • IN (India)—35.200.146.253

  • CH (Switzerland)—34.65.213.226

  • PL (Poland)—34.118.62.80

  • TW (Taiwan)—34.80.34.30

  • QT (Qatar)—34.18.34.73

  • FA (France)—34.163.57.57

  • IL (Israel)—34.165.43.106

  • SA (Saudi Arabia)—34.166.54.6

  • ID (Indonesia)—34.101.214.157

  • ES (Spain)—34.175.18.78

Port—443

cortex-xdr 

panw-xdr-installers-prod-us.storage.googleapis.com 

Used to download installers for upgrade actions from the server.

This storage bucket is used for all regions. 

  • IP ranges in GCP

  • Port—443

cortex-xdr 

panw-xdr-payloads-prod-us.storage.googleapis.com 

Used to download the executable for live terminal for XDR agents earlier than version 7.1.0.

This storage bucket is used for all regions. 

  • IP ranges in GCP

  • Port—443

cortex-xdr 

global-content-profiles-policy.storage.googleapis.com 

Used to download content updates.

  • IP ranges in GCP

  • Port—443

cortex-xdr 

panw-xdr-evr-prod-<region>.storage.googleapis.com 

Used to download extended verdict request results in scanning.

  • IP ranges in GCP

  • Port—443

cortex-xdr 

https://<region>-docker.pkg.dev 

Used to download the Kubernetes image from the registry for Kubernetes agents installation.

  • IP ranges in GCP

  • Port—443

dc-<xsiam-tenant>.traps.paloaltonetworks.com 

Used for EDR data upload.

IP address by region.

  • US (United States)—34.98.77.231

  • EU (Europe)—34.102.140.103

  • CA (Canada)—34.96.120.25

  • UK (United Kingdom)—35.244.133.254

  • JP (Japan)—34.95.66.187

  • SG (Singapore)—34.120.142.18

  • AU (Australia)—34.102.237.151

  • DE (Germany)—34.107.161.143

  • IN (India)—34.120.213.187

  • CH (Switzerland)—34.149.180.250

  • PL (Poland)—35.190.13.237

  • TW (Taiwan)—34.149.248.76

  • QT (Qatar)—34.107.129.254

  • FA (France)—34.36.155.211

  • IL (Israel)—34.128.157.130

  • SA (Saudi Arabia)—34.107.213.85

  • ID (Indonesia)—34.128.156.84

  • ES (Spain)—34.120.102.147

Port—443

traps-management-service 

ch-<xsiam-tenant>.traps.paloaltonetworks.com 

Used for all other requests between the agent and its tenant server including heartbeat, uploads, action results, and scan reports.

IP address by region.

  • US (United States)—34.98.77.231

  • EU (Europe)—34.102.140.103

  • CA (Canada)— 34.96.120.25

  • UK (United Kingdom)—35.244.133.254

  • JP (Japan)—34.95.66.187

  • SG (Singapore)—34.120.142.18

  • AU (Australia)—34.102.237.151

  • DE (Germany)—34.107.161.143

  • IN (India)—34.120.213.188

  • CH (Switzerland)—34.149.180.250

  • PL (Poland)—35.190.13.237

  • TW (Taiwan)—34.149.248.76

  • QT (Qatar)—34.107.129.254

  • FA (France)—34.36.155.211

  • IL (Israel)—34.128.157.130

  • SA (Saudi Arabia)—34.107.213.85

  • ID (Indonesia)—34.128.156.84

  • ES (Spain)—34.120.102.147

Port—443

traps-management-service 

api-<xsiam-tenant>.xdr.<region>.paloaltonetworks.com 

Used for API requests and responses.

IP address by region.

  • US (United States)—35.222.81.194

  • EU (Europe)— 34.90.67.58

  • CA (Canada)—35.203.82.121

  • UK (United Kingdom)— 34.89.56.78

  • JP (Japan)—34.84.125.129

  • SG (Singapore)—34.87.83.144

  • AU (Australia)—35.189.18.208

  • DE (Germany)—34.107.57.23

  • IN (India)—35.200.158.164

  • CH (Switzerland)—34.65.248.119

  • PL (Poland)—34.116.216.55

  • TW (Taiwan)—35.234.8.249

  • QT (Qatar)—34.18.46.240

  • FA (France)—34.155.222.152

  • IL (Israel)—34.165.156.139

  • SA (Saudi Arabia)—34.166.58.79

  • ID (Indonesia)—34.128.115.238

  • ES (Spain)—34.175.30.176

Port—443

cc-<xsiam-tenant>.traps.paloaltonetworks.com 

Used for get-verdict requests.

IP address by region.

  • US (United States)—35.224.140.142

  • EU (Europe)—34.90.71.103

  • CA (Canada)—35.203.35.23

  • UK (United Kingdom)—34.89.42.214

  • JP (Japan)—34.84.225.105

  • SG (Singapore)—35.247.161.94

  • AU (Australia)—35.201.23.188

  • DE (Germany)—35.242.201.199

  • IN (India)—35.244.57.196

  • CH (Switzerland)—34.65.137.215

  • PL (Poland)—34.116.213.71

  • TW (Taiwan)—35.229.186.216

  • QT (Qatar)—34.18.53.229

  • FA (France)—34.155.110.169

  • IL (Israel)—34.165.2.110

  • SA (Saudi Arabia)—34.166.53.160

  • ID (Indonesia)—34.101.155.198

  • ES (Spain)—34.175.30.176

Port—443

traps-management-service 

https://cortex-gateway.paloaltonetworks.com/ 

Cortex Gateway UI for activating tenants and managing user permissions

Broker VM Resources 

Required for deployments that use Broker VM features

xdr-ova-installers-prod-us.storage.googleapis.com

Used to download Broker VM images from the server.

This storage bucket is used for all regions. 

  • IP ranges in GCP

  • Port—443

cortex-xdr 

br-<xsiam-tenant>.xdr.<region>.paloaltonetworks.com 

IP address by region.

  • US (United States)—104.155.131.72

  • EU (Europe)— 34.91.128.226

  • CA (Canada)— 34.95.8.232

  • UK (United Kingdom)—35.197.219.110

  • JP (Japan)— 34.85.74.43

  • SG (Singapore)—34.87.167.125

  • AU (Australia)—35.244.93.0

  • DE (Germany)—35.198.112.13

  • IN (India)—35.200.234.99

  • CH (Switzerland)—34.65.51.103

  • PL (Poland)—34.116.176.97

  • TW (Taiwan)—34.80.230.166

  • QT (Qatar)—34.18.37.73

  • FA (France)—34.155.90.61

  • IL (Israel)—34.165.24.222

  • SA (Saudi Arabia)—34.166.55.153

  • ID (Indonesia)—34.101.101.170

  • ES (Spain)—34.175.182.55

Port—443

distributions.traps.paloaltonetworks.com 

  • IP address—35.223.6.69

  • Port—443

traps-management-service 

  •  time.google.com 

  • pool.ntp.org 

UDP port—123

App Login and Authentication 

identity.paloaltonetworks.com

(SSO)

  • IP address—34.107.215.35

  • Port—443

login.paloaltonetworks.com

(SSO)

  • IP address—34.107.190.184

  • Port—443

In-App Help Center and Notifications 

data.pendo.io

Port—443

pendo-static-5664029141630976.storage.googleapis.com

Port—443

Email Notifications 

IP address for all regions—159.183.150.248

 

Egress 

Used for communication between Cortex XSIAM and customer resources.

 

  • US (United States)

    • 35.225.156.101

    • 34.69.88.119

  • EU (Europe)

    • 34.147.67.188

    • 34.90.16.31

  • CA (Canada)

    • 35.203.57.162

    • 35.203.90.79

  • UK (United Kingdom)

    • 34.142.3.42

    • 34.142.44.136

  • JP (Japan)

    • 34.146.60.215

    • 34.84.93.160

  • SG (Singapore)

    • 35.240.144.192

    • 35.240.255.15

  • AU (Australia)

    • 35.244.73.76

    • 35.201.22.63

  • DE (Germany)

    • 34.107.83.197

    • 34.159.53.97

  • IN (India)

    • 34.93.118.113

    • 35.244.5.205

  • CH (Switzerland)

    • 34.65.233.60

    • 34.65.222.25

  • PL (Poland)

    • 34.116.223.119

    • 34.118.92.214

  • TW (Taiwan)

    • 104.199.223.229

    • 34.81.38.132

  • QT (Qatar)

    • 34.18.39.0

    • 34.18.32.96

  • FA (France)

    • 34.155.197.131

    • 34.155.5.100

  • IL (Israel)

    • 34.165.33.165

    • 34.165.27.131

  • SA (Saudi Arabia)

    • 34.166.58.213

    • 34.166.61.81

  • ID (Indonesia)

    • 34.101.125.66

    • 34.101.218.184

  • ES (Spain)

    • 34.175.255.99

    • 34.175.230.35

To Collect 3rd Party Data from Customer's SaaS and Cloud resources 

IP address by region.

  • US (United States)

    • 34.66.69.154

    • 35.202.21.123

  • AU (Australia)

    • 35.197.181.108

    • 35.197.175.44

  • CA (Canada)

    • 34.95.33.72

    • 34.95.62.136

  • SG (Singapore)

    • 35.247.148.38

    • 35.247.173.40

  • JP (Japan)

    • 34.85.68.167

    • 34.84.99.239

  • IN (India)

    • 34.93.3.196

    • 34.93.175.218

  • DE (Germany)

    • 34.89.197.46

    • 34.107.3.224

  • UK (United Kingdom)

    • 34.105.227.146

    • 34.105.137.22

  • EU (Europe)

    • 34.90.70.107

    • 35.204.129.196

  • CH (Switzerland)

    • 34.65.225.124

    • 34.65.89.6

  • PL (Poland)

    • 34.118.71.237

    • 34.118.124.130

  • TW (Taiwan)

    • 35.201.142.86

    • 35.189.176.163

  • QT (Qatar)

    • 34.18.44.71

    • 34.18.30.132

  • FA (France)

    • 34.163.125.167

    • 34.163.155.105

  • IL (Israel)

    • 34.165.131.171

    • 34.165.120.206

  • SA (Saudi Arabia)

    • 34.166.59.20

    • 34.166.53.242

  • ID (Indonesia)

    • 34.101.158.32

    • 34.101.79.159

  • ES (Spain)

    • 34.175.27.251

    • 34.175.198.50

cortex-xdr 

Log Forwarding to a Syslog Receiver 

See Integrate a Syslog Receiver.

Table 1. Required Resources for Federal (United States - Government)

FQDN

IP Addresses and Port

App-ID Coverage

distributions-prod-fed.traps.paloaltonetworks.com 

Used for the first request in registration flow where the agent passes the distribution ID and obtains the ch-<xsiam-tenant>.traps.paloaltonetworks.com of its tenant

  • IP address—104.198.132.24

  • Port—443

traps-management-service 

wss://lrc-fed.paloaltonetworks.com 

Used in live terminal flow.

  • IP address—35.188.188.91

  • Port—443

cortex-xdr 

panw-xdr-installers-prod-fr.storage.googleapis.com 

Used to download installers for upgrade actions from the server.

  • IP ranges in GCP

  • Port—443

cortex-xdr 

panw-xdr-payloads-prod-fr.storage.googleapis.com 

Used to download the executable for live terminal for Cortex XDR agents earlier than version 7.1.0.

  • IP ranges in GCP

  • Port—443

cortex-xdr 

global-content-profiles-policy-prod-fr.storage.googleapis.com 

Used to download content updates.

  • IP ranges in GCP

  • Port—443

cortex-xdr 

panw-xdr-evr-prod-fr.storage.googleapis.com 

Used to download extended verdict request results in scanning.

  • IP ranges in GCP

  • Port—443

cortex-xdr 

app-proxy.federal.paloaltonetworks.com 

  • IP address—35.186.217.42

  • Port—443

dc-<xsiam-tenant>.traps.paloaltonetworks.com 

Used for EDR data upload.

  • IP address—130.211.195.231

  • Port—443

traps-management-service 

ch-<xsiam-tenant>.traps.paloaltonetworks.com 

Used for all other requests between the agent and its tenant server including heartbeat, uploads, action results, and scan reports.

  • IP address—130.211.195.231

  • Port—443

traps-management-service 

api-<xsiam-tenant>.xdr.federal.paloaltonetworks.com 

Used for API requests and responses.

  • IP address—130.211.195.231

  • Port—443

cc-<xsiam-tenant>.traps.paloaltonetworks.com 

Used for get-verdict requests.

  • IP address—35.222.50.74

  • Port—443

traps-management-service 

Broker VM Resources 

Required for deployments that use Broker VM features

br-<xsiam-tenant>.xdr.federal.paloaltonetworks.com:443 

  • IP address—34.71.185.11

  • Port—443

 xsiam-gateway (Broker VM 3.0 only) 

  • Port—443

distributions-prod-fed.traps.paloaltonetworks.com 

  • IP address—104.198.132.24

  • Port—443

traps-management-service 

UDP port—123

App Login and Authentication 

identity.paloaltonetworks.com

(SSO)

  • IP address—34.107.215.35

  • Port—443

login.paloaltonetworks.com

(SSO)

  • IP address—34.107.190.184

  • Port—443

To Collect 3rd Party Data from Customer's SaaS and Cloud resources 

IP addresses

  • 34.68.217.16

  • 34.69.175.202

cortex-xdr 

Log Forwarding to a Syslog Receiver 

See Integrate a Syslog Receiver.