Learn more about enabling network access to the Cortex XSIAM resources.
To enable access to Cortex XSIAM components, you must allow access to various Palo Alto Networks resources. If you use the specific Palo Alto Networks App-IDs indicated in the table, you do not need to explicitly allow access to the resource. A dash (—) indicates there is no App-ID coverage for a resource. Access must be allowed from the agent to the console, but does not need to be bidirectional.
Note
Some of the IP addresses required for access are registered in the United States. As a result, some GeoIP databases do not correctly pinpoint the location in which IP addresses are used. All customer data is stored in your deployment region, regardless of the IP address registration, and restricts data transmission through any infrastructure to that region. For considerations, see Plan Your Cortex Deployment.
Note
Throughout this topic,
refers to the chosen subdomain of your Cortex XSIAM tenant, and <xsiam-tenant>
is the region in which your tenant is deployed (see Plan Your Cortex Deployment for supported regions).<region>
Refer to the following tables for the FQDNs, IP addresses, ports, and App-ID coverage for your deployment.
For IP address ranges in GCP, refer to the following tables for IP address coverage for your deployment:
https://www.gstatic.com/ipranges/goog.json—Refer to this list to look up and allow access to the IP address ranges subnets.
https://www.gstatic.com/ipranges/cloud.json—Refer to this list to look up and allow access to the IP address ranges associated with your region.
FQDN | IP Addresses and Port | App-ID Coverage |
---|---|---|
Used to connect to the Cortex XSIAM management console. | IP address by region.
Port—443 |
|
Used for the first request in registration flow where the agent passes the distribution id and obtains the |
|
|
Used in live terminal flow. | IP address by region.
Port—443 |
|
Used to download installers for upgrade actions from the server. This storage bucket is used for all regions. |
|
|
Used to download the executable for live terminal for XDR agents earlier than version 7.1.0. This storage bucket is used for all regions. |
|
|
Used to download content updates. |
|
|
Used to download extended verdict request results in scanning. |
|
|
Used to download the Kubernetes image from the registry for Kubernetes agents installation. |
| |
Used for EDR data upload. | IP address by region.
Port—443 |
|
Used for all other requests between the agent and its tenant server including heartbeat, uploads, action results, and scan reports. | IP address by region.
Port—443 |
|
Used for API requests and responses. | IP address by region.
Port—443 | — |
Used for get-verdict requests. | IP address by region.
Port—443 |
|
Cortex Gateway UI for activating tenants and managing user permissions | ||
Broker VM Resources Required for deployments that use Broker VM features | ||
xdr-ova-installers-prod-us.storage.googleapis.com Used to download Broker VM images from the server. This storage bucket is used for all regions. |
|
|
| IP address by region.
Port—443 | — |
|
|
|
| UDP port—123 | — |
App Login and Authentication | ||
identity.paloaltonetworks.com (SSO) |
| — |
login.paloaltonetworks.com (SSO) |
| — |
In-App Help Center and Notifications | ||
data.pendo.io | Port—443 | — |
pendo-static-5664029141630976.storage.googleapis.com | Port—443 | — |
Email Notifications | ||
— | IP address for all regions—159.183.150.248 | — |
Egress Used for communication between Cortex XSIAM and customer resources. | ||
— |
| — |
To Collect 3rd Party Data from Customer's SaaS and Cloud resources | ||
— | IP address by region.
|
|
Log Forwarding to a Syslog Receiver | ||
— | — |
FQDN | IP Addresses and Port | App-ID Coverage |
---|---|---|
Used for the first request in registration flow where the agent passes the distribution ID and obtains the |
|
|
Used in live terminal flow. |
|
|
Used to download installers for upgrade actions from the server. |
|
|
Used to download the executable for live terminal for Cortex XDR agents earlier than version 7.1.0. |
|
|
Used to download content updates. |
|
|
Used to download extended verdict request results in scanning. |
|
|
|
| — |
Used for EDR data upload. |
|
|
Used for all other requests between the agent and its tenant server including heartbeat, uploads, action results, and scan reports. |
|
|
Used for API requests and responses. |
| — |
Used for get-verdict requests. |
|
|
Broker VM Resources Required for deployments that use Broker VM features | ||
|
| — |
|
| — |
|
|
|
UDP port—123 | — | |
App Login and Authentication | ||
identity.paloaltonetworks.com (SSO) |
| — |
login.paloaltonetworks.com (SSO) |
| — |
To Collect 3rd Party Data from Customer's SaaS and Cloud resources | ||
— | IP addresses
|
|
Log Forwarding to a Syslog Receiver | ||