Depending on your network environment settings, you should enable network access to the Cortex XDR Collectors resources.
To enable access to XDR Collectors components, you must allow access to various Palo Alto Networks resources. If you use the specific Palo Alto Networks App-IDs indicated in the table, you do not need to explicitly allow access to the resource. A dash (-) indicates there is no App-ID coverage for a resource.
Note
Some of the IP addresses required for access are registered in the United States. As a result, some GeoIP databases do not correctly pinpoint the location in which IP addresses are used. All customer data is stored in your deployment region, regardless of the IP address registration, and data transmission through any infrastructure is restricted to that region. For considerations, see Plan and prepare.
Note
Throughout this topic, <xsiam-tenant> refers to the chosen subdomain of your Cortex XSIAM tenant and <region> is the region in which your Strata Logging Service is deployed.
Refer to the following tables for the FQDNs, IP addresses, ports, and App-ID coverage for your deployment.
For IP address ranges in GCP, refer to the following lists for IP address coverage for your deployment.
https://www.gstatic.com/ipranges/goog.json: Refer to this list to look up and allow access to the IP address range subnets.
https://www.gstatic.com/ipranges/cloud.json: Refer to this list to look up and allow access to the IP address ranges associated with your region.
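As an added example (not part of the original documentation), the following Python code filters a document in the cloud.json layout by region scope and collapses the result into CIDR lists for a firewall allowlist. The sample data is constructed from documentation address ranges, and `region_allowlist` and its output keys are hypothetical names; the `prefixes`, `ipv4Prefix`, `ipv6Prefix`, `scope` and `syncToken` fields follow the published file's layout.

```python
import ipaddress
import json

# Constructed sample in the shape of https://www.gstatic.com/ipranges/cloud.json
# (documentation-range prefixes, not real Google ranges).
SAMPLE_CLOUD_JSON = """
{
  "syncToken": "1700000000000",
  "creationTime": "2023-11-14T22:13:20",
  "prefixes": [
    {"ipv4Prefix": "198.51.100.0/25",    "service": "Google Cloud", "scope": "europe-west4"},
    {"ipv4Prefix": "198.51.100.128/25",  "service": "Google Cloud", "scope": "europe-west4"},
    {"ipv4Prefix": "203.0.113.0/24",     "service": "Google Cloud", "scope": "us-central1"},
    {"ipv6Prefix": "2001:db8:4000::/48", "service": "Google Cloud", "scope": "europe-west4"}
  ]
}
"""


def region_allowlist(cloud_json: str, region: str) -> dict:
    """Return collapsed IPv4/IPv6 CIDRs whose scope equals `region` (hypothetical helper)."""
    doc = json.loads(cloud_json)
    v4, v6 = [], []
    for entry in doc.get("prefixes", []):
        if entry.get("scope") != region:
            continue
        # ip_network() rejects malformed CIDRs and CIDRs with host bits set,
        # so a corrupted list fails here instead of reaching the firewall.
        if "ipv4Prefix" in entry:
            v4.append(ipaddress.ip_network(entry["ipv4Prefix"]))
        elif "ipv6Prefix" in entry:
            v6.append(ipaddress.ip_network(entry["ipv6Prefix"]))
    if not v4 and not v6:
        # A mistyped region must not silently produce an empty rule set.
        raise ValueError(f"no prefixes with scope {region!r}")
    return {
        # Compare sync_token between runs to notice a republished list.
        "sync_token": doc.get("syncToken"),
        "ipv4": [str(n) for n in ipaddress.collapse_addresses(v4)],
        "ipv6": [str(n) for n in ipaddress.collapse_addresses(v6)],
    }


if __name__ == "__main__":
    print(json.dumps(region_allowlist(SAMPLE_CLOUD_JSON, "europe-west4"), indent=2))
```

To use it against the live list, download cloud.json separately and pass its text in place of the constructed sample.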
The following table shows the required resources by region.
FQDN | IP addresses and port | App-ID coverage |
---|---|---|
Used to connect to the Cortex XSIAM management console. | IP address by region:<br>Port: 443 | |
Used for the first request in registration flow where the agent passes the distribution ID and obtains the | | |
Used to download installers for upgrade actions from the server. This storage bucket is used for all regions. | | |
Used to download content updates. | | |
Used for all other requests between the agent and its tenant server including heartbeat, uploads, action results, and scan reports. | IP address by region:<br>Port: 443 | |
Used for API requests and responses. | IP address by region:<br>Port: 443 | - |
Log forwarding to a syslog receiver | ||
See Integrate a syslog receiver for information about log forwarding IP addresses per region for syslog receivers. |
The following table lists the required resources for Federal (United States - Government).
FQDN | IP addresses and port | App-ID coverage | Required for XDR Collectors |
---|---|---|---|
Used for the first request in registration flow where the agent passes the distribution ID and obtains the | | | |
Used to download installers for upgrade actions from the server. | | | |
Used to download content updates. | | | |
Used for all other requests between the agent and its tenant server including heartbeat, uploads, action results, and scan reports. | | | |
Used for API requests and responses. | | - | |
Log forwarding to a syslog receiver | |||
See Integrate a syslog receiver for information about log forwarding IP addresses per region for syslog receivers. |