Resources required to enable access to XDR Collectors

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-13
Category: Administrator Guide
Abstract

Depending on your network environment settings, you should enable network access to the Cortex XDR Collectors resources.

To enable access to XDR Collectors components, you must allow access to various Palo Alto Networks resources. If you use the specific Palo Alto Networks App-IDs indicated in the table, you do not need to explicitly allow access to the resource. A dash (-) indicates there is no App-ID coverage for a resource.

Note

Some of the IP addresses required for access are registered in the United States. As a result, some GeoIP databases do not correctly pinpoint the location in which the IP addresses are used. All customer data is stored in your deployment region, regardless of where the IP addresses are registered, and data transmission through any infrastructure is restricted to that region. For considerations, see Plan and prepare.

Note

Throughout this topic, <xsiam-tenant> refers to the chosen subdomain of your Cortex XSIAM tenant and <region> is the region in which your Strata Logging Service is deployed.

Refer to the following tables for the FQDNs, IP addresses, ports, and App-ID coverage for your deployment.

For IP address ranges in GCP, refer to the following tables for IP address coverage for your deployment.

The following table shows the required resources by region.

FQDN | IP addresses and port | App-ID coverage

<xsiam-tenant>.xdr.<region>.paloaltonetworks.com

Used to connect to the Cortex XSIAM management console.

IP address by region:

  • US (United States): 35.244.250.18

  • EU (Europe): 35.227.237.180

  • CA (Canada): 34.120.31.199

  • UK (United Kingdom): 34.120.87.77

  • JP (Japan): 35.241.28.254

  • SG (Singapore): 34.117.211.129

  • AU (Australia): 34.120.229.65

  • DE (Germany): 34.98.68.183

  • IN (India): 35.186.207.80

  • CH (Switzerland): 34.111.6.153

  • PL (Poland): 34.117.240.208

  • TW (Taiwan): 34.160.28.41

  • QT (Qatar): 35.190.0.180

  • FA (France): 34.111.134.57

  • IL (Israel): 34.111.129.144

  • SA (Saudi Arabia): 35.244.157.127

  • ID (Indonesia): 34.111.58.152

  • ES (Spain): 34.111.188.248

Port: 443

App-ID coverage: cortex-xdr

distributions.traps.paloaltonetworks.com

Used for the first request in the registration flow, where the agent passes the distribution ID and obtains the ch-<xsiam-tenant>.traps.paloaltonetworks.com of its tenant.

  • IP address: 35.223.6.69

  • Port: 443

App-ID coverage: traps-management-service

panw-xdr-installers-prod-us.storage.googleapis.com

Used to download installers for upgrade actions from the server.

This storage bucket is used for all regions.

  • IP ranges in GCP

  • Port: 443

App-ID coverage: cortex-xdr

global-content-profiles-policy.storage.googleapis.com

Used to download content updates.

  • IP ranges in GCP

  • Port: 443

App-ID coverage: cortex-xdr

ch-<xsiam-tenant>.traps.paloaltonetworks.com

Used for all other requests between the agent and its tenant server including heartbeat, uploads, action results, and scan reports.

IP address by region:

  • US (United States): 34.98.77.231

  • EU (Europe): 34.102.140.103

  • CA (Canada): 34.96.120.25

  • UK (United Kingdom): 35.244.133.254

  • JP (Japan): 34.95.66.187

  • SG (Singapore): 34.120.142.18

  • AU (Australia): 34.102.237.151

  • DE (Germany): 34.107.161.143

  • IN (India): 34.120.213.188

  • CH (Switzerland): 34.149.180.250

  • PL (Poland): 35.190.13.237

  • TW (Taiwan): 34.149.248.76

  • QT (Qatar): 34.107.129.254

  • FA (France): 34.36.155.211

  • IL (Israel): 34.128.157.130

  • SA (Saudi Arabia): 34.107.213.85

  • ID (Indonesia): 34.128.156.84

  • ES (Spain): 34.120.102.147

Port: 443

App-ID coverage: traps-management-service

api-<xsiam-tenant>.xdr.<region>.paloaltonetworks.com

Used for API requests and responses.

IP address by region:

  • US (United States): 35.222.81.194

  • EU (Europe): 34.90.67.58

  • CA (Canada): 35.203.82.121

  • UK (United Kingdom): 34.89.56.78

  • JP (Japan): 34.84.125.129

  • SG (Singapore): 34.87.83.144

  • AU (Australia): 35.189.18.208

  • DE (Germany): 34.107.57.23

  • IN (India): 35.200.158.164

  • CH (Switzerland): 34.65.248.119

  • PL (Poland): 34.116.216.55

  • TW (Taiwan): 35.234.8.249

  • QT (Qatar): 34.18.46.240

  • FA (France): 34.155.222.152

  • IL (Israel): 34.165.156.139

  • SA (Saudi Arabia): 34.166.58.79

  • ID (Indonesia): 34.128.115.238

  • ES (Spain): 34.175.30.176

Port: 443

App-ID coverage: -

Log forwarding to a syslog receiver

See Integrate a syslog receiver for information about log forwarding IP addresses per region for syslog receivers.

The following table lists the required resources for Federal (United States - Government).

FQDN | IP addresses and port | App-ID coverage | Required for XDR Collectors

distributions-prod-fed.traps.paloaltonetworks.com

Used for the first request in the registration flow, where the agent passes the distribution ID and obtains the ch-<xsiam-tenant>.traps.paloaltonetworks.com of its tenant.

  • IP address: 104.198.132.24

  • Port: 443

App-ID coverage: traps-management-service

Required for XDR Collectors: Yes

panw-xdr-installers-prod-fr.storage.googleapis.com

Used to download installers for upgrade actions from the server.

  • IP ranges in GCP

  • Port: 443

App-ID coverage: cortex-xdr

Required for XDR Collectors: Yes

global-content-profiles-policy-prod-fr.storage.googleapis.com

Used to download content updates.

  • IP ranges in GCP

  • Port: 443

App-ID coverage: cortex-xdr

Required for XDR Collectors: Yes

ch-<xsiam-tenant>.traps.paloaltonetworks.com

Used for all other requests between the agent and its tenant server including heartbeat, uploads, action results, and scan reports.

  • IP address: 130.211.195.231

  • Port: 443

App-ID coverage: traps-management-service

Required for XDR Collectors: Yes

api-<xsiam-tenant>.xdr.federal.paloaltonetworks.com

Used for API requests and responses.

  • IP address: 130.211.195.231

  • Port: 443

App-ID coverage: -

Required for XDR Collectors: Yes

Log forwarding to a syslog receiver

See Integrate a syslog receiver for information about log forwarding IP addresses per region for syslog receivers.
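
A pre-flight check for the resources listed in both tables, added here as an example (not Palo Alto Networks code): it expands the FQDN templates for a tenant, resolves each name, compares the two registration hosts against their single documented address, and attempts a TCP connection on port 443. The function names, status labels and the `--federal` switch are assumptions of this example, and the tenant and region values shown are constructed.

```python
import socket
import sys

PORT = 443  # every resource in the tables above is reached on TCP 443
DOCUMENTED_IP = {"distributions.traps.paloaltonetworks.com": "35.223.6.69",
                 "distributions-prod-fed.traps.paloaltonetworks.com": "104.198.132.24"}

def required_endpoints(tenant, region, federal=False):
    """Expand the FQDN templates from the tables for one tenant."""
    if federal:
        return ["distributions-prod-fed.traps.paloaltonetworks.com",
                "panw-xdr-installers-prod-fr.storage.googleapis.com",
                "global-content-profiles-policy-prod-fr.storage.googleapis.com",
                f"ch-{tenant}.traps.paloaltonetworks.com",
                f"api-{tenant}.xdr.federal.paloaltonetworks.com"]
    return [f"{tenant}.xdr.{region}.paloaltonetworks.com",
            "distributions.traps.paloaltonetworks.com",
            "panw-xdr-installers-prod-us.storage.googleapis.com",
            "global-content-profiles-policy.storage.googleapis.com",
            f"ch-{tenant}.traps.paloaltonetworks.com",
            f"api-{tenant}.xdr.{region}.paloaltonetworks.com"]

def _resolve(fqdn):
    infos = socket.getaddrinfo(fqdn, PORT, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def _connect(ip, timeout=5.0):
    socket.create_connection((ip, PORT), timeout=timeout).close()

def check_endpoint(fqdn, expected_ip=None, resolve=_resolve, connect=_connect):
    """Return (status, ips); status is DNS_FAIL, IP_MISMATCH, BLOCKED or OK."""
    try:
        ips = resolve(fqdn)
    except OSError:                  # socket.gaierror is an OSError
        ips = []
    if not ips:
        return "DNS_FAIL", []
    if expected_ip and expected_ip not in ips:
        return "IP_MISMATCH", ips    # proxy, split DNS, or a stale table entry
    try:
        connect(expected_ip or ips[0])
    except OSError:                  # refused, reset, or timed out in transit
        return "BLOCKED", ips
    return "OK", ips

if __name__ == "__main__":
    tenant, region = sys.argv[1:3]   # e.g. "acme" "us" (constructed values)
    for fqdn in required_endpoints(tenant, region, "--federal" in sys.argv):
        status, ips = check_endpoint(fqdn, DOCUMENTED_IP.get(fqdn))
        print(f"{status:12} {fqdn} {','.join(ips)}")
```

A successful TCP connect shows only that port 443 is reachable from the collector host; it does not exercise TLS or any application-layer rule.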