

Learn best practices and recommendations for securing Palo Alto Networks Panorama and Log Collector communications.

As a general recommendation, management interfaces for Panorama and Log Collectors should not have direct Internet access without a security device such as a Palo Alto Networks firewall inline. It is generally suggested to allow Panorama or Log Collector communication ports and applications to or from specific IP address(es) if known and deny all else. This post outlines the expected protocols and ports for Panorama and Log Collectors.

Expected Communications from Panorama and Log Collectors

It is important to understand what traffic and protocols are expected to and from Panorama and Log Collectors so that proper firewall rules can be applied in order to provide protection bi-directionally and block unexpected traffic.

Please review your server profile configurations to determine if non-standard ports are used in your environment. The default ports for these services are listed in the table below. Please note that ports for user-defined services like external authentication and syslog servers are user-controlled. Below is a table of all inbound and outbound communication to and from Panorama or Log Collectors. If certain ports or protocols are not leveraged, then it is not necessary to allow such traffic.

- Port used to send logs to a syslog server if you Configure Syslog Monitoring, and the ports that the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages.
- Panorama uses port 444 to connect to Cortex Data Lake for other log query and validity checks.
- ZTP service traffic for Palo Alto Networks devices. Also used for outbound communications from Panorama such as for content updates.
- Used for communication from a client system to the Panorama web interface.
- Should only be allowed to trusted LDAP services. Used when LDAP authentication is configured on Panorama.
- Port used to Forward SNMP traps to an SNMP Manager.
- Port the Panorama listens on for polling requests (GET messages) from the SNMP manager.
- Should only be allowed to trusted Kerberos services. Used when Kerberos authentication is configured on Panorama.
- Used for all common traffic shared by various services from Palo Alto Networks.
- Should only be allowed to trusted TACACS+ services. Used when TACACS+ authentication is configured on Panorama.
- Used for communication between Log Collectors in a Collector Group for log distribution. Communication can be initiated by either peer.
- Used for the HA connectivity and synchronization between Panorama HA peers using encrypted communication (SSH over TCP).
- Should only be allowed to trusted mail services. Used when email log alerts are configured from Panorama.
- Used for communication from a client system to the Panorama CLI interface and for SCP outbound.
