Access to External Web Services Required by Dynamic Updates and WildFire

The Palo Alto Networks network security platform requires access to a few specific services in order to perform Dynamic Updates and WildFire functions.  When deployed behind existing firewalls or proxy servers, these external resources and services must be accessible from the management interface of the Palo Alto Networks platform.  If traffic flows are traversing a Palo Alto Networks platform, the following applications may need to be included in the security rulebase:  paloalto-updates, pan-db-cloud, paloalto-wildfire-cloud, and brightcloud.

Application, Threat and Anti-Virus database updates

• updates.paloaltonetworks.com:443
• proditpdownloads.paloaltonetworks.com:443
• staticupdates.paloaltonetworks.com:443 (for troubleshooting only)

PAN-DB URL filtering seed updates and cloud lookups

• *.urlcloud.paloaltonetworks.com:443

Brightcloud URL filtering database updates

• database.brightcloud.com:80,443
• service.brightcloud.com:80

WildFire

• wildfire.paloaltonetworks.com:443
• *.wildfire.paloaltonetworks.com:443
• jp.wildfire.paloaltonetworks.com:443 (Japan)
• *.jp.wildfire.paloaltonetworks.com:443 (Japan)
• sg.wildfire.paloaltonetworks.com:443 (Singapore)
• *.sg.wildfire.paloaltonetworks.com:443 (Singapore)
• eu.wildfire.paloaltonetworks.com:443 (Europe)
• *.eu.wildfire.paloaltonetworks.com:443 (Europe)

 GlobalProtect database updates

• c733.r33.cf1.rackcdn.com:80

Note: The updates.paloaltonetworks.com FQDN resolve to CDN-based IP addresses. If static IP addresses are required, staticupdates.paloaltonetworks.com may be used instead.