Here's something that was brought up by one of our teams. According to this KB article, cloud messaging also needs these ports.
I was able to find logs related to this where the application was identified as google-base or unknown-tcp and denied. An app-id signature update may be in order.
Good idea to run a tech support file and create a TAC ticket.
PANW typically updates modified signatures on a weekly basis. Depending on the timeliness of our entry, we can all enjoy getting an updated signature sooner. Please let us know what TAC states and keep us in the loop for when a modified signature will be released.