As part of infrastructure changes made to the Traps management service, we have begun migrating URLs used by Traps agents to communicate with Traps management service in the cloud. Some customers may need to adjust firewall policies to allow outbound traffic to the correct regional Traps instances.
For administrators using the SSL Decryption or App-ID features on Palo Alto Networks firewalls, no changes are required. Firewall policy should continue to allow the applications "ssl" and "traps-management-service" for Traps to function.
If you are using SSL Decryption, and are only allowing specific URLs as part of your policy, traffic to the following URLs should be allowed depending on your regional location.
By May 7th, administrators using SSL Decryption and allowing access to specific URLs must add the following URLs to your policy to avoid disrupting agent communication with the Traps management service.
Following the update, customers should allow both the old and new URLs for at least two weeks to allow the changes to propagate to all agents.
Palo Alto Networks will release an update for the ‘traps-management-service’ App-ID prior to the change date.Firewall administrators enabling access to Traps management service via App-ID policy can remove ‘SSL’ from applicable rules once that content version has been applied. No further action required.
Q: Why is Palo Alto Networks making these changes?
A: The previous URL construct linked to an Amazon S3 service in the AWS datacenter. Following the recommended best practices, we are reconstructing the URLs to connect directly to specific Traps S3 buckets, adding an additional layer of security.
Q: Can I expect additional updates to Traps management service traffic?
A: No further changes are planned. Additionally, with the changes above, any new URLs needed can be easily added to the service and the App-ID without interaction needed from the firewall administrator.
For more information and detailed configuration instructions, please visit the article below: