Enable access to required PANW resources Cortex


L0 Member

I would like to deploy an XDR.

For IP address ranges in Google Cloud Platform (GCP), refer to these lists for IP address coverage for your deployment:

Should I use all the IP address ranges in the region, for example if I choose to use the US Central region?

Should I include the IP ranges of all the data centers in the US Central region, for example us-central1, us-central2, us-central3, all that belong to us-central,

or should just us-central1 be fine?

 

Regards,

Vishwanath

 

1 REPLY 1

L5 Sessionator

Hello @KVishwan ,

 

Greetings for the day.

 

When deploying Cortex XDR, the preferred firewall configuration method is to allow traffic using FQDNs or Palo Alto Networks App-IDs rather than static IP addresses. This is because cloud IPs (especially in GCP) are dynamic and frequently change, making IP-based rules harder to maintain.

 

(If IP-Based Whitelisting Is Required)

If your environment strictly requires IP allowlisting, follow these best practices:

Use GCP IP Range Files

  • goog.json
    Contains global IP ranges for all Google services.
    Use this to ensure full coverage of shared/global infrastructure.
  • cloud.json
    Contains region-specific IP ranges.
    Useful if you want a more restrictive, region-focused policy.

 

Regional Coverage (e.g., US Central):

If your Cortex XDR tenant is hosted in a region like US Central, you should:

Allow All Regional Ranges

  • Include all relevant sub-regions such as:
    • us-central1
    • us-central2
    • us-central3 (and any future expansions)

Why This Matters:

  • High Availability:
    Traffic may shift between sub-regions due to load balancing or backend changes
  • Redundancy:
    Limiting access to only one sub-region (e.g., us-central1) can cause disruptions
  • Platform Updates:
    Services like agent updates or content delivery may originate from different ranges

 

Operational Risk of Restriction

Restricting firewall rules too tightly (e.g., to a single IP range or sub-region) can lead to:

  • Failed agent communication
  • Content update issues
  • Installation or upgrade failures

Best practice is to allow all documented GCP ranges relevant to Cortex XDR.

 

Key Requirements Summary:

  • Protocol/Port:
    Allow outbound TCP 443 (HTTPS)
  • Global Services (Examples):
    • panw-xdr-installers-prod-us.storage.googleapis.com → agent installation/updates
    • global-content-profiles-policy.storage.googleapis.com → content updates
  • Data Locality:
    Even if IPs appear geolocated elsewhere, your customer data remains within your deployment region.

Enable access to required PANW resources:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Enable-access-to-...

 

If this resolves your query, please consider marking the response as a solution and clicking "Like."

 

 

Thanks & Regards,
S. Subashkar Sekar
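
The regional filtering described in the reply above, as an added example that is not part of the original post or Palo Alto Networks' own tooling: it selects every scope in a `cloud.json` document that starts with a region prefix, collapses adjacent ranges, and reports which scopes were actually present so the rule base reflects the file rather than an assumed list. The field names follow Google's published `cloud.json`; the sample data uses documentation-reserved prefixes and is constructed, and the function names are hypothetical.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample in the layout of Google's published cloud.json.
# The prefixes are documentation-reserved ranges, not real Google ranges.
SAMPLE_CLOUD_JSON = """
{
  "syncToken": "0000000000000",
  "creationTime": "2024-01-01T00:00:00.000000",
  "prefixes": [
    {"ipv4Prefix": "198.51.100.0/25",   "service": "Google Cloud", "scope": "us-central1"},
    {"ipv4Prefix": "198.51.100.128/25", "service": "Google Cloud", "scope": "us-central1"},
    {"ipv4Prefix": "203.0.113.0/24",    "service": "Google Cloud", "scope": "us-central2"},
    {"ipv6Prefix": "2001:db8:1::/48",   "service": "Google Cloud", "scope": "us-central1"},
    {"ipv4Prefix": "192.0.2.0/24",      "service": "Google Cloud", "scope": "europe-west1"},
    {"ipv4Prefix": "192.0.2.0/24",      "service": "Google Cloud", "scope": "global"}
  ]
}
"""

def regional_prefixes(doc, region_prefix):
    """Group networks by scope for every scope that starts with region_prefix."""
    by_scope = defaultdict(list)
    for entry in doc.get("prefixes", []):
        scope = entry.get("scope", "")
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if cidr and scope.startswith(region_prefix):
            by_scope[scope].append(ipaddress.ip_network(cidr))
    return dict(by_scope)

def build_allowlist(json_text, region_prefix):
    """Return (scopes found, collapsed IPv4 networks, collapsed IPv6 networks)."""
    by_scope = regional_prefixes(json.loads(json_text), region_prefix)
    nets = [n for group in by_scope.values() for n in group]
    # collapse_addresses rejects mixed versions, so split the families first.
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return sorted(by_scope), v4, v6

if __name__ == "__main__":
    scopes, v4, v6 = build_allowlist(SAMPLE_CLOUD_JSON, "us-central")
    print("scopes present in file:", ", ".join(scopes) or "none")
    for net in v4 + v6:
        print(f"allow outbound tcp/443 to {net}")
```

Because the ranges change, the same function would be rerun against a freshly downloaded file on a schedule and the result diffed against the rules currently deployed.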
