As a general recommendation, management interfaces for Panorama and Log Collectors should not have direct Internet access without a security device such as a Palo Alto Networks firewall inline. It is important to understand what traffic and protocols are expected to and from Panorama and Log Collectors to ensure proper firewalls rules can be applied in order to provide protection bi-directionally and block unexpected traffic. This post outlines what are expected protocols and ports for Panorama and Log Collectors.
It is generally suggested to allow Panorama or Log Collector communication ports and applications to or from specific IP Address(es) if known and deny all else. If certain ports or protocols are not leveraged, then it is not necessary to allow such traffic. Below is a table of all inbound and outbound communication to and from Panorama or Log Collectors.
Please note, ports for user-defined services like external authentication and syslog servers are user-controlled. The default ports for these services are listed in the table below. Please review your server profile configurations to determine if non-standard ports are used in your environment.
|
Destination |
Protocol |
Inbound/ |
Palo Alto Networks |
Description |
|---|---|---|---|---|
|
22 |
TCP |
Inbound and Outbound |
ssh |
Used for communication from a client system to the Panorama CLI interface and for SCP outbound. |
|
25, 587 |
TCP |
Outbound |
smtp-base |
Used when email log alerts are configured from Panorama. Should only allow to trusted mail services. |
|
28 |
TCP |
Inbound and Outbound |
ssh * |
Used for the HA connectivity and synchronization between Panorama HA peers using encrypted communication (SSH over TCP). Communication can be initiated by either peer. Used for communication between Log Collectors in a Collector Group for log distribution. |
|
49 |
TCP |
Outbound |
tacacs-plus |
Used when TACACS+ authentication is configured on Panorama. Should only allow to trusted TACACS+ services. |
|
53 |
UDP |
Outbound |
dns |
Port used for DNS lookups. |
|
80, 443, 444 |
TCP |
Outbound |
paloalto-shared-services |
Used for all common traffic shared by various services from Palo Alto Network |
|
88 |
TCP |
Outbound |
kerberos |
Used when Kerberos authentication is configured on Panorama. Should only allow to trusted Kerberos services. |
|
123 |
UDP |
Outbound |
ntp |
Port used for NTP updates. |
|
161 |
UDP |
Inbound |
snmp-base |
Port the Panorama listens on for polling requests (GET messages) from the SNMP manager. |
|
162 |
UDP |
Outbound |
snmp-trap |
Port used to Forward SNMP traps to an SNMP Manager. |
|
389,636 |
TCP |
Outbound |
ldap |
Used when LDAP authentication is configured on Panorama. Should only allow to trusted LDAP services. |
|
443 |
TCP |
Inbound and Outbound |
ssl + most ‘paloalto- ‘ applications |
Used for communication from a client system to the Panorama web interface. Also used for outbound communications from Panorama such as for content updates. |
|
443 |
TCP |
Outbound |
paloalto-zero-touch-provision |
ZTP service traffic for Palo Alto Networks devices. |
|
444 |
TCP |
Outbound |
paloalto-logging-service |
Panorama uses port 444 to connect to Cortex Data Lake for other log query and validity checks. |
|
514 6514 |
TCP |
Outbound |
syslog |
Port used to send logs to a syslog server if you Configure Syslog Monitoring, and the ports that the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages. |
|
1812 |
UDP |
Outbound |
radius |
Used when RADIUS authentication is configured on Panorama. Should only allow to trusted RADIUS services. |
|
2049 |
TCP |
Outbound |
nfs |
Used by the Panorama virtual appliance to write logs to the NFS datastore. |
|
3978 |
TCP |
Inbound and Outbound |
panorama |
Used for communication between Panorama and managed firewalls or managed collectors, as well as for communication among managed collectors in a Collector Group:
|
|
10443 |
SSL |
Outbound |
paloalto-autofocus |
Port that Panorama uses to provide contextual information about a threat or to seamlessly shift your threat investigation to the Threat Vault and AutoFocus. |
|
23000 to 23999 |
TCP, UDP, SSL |
Inbound |
syslog |
Used for Syslog communication between Panorama and the Traps ESM components. |
|
28270 |
TCP |
Inbound and Outbound |
panorama |
Used for communication among Log Collectors in a Collector Group for log distribution. |
|
28443 |
TCP |
Inbound |
paloalto-updates panorama |
Used for managed devices (firewalls and Log Collectors) to retrieve software and content updates from Panorama. |
|
28769 |
TCP |
Inbound and Outbound |
panorama |
Used for the HA connectivity and synchronization between Panorama HA peers using clear text communication. Communication can be initiated by either peer. |
|
44443 |
TCP |
Inbound and Outbound |
panorama-interconnect |
Port used for websocket communication between Panorama Controller and Nodes |
References:
Most malware sneaks onto the network in legitimate applications or services. Therefore, to safely enable applications you must scan all traffic allowed into the network for threats. To do this, attach security profiles to all Security Policy rules that allow traffic so that you can detect threats—both known and unknown—in your network traffic. The following are the recommended best practice settings for each of the Security Profiles that you should attach to every Security Policy rule on your internet gateway policy rulebase.
By tuning the rule base and increasing the visibility by following the best practices for Security Profiles you reduce the ability for attackers to easily traverse the environment and compromise additional hosts.
Refer to the Best Practice Security Profiles for the Internet Gateway for more information
For available security advisories for Palo Alto Networks products, reference https://security.paloaltonetworks.com/.
