Protecting Panorama and Log Collector Inbound and Outbound Communications

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Retired Member
Not applicable
100% helpful (4/4)

Learn best practices and recommendations for securing Palo Alto Networks Panorama and Log Collector communications.Learn best practices and recommendations for securing Palo Alto Networks Panorama and Log Collector communications.

 

As a general recommendation, management interfaces for Panorama and Log Collectors should not have direct Internet access without a security device such as a Palo Alto Networks firewall inline. It is important to understand what traffic and protocols are expected to and from Panorama and Log Collectors to ensure proper firewalls rules can be applied in order to provide protection bi-directionally and block unexpected traffic. This post outlines what are expected protocols and ports for Panorama and Log Collectors.

Expected Communications from Panorama and Log Collectors

 

It is generally suggested to allow Panorama or Log Collector communication ports and applications to or from specific IP Address(es) if known and deny all else. If certain ports or protocols are not leveraged, then it is not necessary to allow such traffic. Below is a table of all inbound and outbound communication to and from Panorama or Log Collectors.


Please note, ports for user-defined services like external authentication and syslog servers are user-controlled. The default ports for these services are listed in the table below. Please review your server profile configurations to determine if non-standard ports are used in your environment.

 

Destination
Port(s)

Protocol

Inbound/
Outbound

Palo Alto Networks
App-id

Description

22

TCP

Inbound and Outbound

ssh

Used for communication from a client system to the Panorama CLI interface and for SCP outbound.

25, 587

TCP

Outbound

smtp-base

Used when email log alerts are configured from Panorama. Should only allow to trusted mail services.

28

TCP

Inbound and Outbound

ssh *

Used for the HA connectivity and synchronization between Panorama HA peers using encrypted communication (SSH over TCP). Communication can be initiated by either peer.


Used for communication between Log Collectors in a Collector Group for log distribution.

49

TCP

Outbound

tacacs-plus

Used when TACACS+ authentication is configured on Panorama. Should only allow to trusted TACACS+ services.

53

UDP

Outbound

dns

Port used for DNS lookups.

80, 443, 444

TCP

Outbound

paloalto-shared-services

Used for all common traffic shared by various services from Palo Alto Network

88

TCP

Outbound

kerberos

Used when Kerberos authentication is configured on Panorama. Should only allow to trusted Kerberos services.

123

UDP

Outbound

ntp

Port used for NTP updates.

161

UDP

Inbound

snmp-base

Port the Panorama listens on for polling requests (GET messages) from the SNMP manager.

162

UDP

Outbound

snmp-trap

Port used to Forward SNMP traps to an SNMP Manager.

389,636

TCP

Outbound

ldap

Used when LDAP authentication is configured on Panorama. Should only allow to trusted LDAP services.

443

TCP

Inbound and Outbound

ssl
paloalto-updates

+ most ‘paloalto- ‘ applications

Used for communication from a client system to the Panorama web interface. Also used for outbound communications from Panorama such as for content updates.

443

TCP

Outbound

paloalto-zero-touch-provision

ZTP service traffic for Palo Alto Networks devices.

444

TCP

Outbound

paloalto-logging-service

Panorama uses port 444 to connect to Cortex Data Lake for other log query and validity checks.

514
514

6514

TCP
UDP
SSL

Outbound

syslog

Port used to send logs to a syslog server if you Configure Syslog Monitoring, and the ports that the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages.

1812

UDP

Outbound

radius

Used when RADIUS authentication is configured on Panorama. Should only allow to trusted RADIUS services.

2049

TCP

Outbound

nfs

Used by the Panorama virtual appliance to write logs to the NFS datastore.

3978

TCP

Inbound and Outbound

panorama

Used for communication between Panorama and managed firewalls or managed collectors, as well as for communication among managed collectors in a Collector Group:

  • For communication between Panorama and firewalls. This connection is initiated from the managed firewall to Panorama and facilitates a bi-directional data exchange on which the firewalls forward logs to Panorama and Panorama pushes configuration changes to the firewalls. Context switching commands are sent over the same connection.
  • Log Collectors use this destination port to forward logs to Panorama.
  • For communication with the default Log Collector on an M-Series appliance in Panorama mode and with Dedicated Log Collectors.

10443

SSL

Outbound

paloalto-autofocus

Port that Panorama uses to provide contextual information about a threat or to seamlessly shift your threat investigation to the Threat Vault and AutoFocus.

23000 to 23999

TCP, UDP, SSL

Inbound

syslog

Used for Syslog communication between Panorama and the Traps ESM components.

28270

TCP

Inbound and Outbound

panorama

Used for communication among Log Collectors in a Collector Group for log distribution.

28443

TCP

Inbound

paloalto-updates

panorama

Used for managed devices (firewalls and Log Collectors) to retrieve software and content updates from Panorama.

28769

TCP

Inbound and Outbound

panorama

Used for the HA connectivity and synchronization between Panorama HA peers using clear text communication. Communication can be initiated by either peer.

44443

TCP

Inbound and Outbound

panorama-interconnect

Port used for websocket communication between Panorama Controller and Nodes

* If this traffic is passing through Palo Alto Networks Firewall, 'ssh’ App-ID needs to be allowed using Custom Service object in the Security Policy Rule

 

 

Example Security Rules Configuration:

 

  1. Create an application group with Panorama applications.
    rkim_3-1639778408138.png
  2. Create rules to allow Panorama/Log Collector applications and a deny rule for all other unexpected applications for Panorama/Log Collector. Note that some communications may not be using application-default ports.

    The example below is an aggregation of App-IDs for all communication expected from the Panorama/Log Collector system. The next step of best practice would be to define discreet rules wherever possible from the Panorama/Log Collector system to external or untrusted/managed systems.
    rkim_4-1639778912644.png

     

References: 

 

What’s Next? 

Most malware sneaks onto the network in legitimate applications or services. Therefore, to safely enable applications you must scan all traffic allowed into the network for threats. To do this, attach security profiles to all Security Policy rules that allow traffic so that you can detect threats—both known and unknown—in your network traffic. The following are the recommended best practice settings for each of the Security Profiles that you should attach to every Security Policy rule on your internet gateway policy rulebase.

By tuning the rule base and increasing the visibility by following the best practices for Security Profiles you reduce the ability for attackers to easily traverse the environment and compromise additional hosts.

Refer to the Best Practice Security Profiles for the Internet Gateway for more information

 

Security Advisories

For available security advisories for Palo Alto Networks products, reference https://security.paloaltonetworks.com/.

 

Rate this article:
(1)
  • 6107 Views
  • 0 comments
  • 2 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎07-11-2022 11:50 PM
Updated by: