02-20-2026 03:20 AM
Group Company A is implementing surveillance cameras and requires communication to send data from the cameras to an external cloud server. The cloud server (destination) cannot be restricted by IP address or FQDN (only ports can be restricted), so IP addresses and FQDNs must be opened with ANY.

※ Restricted ports are TCP 443 (HTTPS), UDP 123 (NTP), TCP 31000 (TLS)

The policy states that since it is necessary to restrict the destination by IP address or FQDN, communication like the above cannot be permitted. Systems using cloud services like AWS are increasing, and situations where IP addresses and FQDNs fluctuate and cannot be restricted, as described above, are likely to become more common in the future. How should policies be configured on Palo Alto to ensure security?
02-20-2026 05:55 AM
Company has a policy not to permit traffic to any destination, but at the same time permits a group of people in the company to go and procure cameras without consulting the security team, who could provide prerequisites (like requiring the camera to use an FQDN as destination)?
In this case you either push back and don't allow the traffic, or place those cameras into their own subnet and permit traffic from the camera subnet to any IP on the ports you mentioned.
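As an added example (not the reply's own configuration), here are the PAN-OS configure-mode set commands that implement the segregated-subnet approach described above. The zone names (zone-cameras, zone-untrust, zone-trust), the 10.50.0.0/24 subnet, the object and rule names, and the security profile group spg-camera are assumptions; the three ports are the ones listed in the question.

```panos
# Added example: PAN-OS "set" commands for the camera-subnet approach.
# Zone names, subnet, object/rule names and the profile group are assumptions.
configure

# Address object for the dedicated camera subnet (assumed value)
set address obj-camera-subnet ip-netmask 10.50.0.0/24
set address obj-camera-subnet description "Surveillance cameras, Group Company A"

# Service objects limited to exactly the three ports the cameras need
set service svc-camera-https protocol tcp port 443
set service svc-camera-ntp protocol udp port 123
set service svc-camera-tls protocol tcp port 31000
set service-group svcgrp-camera-cloud members [ svc-camera-https svc-camera-ntp svc-camera-tls ]

# Allow rule: camera zone -> internet, destination any, but only on the listed ports.
# Source is pinned to the camera subnet so no other host can ride this rule.
# If the camera traffic identifies as App-ID ssl/ntp, "application [ ssl ntp ]"
# is tighter than "application any".
set rulebase security rules allow-camera-to-cloud from zone-cameras to zone-untrust
set rulebase security rules allow-camera-to-cloud source obj-camera-subnet destination any
set rulebase security rules allow-camera-to-cloud application any service svcgrp-camera-cloud
set rulebase security rules allow-camera-to-cloud action allow log-end yes
# Attach an existing security profile group (assumed name) for threat inspection
set rulebase security rules allow-camera-to-cloud profile-setting group spg-camera

# Block the camera subnet from reaching internal zones, so a compromised
# camera cannot pivot inward
set rulebase security rules deny-camera-to-internal from zone-cameras to zone-trust
set rulebase security rules deny-camera-to-internal source obj-camera-subnet destination any
set rulebase security rules deny-camera-to-internal application any service any
set rulebase security rules deny-camera-to-internal action deny log-end yes

# Everything else leaving the camera zone is denied and logged
set rulebase security rules deny-camera-other from zone-cameras to any
set rulebase security rules deny-camera-other source obj-camera-subnet destination any
set rulebase security rules deny-camera-other application any service any
set rulebase security rules deny-camera-other action deny log-end yes

commit
```

The logged denies give a quick check after deployment: any camera hit on deny-camera-other means the device is talking on a port the vendor did not document.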

