Learn best practices and recommendations for securing Palo Alto Networks Panorama and Log Collector communications.
As a general recommendation, the management interfaces of Panorama and Log Collectors should not have direct Internet access without a security device, such as a Palo Alto Networks firewall, inline. It is important to understand which traffic and protocols are expected to and from Panorama and Log Collectors so that firewall rules can be applied to provide protection in both directions and block unexpected traffic. This post outlines the expected protocols and ports for Panorama and Log Collectors.
Expected Communications from Panorama and Log Collectors
It is generally suggested to allow Panorama or Log Collector communication ports and applications only to or from specific IP address(es) where these are known, and to deny everything else. If certain ports or protocols are not used, there is no need to allow that traffic. Below is a table of all inbound and outbound communication to and from Panorama or Log Collectors.
Please note that ports for user-defined services such as external authentication and syslog servers are user-controlled. The default ports for these services are listed in the table below; review your server profile configurations to determine whether non-standard ports are used in your environment.
| Destination Port(s) | Protocol | Inbound/Outbound | Palo Alto Networks App-ID | Description |
|---|---|---|---|---|
| 22 | TCP | Inbound and Outbound | ssh | Used for communication from a client system to the Panorama CLI and for outbound SCP. |
| 25, 587 | TCP | Outbound | smtp-base | Used when email log alerts are configured on Panorama. Should only be allowed to trusted mail services. |
| 28 | TCP | Inbound and Outbound | ssh * | Used for HA connectivity and synchronization between Panorama HA peers using encrypted communication (SSH over TCP); communication can be initiated by either peer. Also used for communication between Log Collectors in a Collector Group for log distribution. |
| 49 | TCP | Outbound | tacacs-plus | Used when TACACS+ authentication is configured on Panorama. Should only be allowed to trusted TACACS+ services. |
| 53 | UDP | Outbound | dns | Port used for DNS lookups. |
| 80, 443, 444 | TCP | Outbound | paloalto-shared-services | Used for all common traffic shared by various Palo Alto Networks services. |
| 88 | TCP | Outbound | kerberos | Used when Kerberos authentication is configured on Panorama. Should only be allowed to trusted Kerberos services. |
| 123 | UDP | Outbound | ntp | Port used for NTP updates. |
| 161 | UDP | Inbound | snmp-base | Port Panorama listens on for polling requests (GET messages) from the SNMP manager. |
| 162 | UDP | Outbound | snmp-trap | Port used to forward SNMP traps to an SNMP manager. |
| 389, 636 | TCP | Outbound | ldap | Used when LDAP authentication is configured on Panorama. Should only be allowed to trusted LDAP services. |
| 443 | TCP | Inbound and Outbound | ssl, paloalto-updates, and most 'paloalto-' applications | Used for communication from a client system to the Panorama web interface. Also used for outbound communications from Panorama, such as content updates. |
| 443 | TCP | Outbound | paloalto-zero-touch-provision | ZTP service traffic for Palo Alto Networks devices. |
| 444 | TCP | Outbound | paloalto-logging-service | Panorama uses port 444 to connect to Cortex Data Lake for log queries and validity checks. |
| 514 (TCP), 514 (UDP), 6514 (SSL) | TCP, UDP, SSL | Outbound | syslog | Ports used to send logs to a syslog server when you configure Syslog Monitoring, and the ports that the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages. |
| 1812 | UDP | Outbound | radius | Used when RADIUS authentication is configured on Panorama. Should only be allowed to trusted RADIUS services. |
| 2049 | TCP | Outbound | nfs | Used by the Panorama virtual appliance to write logs to the NFS datastore. |
| 3978 | TCP | Inbound and Outbound | panorama | Used for communication between Panorama and managed firewalls or managed collectors, as well as among managed collectors in a Collector Group: (1) communication between Panorama and firewalls, initiated from the managed firewall to Panorama, carrying a bi-directional exchange in which the firewalls forward logs to Panorama and Panorama pushes configuration changes to the firewalls (context switching commands use the same connection); (2) Log Collectors use this destination port to forward logs to Panorama; (3) communication with the default Log Collector on an M-Series appliance in Panorama mode and with Dedicated Log Collectors. |
| 10443 | SSL | Outbound | paloalto-autofocus | Port Panorama uses to provide contextual information about a threat or to shift a threat investigation to the Threat Vault and AutoFocus. |
| 23000 to 23999 | TCP, UDP, SSL | Inbound | syslog | Used for syslog communication between Panorama and the Traps ESM components. |
| 28270 | TCP | Inbound and Outbound | panorama | Used for communication among Log Collectors in a Collector Group for log distribution. |
| 28443 | TCP | Inbound | paloalto-updates, panorama | Used by managed devices (firewalls and Log Collectors) to retrieve software and content updates from Panorama. |
| 28769 | TCP | Inbound and Outbound | panorama | Used for HA connectivity and synchronization between Panorama HA peers using clear-text communication; communication can be initiated by either peer. |
| 44443 | TCP | Inbound and Outbound | panorama-interconnect | Port used for WebSocket communication between the Panorama Controller and Nodes. |
* If this traffic passes through a Palo Alto Networks firewall, the 'ssh' App-ID needs to be allowed using a custom Service object in the Security Policy rule, because port 28 is not the application-default port for ssh.
Example Security Rules Configuration:
Create an application group with Panorama applications.
Create rules to allow the Panorama/Log Collector applications, plus a deny rule for all other, unexpected applications to and from Panorama/Log Collector. Note that some of these communications do not use application-default ports. The example rule is an aggregation of App-IDs for all communication expected from the Panorama/Log Collector system. The next best-practice step is to define discrete rules wherever possible from the Panorama/Log Collector system to external, untrusted or managed systems.
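Before writing the allow and deny rules, it helps to check observed traffic against the expected-communications table. The following is an added Python example, not code from the original post or from Palo Alto Networks: it encodes a subset of the table above and classifies constructed sample flows from Panorama's point of view. The Panorama and server IP addresses are made up, and the "trusted" flag marks the services that the table says should only be allowed to trusted servers.

```python
from dataclasses import dataclass

# Constructed subset of the table above: (dst port, proto) -> (App-ID, allowed directions, peer must be trusted)
EXPECTED = {
    (22, "tcp"): ("ssh", {"in", "out"}, False),
    (53, "udp"): ("dns", {"out"}, False),
    (162, "udp"): ("snmp-trap", {"out"}, False),
    (389, "tcp"): ("ldap", {"out"}, True),
    (443, "tcp"): ("ssl", {"in", "out"}, False),  # also paloalto-updates and most paloalto-* apps
    (514, "udp"): ("syslog", {"out"}, True),
    (3978, "tcp"): ("panorama", {"in", "out"}, False),
    (28443, "tcp"): ("paloalto-updates", {"in"}, False),
    (28769, "tcp"): ("panorama", {"in", "out"}, False),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str

def classify(flow, panorama_ips, trusted_servers):
    """Verdict for one observed flow, judged from Panorama's point of view."""
    if flow.src in panorama_ips:
        direction = "out"
    elif flow.dst in panorama_ips:
        direction = "in"
    else:
        return "not-panorama"            # flow does not touch Panorama at all
    entry = EXPECTED.get((flow.dport, flow.proto.lower()))
    if entry is None:
        return "unexpected-port"         # would hit the catch-all deny rule
    app, directions, needs_trusted = entry
    if direction not in directions:
        return "wrong-direction"         # e.g. a host connecting *to* the SNMP trap port
    if needs_trusted and flow.dst not in trusted_servers:
        return "untrusted-destination"   # e.g. LDAP or syslog to a server not in any profile
    return "expected:" + app

def audit(flows, panorama_ips, trusted_servers):
    return {f: classify(f, panorama_ips, trusted_servers) for f in flows}

# Constructed sample: one Panorama, one trusted syslog server, five observed flows.
PANORAMA, TRUSTED = {"10.0.0.10"}, {"10.0.2.30"}
SAMPLE = [Flow("10.0.1.5", "10.0.0.10", 3978, "tcp"),    # managed firewall -> Panorama
          Flow("10.0.0.10", "10.0.2.30", 514, "udp"),    # Panorama -> trusted syslog server
          Flow("10.0.0.10", "10.0.2.20", 389, "tcp"),    # Panorama -> LDAP host not in profile
          Flow("10.0.0.10", "203.0.113.7", 8080, "tcp"), # Panorama -> port not in the table
          Flow("10.0.1.5", "10.0.0.10", 162, "udp")]     # inbound to the SNMP trap port
```

Running `audit(SAMPLE, PANORAMA, TRUSTED)` flags the last three flows; each one is either a candidate for the deny rule or a sign that a server profile points somewhere it should not.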
References:
Ports Used for Management Functions
Ports Used for Panorama
What’s Next?
Most malware sneaks onto the network inside legitimate applications or services. Therefore, to safely enable applications you must scan all traffic allowed into the network for threats. To do this, attach Security Profiles to every Security Policy rule that allows traffic, so that you can detect both known and unknown threats in your network traffic. Recommended best-practice settings exist for each of the Security Profiles that you should attach to every Security Policy rule in your internet gateway rulebase. By tuning the rulebase and increasing visibility through the Security Profile best practices, you reduce an attacker's ability to traverse the environment and compromise additional hosts. Refer to the Best Practice Security Profiles for the Internet Gateway for more information.
Security Advisories
For available security advisories for Palo Alto Networks products, see https://security.paloaltonetworks.com/.