Prerequisite Ports and FQDNs for Enterprise DLP

Allow access to the following IP addresses and open ports required to successfully forward traffic to Enterprise Data Loss Prevention (E-DLP).
  • Strata Cloud Manager Ports and FQDNs
    Enterprise DLP stores DLP incident data in regional storage buckets based on the source of the DLP incident traffic. You must allow access to all of the listed FQDNs and ports on your network regardless of the region and DLP incident source.
    The hawkeye.services-edge.paloaltonetworks.com FQDN automatically resolves to the closest Enterprise DLP server to scan forwarded traffic, and to store the traffic contents, evidence, time of scan, and snippets.
    (Switzerland and Brazil) Enterprise DLP scans forwarded traffic and stores the traffic contents, evidence, time of scan, and snippets in the respective regions. However, Enterprise DLP stores incident metadata in the region where you deployed your Strata Cloud Manager tenant.
    Regions: Australia, APAC, Brazil, Canada, Europe, France, India, Japan, Switzerland, United Kingdom, United States of America
    FQDNs (Port TCP 80)
    • http://ocsp.paloaltonetworks.com
    • http://crl.paloaltonetworks.com
    • http://ocsp.godaddy.com
    • http://crl.godaddy.com
    FQDNs (Port TCP 443)
    • https://api.paloaltonetworks.com
    • https://apitrusted.paloaltonetworks.com
    • certificatetrusted.paloaltonetworks.com
    • certificate.paloaltonetworks.com
    • hawkeye.services-edge.paloaltonetworks.com
    • dlp.hawkeye.services-edge.paloaltonetworks.com
    • ace.hawkeye.services-edge.paloaltonetworks.com
    • urlcat.hawkeye.services-edge.paloaltonetworks.com
    • enforcer-hawkeye.services-edge.paloaltonetworks.com
  • Panorama Country Ports and FQDNs
    You must allow access to all of the Enterprise DLP ports and FQDNs Required for All Regions on your network regardless of the region and DLP incident traffic source.
    Enterprise DLP stores DLP incident data in regional storage buckets based on DLP incident traffic source. You can allow the Default Cloud Content Server FQDN to automatically resolve to the closest Enterprise DLP server to scan forwarded traffic, and to store the file contents, evidence, time of scan, and snippets. Alternatively, you can configure a Regional Cloud Content Server FQDN to forward traffic to a specific Enterprise DLP server and storage bucket.
    The Cloud Content Server FQDN you allow on your network must be the same as the one you configure in the Cloud Content Settings to successfully forward traffic to Enterprise DLP.
    (Switzerland and Brazil) You must use the Default Regional Cloud Content Server FQDN. Enterprise DLP scans forwarded traffic and stores the traffic contents, evidence, time of scan, and snippets in the respective regions. However, Enterprise DLP stores incident metadata in the region where you deployed your Strata Cloud Manager tenant.
    Regions: Required for All Regions
    FQDNs (DLP Service Port TCP 80)
    • http://ocsp.paloaltonetworks.com
    • http://crl.paloaltonetworks.com
    • http://ocsp.godaddy.com
    • http://crl.godaddy.com
    FQDNs (DLP Service Port TCP 443)
    • https://api.paloaltonetworks.com
    • https://apitrusted.paloaltonetworks.com
    • certificatetrusted.paloaltonetworks.com
    • certificate.paloaltonetworks.com
    • dlp.hawkeye.services-edge.paloaltonetworks.com
    • ace.hawkeye.services-edge.paloaltonetworks.com
    • urlcat.hawkeye.services-edge.paloaltonetworks.com
    • enforcer-hawkeye.services-edge.paloaltonetworks.com
    Regions | Regional Cloud Content Server FQDN | Port
    Default, Brazil, Switzerland | hawkeye.services-edge.paloaltonetworks.com | TCP 443
    APAC | apac.hawkeye.services-edge.paloaltonetworks.com | TCP 443
    Australia | au.hawkeye.services-edge.paloaltonetworks.com | TCP 443
    Canada | ca.hawkeye.services-edge.paloaltonetworks.com | TCP 443
    Europe | eu.hawkeye.services-edge.paloaltonetworks.com | TCP 443
    France | fr.hawkeye.services-edge.paloaltonetworks.com | TCP 443
    India | in.hawkeye.services-edge.paloaltonetworks.com | TCP 443
    Japan | jp.hawkeye.services-edge.paloaltonetworks.com | TCP 443
    United Kingdom | uk.hawkeye.services-edge.paloaltonetworks.com | TCP 443
    United States of America | us.hawkeye.services-edge.paloaltonetworks.com | TCP 443
  • Panorama FedRAMP Ports and FQDNs
    Enterprise DLP supports FedRAMP Moderate and High environments.
    FedRAMP Impact Level: Moderate, High
    FQDNs (Port TCP 80)
    • http://ocsp.paloaltonetworks.com
    • http://crl.paloaltonetworks.com
    • http://ocsp.godaddy.com
    • http://crl.godaddy.com
    FQDNs (Port TCP 443)
    • https://api.paloaltonetworks.com
    • https://apitrusted.paloaltonetworks.com
    • certificatetrusted.paloaltonetworks.com
    • certificate.paloaltonetworks.com
    • hawkeye.services-edge.pubsec-cloud.paloaltonetworks.com
    • dlp.hawkeye.services-edge.paloaltonetworks.com
    • ace.hawkeye.services-edge.paloaltonetworks.com
    • urlcat.hawkeye.services-edge.paloaltonetworks.com
    • enforcer-hawkeye.services-edge.paloaltonetworks.com
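
An offline audit of an egress allowlist against the Panorama (non-FedRAMP) requirements listed above, as an added example that is not Palo Alto Networks code. The `audit` function, the `(fqdn, port)` allowlist format and the sample data are assumptions of this example; flagging an allowed Cloud Content Server FQDN that differs from the configured one is this example's reading of the rule that the two must be the same.

```python
REQUIRED = {  # "Required for All Regions" entries from the page
    80: ["ocsp.paloaltonetworks.com", "crl.paloaltonetworks.com",
         "ocsp.godaddy.com", "crl.godaddy.com"],
    443: ["api.paloaltonetworks.com", "apitrusted.paloaltonetworks.com",
          "certificatetrusted.paloaltonetworks.com",
          "certificate.paloaltonetworks.com"]
         + [p + "hawkeye.services-edge.paloaltonetworks.com"
            for p in ("dlp.", "ace.", "urlcat.", "enforcer-")],
}
DEFAULT_CCS = "hawkeye.services-edge.paloaltonetworks.com"
REGIONAL_CCS = {r + "." + DEFAULT_CCS
                for r in ("apac", "au", "ca", "eu", "fr", "in", "jp", "uk", "us")}
DEFAULT_ONLY_REGIONS = {"brazil", "switzerland"}  # must use the default FQDN


def norm(fqdn):
    """Lower-case and drop a trailing root dot so rule entries compare equal."""
    return fqdn.strip().lower().rstrip(".")


def audit(allowlist, configured_ccs, region=""):
    """Return findings for an egress allowlist of (fqdn, tcp_port) pairs."""
    allowed = {(norm(f), int(p)) for f, p in allowlist}
    ccs = norm(configured_ccs)
    findings = [f"missing {f} tcp/{port}"
                for port, names in REQUIRED.items()
                for f in names if (f, port) not in allowed]
    if ccs != DEFAULT_CCS and ccs not in REGIONAL_CCS:
        findings.append(f"{ccs} is not a listed Cloud Content Server FQDN")
    elif (ccs, 443) not in allowed:
        findings.append(f"configured content server {ccs} tcp/443 is not allowed")
    if region.lower() in DEFAULT_ONLY_REGIONS and ccs != DEFAULT_CCS:
        findings.append(f"{region} must use the default FQDN {DEFAULT_CCS}")
    for f, _port in sorted(allowed):
        if f in REGIONAL_CCS | {DEFAULT_CCS} and f != ccs:
            findings.append(f"{f} is allowed but is not the configured content server")
    return findings


# Constructed sample: Panorama is configured for the Europe content server, but
# the firewall rule allows the US one and omits one CRL host.
SAMPLE = [(f, p) for p, names in REQUIRED.items() for f in names
          if f != "crl.godaddy.com"]
SAMPLE.append(("US.hawkeye.services-edge.paloaltonetworks.com.", 443))

if __name__ == "__main__":
    for line in audit(SAMPLE, "eu.hawkeye.services-edge.paloaltonetworks.com"):
        print(line)
```
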