Prisma SASE FedRAMP Moderate FQDNs
Learn which fully qualified domain names (FQDNs) are supported for use in Prisma SASE FedRAMP Moderate environments.
Because Palo Alto Networks enforces strict incoming Security policy rules for Prisma SASE FedRAMP tenants, you must provide Palo Alto Networks customer services with a list of FQDNs for the administrative users who will be accessing your environment. After you submit a support ticket with these FQDNs, customer services will create an allow list for them, which will let users log in from these FQDNs and access the environment.
The following are FedRAMP Moderate FQDNs.
| Product | Domain |
| ADEM |
- agents.dem.prismaaccess.com
- api-fed-mod-prod-1-us-central1.dem.prismaaccess.com
- agents-fed-mod-prod-1-us-central1.dem.prismaaccess.com
- probes-fed-mod-prod-1-us-central1.dem.prismaaccess.com
- controller-fed-mod-prod-1-us-central1.dem.prismaaccess.com
- updates-fed-mod-prod-1-us-central1.dem.prismaaccess.com
- features-fed-mod-prod-1-us-central1.dem.prismaaccess.com
|
| ADNS | dns-fedm.service.paloaltonetworks.com
In PAN-OS 12.2 (and later), ADNS includes APIs that are hosted by filemgr. Both sets of APIs (those hosted independently and those managed by filemgr) work in tandem; you need to set the FQDN for both to target your respective environment. The FQDN for filemgr is hawkeye.services-edge.pubsec-cloud.paloaltonetworks.com.
|
| API Gateway | https://api.fed.prismaaccess.com/getPrismaAccessIP/v2 |
| App Services (Hub & CIE) |
- Hub: apps.paloaltonetworks.com
- Logging Service Portal: logging-service.apps.paloaltonetworks.com
- SASE Portal: stratacloudmanager.paloaltonetworks.com
- Auth Service: auth.apps.paloaltonetworks.com
- App Registry: app-registry-service.apps.paloaltonetworks.com
- Directory Sync Portal: directory-sync.gov.apps.paloaltonetworks.com
- Directory Sync API: app-directory-sync.gov.apps.paloaltonetworks.com
- Directory Sync Agent: agent-directory-sync.gov.apps.paloaltonetworks.com
- Cloud Auth: cloud-auth.gov.apps.paloaltonetworks.com
- Cloud Auth Service: cloud-auth-service.gov.apps.paloaltonetworks.com
- SCIM Sync Service: scim-sync.gov.apps.paloaltonetworks.com
|
| CASB (SaaS API / SSPM) |
- https://sase-saas-api.saas.pubsec-cloud.paloaltonetworks.com
- https://api.saas.pubsec-cloud.paloaltonetworks.com
- https://app.saas.pubsec-cloud.paloaltonetworks.com
- https://orchestrator-api.saas.pubsec-cloud.paloaltonetworks.com
- https://authz.saas.pubsec-cloud.paloaltonetworks.com
- https://filecache.saas.pubsec-cloud.paloaltonetworks.com
|
| CASB (SaaS Inline) |
- https://sase-saas-api.saas.pubsec-cloud.paloaltonetworks.com
- https://api-prod-us.saas-inline.pubsec-cloud.paloaltonetworks.com
|
| Cloud Management |
- https://admin.mod.gov.panorama.paloaltonetworks.com
- https://paas-2.mod.gov.panorama.paloaltonetworks.com
- 34.122.198.113
- 34.60.19.192
|
| Strata Logging Service |
- Source IP Addresses for Log Forwarding
  - 34.67.50.64/28
- Firewall Log Ingestion
  - firewall-gov.gov.cdl.paloaltonetworks.com (Port 3978)
  - *.in2-lc-prod-gov-us.gpcloudservice.com (Port 3978)
- Enhanced Application Log Ingestion
  - fei-gov1.us1.cent1.gov.cdl.paloaltonetworks.com (Port 443)
  - *.fei-lc-prod-gov-us.gpcloudservice.com (Port 444)
- Telemetry and GlobalProtect Troubleshooting Log Ingestion
  - br-gov1.us1.cent1.gov.cdl.paloaltonetworks.com (Port 443)
  - storage.googleapis.com (Port 443)
- Log Access from Panorama
  - pcl-gov1.us1.cent1.gov.cdl.paloaltonetworks.com (Port 444)
  - cdl-gov1.us1.cent1.gov.cdl.paloaltonetworks.com (Port 443)
  - *.api2-lc-prod-gov-us.gpcloudservice.com (Port 444)
|
| DLP | https://gov.dlp.pubsec-cloud.paloaltonetworks.com |
| Insights |
- HTTPS: pa-usgov01.api.prismaaccess.com
- MTLS: pa-service-api-usgov01.api.prismaaccess.com
|
| IoT |
- https://fedramp-banff-api-elb.iot-gov.paloaltonetworks.com
- 34.208.130.221
- 52.11.205.69
- 44.236.140.29
|
| Lumos V&R |
- api.mod.prod.reporting.paloaltonetworks.com
- 34.29.53.115
|
| Prisma SASE Multitenant Portal |
- https://pa-us01.api.prismasasegov.com/api/cloud/2.0/agg
- https://api.paloaltonetworks.com/mt/monitor/v1/agg with the x-panw-region header set to gov
|
| Prisma SD-WAN | *.prismasasegov.com |
| Panorama |
- cdl-gov1.us1.cent1.gov.cdl.paloaltonetworks.com
- *.api2-lc-prod-gov.gpcloudservice.com
- *.fei-lc-prod-gov.gpcloudservice.com
- Br-gov1.us1.cent1.gov.cdl.paloaltonetworks.com
- lic.lc.prod.us.cs.paloaltonetworks.com
- api.us1.cent1.gov.cdl.paloaltonetworks.com
- sdwanapps-pa-panorama-autofedramptf.hood.cloudgenix.com
- sdwanapps-pa-panorama.rogers.prismasasegov.com
- sdwanapps-pa-panorama.campbel.prismasasegov.com
|
| PanOS Cloud Component |
- hawkeye.services-edge.pubsec-cloud.paloaltonetworks.com
- enforcer.hawkeye.services-edge.pubsec-cloud.paloaltonetworks.com
- iot.services-edge.pubsec-cloud.paloaltonetworks.com
- enforcer.iot.services-edge.pubsec-cloud.paloaltonetworks.com
|
| Wildfire |
- pubsec-cloud.wildfire.paloaltonetworks.com
- 35.230.63.175
|
| ZTNA Connector |
- locator.cgnx.net
- controller-autofedramptf.rogers.cgnx.net
|