Focus

Prisma SD-WAN Administrator’s Guide

Allow IP Addresses in Firewall Configuration

Table of Contents

Allow IP Addresses in Firewall Configuration

Lets learn about the allowed IP addresses in Firewall configurations in Prisma SD-WAN.

Where Can I Use This?	What Do I Need?
Prisma SD-WAN	Active Prisma SD-WAN license

The purpose of this document is to maintain all services that run on the ION device that require you to open ports on external firewalls.

The public IP addresses for customer firewall configurations use a domain-based ACL / Firewall Rule. These public IPs are subject to change.

To ensure smooth functioning of the Prisma SD-WAN services, allow the following IP URLs and/or IP addresses.

Although we have provided Static IP addresses for each URL, we recommend that you use DNS for resolution.

Service Name	Protocol	Port	Direction	Source Interface IP	Destination and IP Addresses
IPSec for Prisma SD-WAN and Standard VPNs	UDP	4500	Outbound at both Data Center and Branch. Inbound at least at one side of the connection.	Internet Port IP on both ION devices. Private WAN port IP on Branch for VPNoMPLS. Peering Port on the Data Center side for VPNoMPLS.	Internet Port IP on both ION devices. Private WAN port IP on Branch for VPNoMPLS. Peering Port on the Data Center side for VPNoMPLS.
ESP for Prisma SD-WAN and Standard VPNs	IP proto 50	NA	Outbound and Inbound	Internet Port IP on both ION devices. Private WAN port IP on Branch for VPNoMPLS. Peering Port on the Data Center side for VPNoMPLS.	Internet Port IP on both ION devices. Private WAN port IP on Branch for VPNoMPLS. Peering Port on the Data Center side for VPNoMPLS.
Prisma SD-WAN access to web interface	TCP	443	Outbound	Client PC	https://login.cloudgenix.com https://portal.cloudgenix.com https://api.cloudgenix.com https://login.elcapitan.cloudgenix.com https://portal.elcapitan.cloudgenix.com https://portal.hood.cloudgenix.com/ https://login.hood.cloudgenix.com/ https://sase.paloaltonetworks.com/
Prisma SD-WAN access to API Endpoints	TCP	443	Outbound	Client PC	https://api.sase.paloaltonetworks.com https://api.elcapitan.cloudgenix.com https://api.sugarloaf.cloudgenix.com https://api.hood.cloudgenix.com https://api.us.hood.cloudgenix.com https://api.us.elcapitan.cloudgenix.com https://api.jp.hood.cloudgenix.com https://api.jp.elcapitan.cloudgenix.com https://api.sg.hood.cloudgenix.com https://api.sg.elcapitan.cloudgenix.com https://api.ca.hood.cloudgenix.com https://api.ca.elcapitan.cloudgenix.com https://api.in.hood.cloudgenix.com https://api.in.elcapitan.cloudgenix.com https://api.au.hood.cloudgenix.com https://api.au.elcapitan.cloudgenix.com https://api.eu.sugarloaf.cloudgenix.com https://api.de.sugarloaf.cloudgenix.com https://api.uk.sugarloaf.cloudgenix.com https://api.uk.bowfell.cloudgenix.com https://api.sg.faber.cloudgenix.com https://api.au.townsend.cloudgenix.com
ION Device to Prisma SD-WAN Cloud Controller	TCP	443	Outbound	ION Controller Port IP Address (primary) ION Internet Port IP Address (backup)	https://controller.cgnx.net Address: 52.8.93.87 Address: 52.8.25.40 https://locator.cgnx.net Address: 18.223.78.55 Address: 52.15.45.235 hood: 52.40.98.31 34.218.98.185 sugarloaf: 18.200.102.82 18.200.135.33 faber: 18.139.242.53 54.255.61.109 https://vmfg.cgnx.net Address: 52.53.122.104 Address: 52.53.102.7 https://controller.elcapitan.cgnx.net Address: 3.23.240.174 Address: 3.136.181.240 https://vmfg.elcapitan.cgnx.net Address: 52.53.122.104 Address: 52.53.102.7 https://controller.hood.cgnx.net Address: 52.32.167.5 Address: 54.70.168.33 https://vmfg.hood.cgnx.net Address: 50.112.136.184 Address: 34.210.34.87 https://controller.sugarloaf.cgnx.net Address: 108.128.176.192 Address: 18.200.144.58 https://vmfg.sugarloaf.cgnx.net Address: 99.81.179.99 Address: 99.80.52.255 https://sdwan-stats-hood-us.cgnx.net https://sdwan-stats-elcapitan-us.cgnx.net https://sdwan-stats-hood-jp.cgnx.net https://sdwan-stats-elcapitan-jp.cgnx.net https://sdwan-stats-hood-sg.cgnx.net https://sdwan-stats-elcapitan-sg.cgnx.net https://sdwan-stats-hood-au.cgnx.net https://sdwan-stats-elcapitan-au.cgnx.net https://sdwan-stats-hood-in.cgnx.net https://sdwan-stats-elcapitan-in.cgnx.net https://sdwan-stats-hood-ca.cgnx.net https://sdwan-stats-elcapitan-ca.cgnx.net https://sdwan-stats-sugarloaf-eu.cgnx.net https://sdwan-stats-sugarloaf-de.cgnx.net https://sdwan-stats-sugarloaf-uk.cgnx.net https://controller.bowfell.cgnx.net Address: 13.41.243.90 Address: 18.171.17.23 https://vmfg.bowfell.cgnx.net Address: 52.56.35.36 Address: 52.56.224.242 https://controller.faber.cgnx.net Address: 52.74.47.220 Address: 13.251.109.27 https://vmfg.faber.cgnx.net Address: 18.142.153.59 Address: 52.74.58.219 https://controller.townsend.cgnx.net Address: 13.55.31.41 Address: 3.106.168.215 https://vmfg.townsend.cgnx.net Address: 52.64.177.240 Address: 13.55.164.51 https://sdwan-stats-faber-sg.cgnx.net https://sdwan-stats-bowfell-uk.cgnx.net https://sdwan-stats-townsend-au.cgnx.net
Bandwidth Monitoring	TCP and UDP	443	Outbound	ION Controller Port IP Address ION Internet Port IP Address	Peer DC ION 7K Peering Interface IP Addresses Cloud service at pcm.cgnx.net 52.25.78.62 34.212.76.47 54.172.15.178 52.207.248.9
Link Quality	TCP and UDP	443	Outbound	ION Controller Port IP Address VPN Tunnel Internal IP Address	Peer DC ION Peering Interface IP Addresses
Prisma SD-WAN Web Interface	TCP	443	Outbound	Client PC (or NAT IP on ION)	portal.cloudgenix.com login.cloudgenx.com api.cloudgenix.com portal.elcapitan.cloudgenix.com login.elcapitan.cloudgenx.com api.elcapitan.cloudgenix.com 52.8.33.74 52.8.122.116
NTP	UDP	123	Outbound	ION Controller Port IP Address ION Internet Port IP Address	time.nist.gov
DNS	UDP and TCP	53	Outbound	ION Controller Port IP Address ION Internet Port IP Address	Customer or Provider DNS servers
WAN Layer 3 Reachability	ICMP		Outbound	ION Internet Port IP Address	8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
WAN Layer 3 Reachability	TCP	80	Outbound	ION Internet Port IP Address	captive.apple.com clients3.google.com

Switch a Site to Control Mode

Configure Layer 2 Switch Ports