Device Management Reference: Port Numbers Used by Palo Alto Networks Devices

Reference: Port Numbers Used by Palo Alto Networks

Devices
The following tables list the ports that Palo Alto Networks devices use to communicate with each other, or with
other services on the network.
Ports Used for Management Functions
Ports Used for HA
Ports Used for Panorama
Ports Used for User-ID

Ports Used for Management Functions

Destination Protocol Description

Port

22 TCP Used for communication from a client system to the firewall CLI interface.
80 TCP The port the firewall listens on for Open Certificate Status Protocol (OCSP)
updates when acting as an OCSP responder.
123 UDP Port the firewall uses for NTP updates.
443 TCP Used for communication from a client system to the firewall web interface. This is
also the port the firewall and User-ID agent listens on for VM Information source
updates.
For monitoring an AWS environment, this is the only port that is used.
For monitoring a VMware vCenter/ESXi environment, the listening port defaults
to 443, but it is configurable.
162 UDP Port the firewall, Panorama, or a Log Collector uses to Forward Traps to an SNMP
Manager.
This port doesnt need to be open on the Palo Alto Networks device. You
must configure the Simple Network Management Protocol (SNMP)
manager to listen on this port. For details, refer to the documentation of
your SNMP management software.
161 UDP Port the firewall listens on for polling requests (GET messages) from the SNMP
manager.
514 TCP Port that the firewall, Panorama, or a Log Collector uses to send logs to a syslog
server if you Configure Syslog Monitoring, and the ports that the PAN-OS
514 UDP
integrated User-ID agent or Windows-based User-ID agent listens on for
6514 SSL authentication syslog messages if you Configure User-ID to Receive User Mappings
from a Syslog Sender.
2055 UDP Default port the firewall uses to send NetFlow records to a NetFlow collector if you
Configure NetFlow Exports, but this is configurable.

Palo Alto Networks PAN-OS 7.0 Administrators Guide 123

Reference: Port Numbers Used by Palo Alto Networks Devices Device Management

Destination Protocol Description

Port

5008 TCP Port the GlobalProtect Mobile Security Manager listens on for HIP requests from
the GlobalProtect gateways.
If you are using a third-party MDM system, you can configure the gateway to use a
different port as required by the MDM vendor.
6080 TCP Ports used for Captive Portal: 6080 for NT LAN Manager (NTLM) authentication,
6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect
6081 TCP
mode.
6082 TCP

Ports Used for HA

Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain
state information (HA1 control link) and synchronize data (HA2 data link). In Active/Active HA deployments
the peer firewalls must also forward packets to the HA peer that owns the session. The HA3 link is a Layer 2
(MAC-in-MAC) link and it does not support Layer 3 addressing or encryption.

Destination Protocol Description

Port

28769 TCP Used for the HA1 control link for clear text communication between the HA peer
firewalls. The HA1 link is a Layer 3 link and requires an IP address.
28260 TCP

28 TCP Used for the HA1 control link for encrypted communication (SSH over TCP)
between the HA peer firewalls.
28770 TCP Listening port for HA1 backup links.
28771 TCP Used for heartbeat backups. Palo Alto Networks recommends enabling heartbeat
backup on the MGT interface if you use an in-band port for the HA1 or the HA1
backup links.
99 IP Used for the HA2 link to synchronize sessions, forwarding tables, IPSec security
associations and ARP tables between firewalls in an HA pair. Data flow on the HA2
29281 UDP
link is always unidirectional (except for the HA2 keep-alive); it flows from the active
device (Active/Passive) or active-primary (Active/Active) to the passive device
(Active/Passive) or active-secondary (Active/Active). The HA2 link is a Layer 2
link, and it uses ether type 0x7261 by default.
The HA data link can also be configured to use either IP (protocol number 99) or
UDP (port 29281) as the transport, and thereby allow the HA data link to span
subnets.

124 PAN-OS 7.0 Administrators Guide Palo Alto Networks

Device Management Reference: Port Numbers Used by Palo Alto Networks Devices

Ports Used for Panorama

Destination Port Protocol Description

22 TCP Used for communication from a client system to the Panorama CLI interface.
443 TCP Used for communication from a client system to the Panorama web interface.
3978 TCP Used for communication between Panorama and managed devices (firewalls and
Log Collectors) as well as for communication among Log Collectors in a Collector
Group:
For communication between Panorama and firewalls, this is a bi-directional
connection on which the firewalls forward logs to Panorama and Panorama
pushes configuration changes to the firewalls. Context switching commands are
sent over the same connection.
Log Collectors use this destination port to forward logs to Panorama.
For communication with the default Log Collector on an M-Series appliance in
Panorama mode and with Dedicated Log Collectors (M-Series appliances in Log
Collector mode).
28769 (5.1 and later) TCP Used for the HA connectivity and synchronization between Panorama HA peers
using clear text communication. Communication can be initiated by either peer.
28260 (5.0 and later) TCP

49160 (5.0 and earlier) TCP

28 TCP Used for the HA connectivity and synchronization between Panorama HA peers
using encrypted communication (SSH over TCP). Communication can be initiated
by either peer.
28270 (6.0 and later) TCP Used for communication among Log Collectors in a Collector Group for log
distribution.
49190 (5.1 and earlier)

2049 TCP Used by the Panorama virtual appliance to write logs to the NFS datastore.

Palo Alto Networks PAN-OS 7.0 Administrators Guide 125

Reference: Port Numbers Used by Palo Alto Networks Devices Device Management

Ports Used for User-ID

User-ID is a feature that enables mapping of user IP addresses to usernames and group memberships, enabling
user- or group-based policy and visibility into user activity on your network (for example, to be able to quickly
track down a user who may be the victim of a threat). To perform this mapping, the firewall, the User-ID agent
(either installed on a Windows-based system or the PAN-OS integrated agent running on the firewall), and/or
the Terminal Services agent must be able to connect to directory services on your network to perform Group
Mapping and User Mapping. Additionally, if the agents are running on systems external to the firewall, they must
be able to connect to the firewall to communicate the IP address to username mappings to the firewall. The
following table lists the communication requirements for User-ID along with the port numbers required to
establish connections.

Destination Protocol Description

Port

389 TCP Port the firewall uses to connect to an LDAP server (plaintext or Start Transport
Layer Security (Start TLS) to Map Users to Groups.
3268 TCP Port the firewall uses to connect to an Active Directory global catalog server
(plaintext or Start TLS) to Map Users to Groups.
636 TCP Port the firewall uses for LDAP over SSL connections with an LDAP server to Map
Users to Groups.
3269 TCP Port the firewall uses for LDAP over SSL connections with an Active Directory
global catalog server to Map Users to Groups.
514 TCP Port the PAN-OS integrated User-ID agent or Windows-based User-ID agent
listens on for authentication syslog messages if you Configure User-ID to Receive
514 UDP
User Mappings from a Syslog Sender.
6514 SSL

5007 TCP Port the firewall listens on for user mapping information from the User-ID or
Terminal Server agent. The agent sends the IP address and username mapping
along with a timestamp whenever it learns of a new or updated mapping. In
addition, it connects to the firewall at regular intervals to refresh known mappings.
5006 TCP Port the User-ID agent listens on for User-ID XML API requests. The source for
this communication is typically the system running a script that invokes the API.
88 UDP/TCP Port the User-ID agent uses to authenticate to a Kerberos server. The device tries
UDP first and falls back to TCP.
1812 UDP Port the User-ID agent uses to authenticate to a RADIUS server.
49 TCP Port the User-ID agent uses to authenticate to a TACACS+ server.

126 PAN-OS 7.0 Administrators Guide Palo Alto Networks

Device Management Reference: Port Numbers Used by Palo Alto Networks Devices

Destination Protocol Description

Port

135 TCP Port the User-ID agent uses to establish TCP-based WMI connections with the
Microsoft Remote Procedure Call (RPC) Endpoint Mapper. The Endpoint Mapper
then assigns the agent a randomly assigned port in the 49152-65535 port range. The
agent uses this connection to make RPC queries for Exchange Server or AD server
security logs, session tables. This is also the port used to access Terminal Services.
The User-ID agent also uses this port to connect to client systems to perform
Windows Management Instrumentation (WMI) probing.
139 TCP Port the User-ID agent uses to establish TCP-based NetBIOS connections to the
AD server so that it can send RPC queries for security logs and session information.
The User-ID agent also uses this port to connect to client systems for NetBIOS
probing (supported on the Windows-based User-ID agent only).
445 TCP Port the User-ID agent uses to connect to the Active Directory (AD) using
TCP-based SMB connections to the AD server for access to user logon
information (print spooler and Net Logon).

Palo Alto Networks PAN-OS 7.0 Administrators Guide 127

This document was created with the Win2PDF print to PDF printer available at
http://www.win2pdf.com
This version of Win2PDF 10 is for evaluation and non-commercial use only.
This page will not be added after purchasing Win2PDF.
http://www.win2pdf.com/purchase/