Reference: Port Numbers Used by Palo Alto Networks Devices
The following tables list the ports that Palo Alto Networks devices use to communicate with each other, or with other services on the network.
Ports Used for Management Functions
Destination Port Protocol Description
22 TCP Used for communication from a client system to the firewall CLI interface.
80 TCP Port the firewall listens on for Online Certificate Status Protocol (OCSP) requests when it is configured to act as an OCSP responder. Only open it toward the clients that need to check certificate status against the firewall.
123 UDP Port the firewall uses for NTP updates.
443 TCP Used for communication from a client system to the firewall web interface. This is also the port the firewall and/or the User-ID agent uses to reach VM Information Sources. For monitoring an AWS environment, 443 is the only port used. For monitoring a VMware vCenter/ESXi environment, the port on the source defaults to 443 but is configurable.
162 UDP Port the firewall, Panorama, or the log collector uses to send SNMP traps to an SNMP trap receiver. This port does not need to be open inbound on the Palo Alto Networks device; the SNMP trap receiver must be configured to listen on it.
161 UDP Port the firewall listens on for SNMP polling requests from the NMS.
514 TCP, 514 UDP, 6514 SSL (syslog over TLS) Ports the firewall, Panorama, or the log collector uses to send logs to a Syslog server, and the ports the User-ID agent (on the firewall or on a Windows server) listens on for authentication Syslog messages for use with User-ID.
2055 UDP Default port the firewall uses to send NetFlow records, but this is configurable.
5008 TCP Port the GlobalProtect Mobile Security Manager listens on for HIP requests from the GlobalProtect gateways. If you are using a third-party MDM system, you can configure the gateway to use a different port as required by the MDM vendor.
6081 TCP, 6082 TCP Ports used for Captive Portal (6081 for transparent mode, 6082 for redirect mode).
Ports Used for HA
Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain state information (HA1 control link) and synchronize data (HA2 data link). In Active/Active HA deployments the peer firewalls must also forward packets to the HA peer that owns the session; this uses the HA3 link. The HA3 link is a Layer 2 (MAC-in-MAC) link and does not support Layer 3 addressing or encryption, so it must be a dedicated, physically protected segment.
Destination Port Protocol Description
28769 TCP, 28260 TCP Used for the HA1 control link for clear text communication between the HA peer firewalls. The HA1 link is a Layer 3 link and requires an IP address.
28 TCP Used for the HA1 control link for encrypted communication (SSH over TCP) between the HA peer firewalls.
28770 TCP Listening port for HA1 backup links.
28771 TCP Used for heartbeat backups. Palo Alto Networks recommends enabling heartbeat backup on the MGT interface if you use an in-band port for the HA1 or the HA1 backup links.
IP protocol 99, UDP 29281 Used for the HA2 link to synchronize sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive): it flows from the active device (Active/Passive) or active-primary (Active/Active) to the passive device (Active/Passive) or active-secondary (Active/Active). By default the HA2 link is a Layer 2 link using ether type 0x7261. The HA data link can instead be configured to use IP (protocol number 99) or UDP (port 29281) as the transport, which allows the HA data link to span subnets. None of the three transports encrypts the synchronized state, so whatever segment carries HA2 must be treated as trusted.
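When verifying what actually crosses the HA2 segment (for example, to confirm a migration from the Layer 2 transport to UDP, or to check that nothing but HA2 traffic is present), it helps to classify frames by the three transports the table describes. The following is an added example, not code from the page or from Palo Alto Networks: it parses raw Ethernet frames, matches ether type 0x7261, IP protocol 99, or UDP destination port 29281, and counts them. The sample frames are constructed inline with made-up MAC and IP addresses; the HA2 payload bytes are placeholders, since the page does not describe the HA2 payload format.

```python
import ipaddress
import struct
from collections import Counter

# Constants taken from the HA2 row of the table above.
ETHERTYPE_HA2 = 0x7261    # default Layer 2 HA2 ether type
ETHERTYPE_IPV4 = 0x0800
IPPROTO_HA2 = 99          # HA2 over IP (protocol number 99)
IPPROTO_UDP = 17
HA2_UDP_PORT = 29281      # HA2 over UDP


def classify_ha2_frame(frame: bytes) -> str:
    """Classify a raw Ethernet frame as 'ha2-l2', 'ha2-ip', 'ha2-udp' or 'other'."""
    if len(frame) < 14:
        return "other"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_HA2:
        return "ha2-l2"
    if ethertype != ETHERTYPE_IPV4:
        return "other"
    ip = frame[14:]
    if len(ip) < 20:
        return "other"
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        return "other"
    proto = ip[9]
    if proto == IPPROTO_HA2:
        return "ha2-ip"
    if proto == IPPROTO_UDP and len(ip) >= ihl + 8:
        _sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if dport == HA2_UDP_PORT:
            return "ha2-udp"
    return "other"


def ha2_summary(frames) -> dict:
    """Count frames per HA2 transport; anything under 'other' does not belong on a dedicated HA2 link."""
    return dict(Counter(classify_ha2_frame(f) for f in frames))


# --- constructed sample frames (made up for this example, not captured from a device) ---
def eth(ethertype: int, payload: bytes,
        dst=b"\x00\x1b\x17\x00\x00\x02", src=b"\x00\x1b\x17\x00\x00\x01") -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Minimal IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (0), src, dst.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLE_FRAMES = [
    eth(ETHERTYPE_HA2, b"\x00" * 32),                                                   # Layer 2 HA2
    eth(ETHERTYPE_IPV4, ipv4("10.0.0.1", "10.0.1.1", IPPROTO_HA2, b"\x00" * 32)),       # HA2 over IP 99
    eth(ETHERTYPE_IPV4, ipv4("10.0.0.1", "10.0.1.1", IPPROTO_UDP,
                             udp(HA2_UDP_PORT, HA2_UDP_PORT, b"\x00" * 32))),          # HA2 over UDP 29281
    eth(ETHERTYPE_IPV4, ipv4("10.0.0.1", "10.0.1.1", IPPROTO_UDP, udp(40000, 53, b"\x00" * 12))),  # stray DNS
    eth(0x0806, b"\x00" * 28),                                                           # ARP
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify_ha2_frame(f))
    print(ha2_summary(SAMPLE_FRAMES))
```

Feed it the frames from a capture on the HA2 interface (for example, read with a pcap library) and anything reported as `other` is traffic that should not be on that link.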
Ports Used for Panorama
Destination Port Protocol Description
22 TCP Used for communication from a client system to the Panorama CLI interface.
443 TCP Used for communication from a client system to the Panorama web interface.
3978 TCP Used for communication between Panorama and managed devices and/or managed log collectors, and between log collectors in a collector group, as follows. Between Panorama and managed devices this is a bi-directional connection on which the managed firewalls forward logs to Panorama and Panorama pushes configuration changes to the managed devices; context switching commands are sent over the same connection. Log collectors use this destination port to forward logs to Panorama. The same port carries communication between Panorama and its default (local) log collector when Panorama runs in Panorama mode, and between Panorama and Dedicated Log Collectors (DLC).
28769 TCP (PAN-OS 5.1 and later), 28260 TCP (5.0 and later), 49160 TCP (5.0 and earlier) Used for HA connectivity and synchronization between Panorama HA peers using clear text communication. Communication can be initiated by either peer.
28 TCP Used for the HA connectivity and synchronization between Panorama HA peers using encrypted communication (SSH over TCP). Communication can be initiated by either peer.
28270 TCP (6.0 and later), 49190 TCP (5.1 and earlier) Used for communication between log collectors in a collector group for log distribution.
2049 TCP Used by the Panorama virtual appliance to write logs to the NFS datastore.
Ports Used for User-ID
User-ID is a feature that enables mapping of user IP addresses to usernames and group memberships, enabling user- or group-based policy and visibility into user activity on your network (for example, to be able to quickly track down a user who may be the victim of a threat). To perform this mapping, the firewall, the User-ID agent (either installed on a Windows-based system or the PAN-OS integrated agent running on the firewall), and/or the Terminal Services agent must be able to connect to directory services on your network to perform Group Mapping and User Mapping. Additionally, if the agents are running on systems external to the firewall, they must be able to connect to the firewall to communicate the IP address to username mappings to the firewall. The following table lists the communication requirements for User-ID along with the port numbers required to establish connections.
Destination Port Protocol Description
389 TCP Port the firewall uses to connect to the LDAP server (plaintext or StartTLS) in order to Map Users to Groups.
636 TCP Port the firewall uses to connect to the LDAP server over LDAP over SSL (LDAPS) in order to Map Users to Groups.
514 TCP, 514 UDP, 6514 SSL (syslog over TLS) Ports the User-ID agent (on the firewall or on a Windows server) listens on for authentication Syslog messages for use with User-ID.
5007 TCP Port the firewall listens on for user mapping information from the User-ID or Terminal Server agent. The agent sends the IP address and username mapping along with a timestamp whenever it learns of a new or updated mapping. In addition, it connects to the firewall at regular intervals to refresh known mappings.
5006 TCP Port the User-ID agent listens on for User-ID XML API requests. The source for this communication is typically the system running a script that invokes the API.
88 UDP Port the User-ID agent uses to authenticate to a Kerberos server.
1812 UDP Port the User-ID agent uses to authenticate to a RADIUS server.
135 TCP Port the User-ID agent uses to establish TCP-based WMI connections with the Microsoft Remote Procedure Call (RPC) Endpoint Mapper. The Endpoint Mapper then assigns the agent a dynamically allocated port in the 49152-65535 range, so that range must also be reachable from the agent. The agent uses this connection to make RPC queries for Exchange Server or AD server security logs and session tables. This is also the port used to access Terminal Services. The User-ID agent also uses this port to connect to client systems to perform WMI probes.
139 TCP Port the User-ID agent uses to establish TCP-based NetBIOS connections to the AD server so that it can send RPC queries for security logs and session information. The User-ID agent also uses this port to connect to client systems for NetBIOS probing (supported on the Windows-based User-ID agent only).
445 TCP Port the User-ID agent uses to connect to the Active Directory (AD) using TCP-based SMB connections to the AD server for access to user logon information (print spooler and Net Logon).
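The 5006/TCP row describes the User-ID agent's XML API listener, which is typically fed by a script. Because every mapping submitted there becomes a policy match criterion on the firewall, the script building the message has to validate what it sends: a username or IP taken from an untrusted source must not be able to inject XML or map an attacker-chosen address to a privileged user. The following is an added example, not code from the page or from Palo Alto Networks. It builds a User-ID XML API `uid-message` update with login and logout entries via ElementTree (so values are escaped, not string-concatenated), parses it back for self-checking, and delivers it over a plain TCP socket to port 5006. The sample usernames and addresses are constructed; `send_to_agent` assumes the agent accepts the raw XML document on that socket, which the page does not state, so check the agent's XML API documentation for framing and authentication before relying on it.

```python
import ipaddress
import socket
import xml.etree.ElementTree as ET

UID_AGENT_PORT = 5006   # User-ID agent XML API listener (from the table above)


def _check_ip(ip: str) -> str:
    addr = ipaddress.ip_address(ip)          # raises ValueError on anything that is not an address
    if addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"refusing to map non-host address {ip}")
    return str(addr)


def _check_user(user: str) -> str:
    # domain\user or a plain username; keep the character set tight because
    # this value ends up as a user-based policy match on the firewall.
    if not user or len(user) > 255 or any(c in user for c in '<>"\'&\n\r'):
        raise ValueError(f"bad username {user!r}")
    return user


def build_uid_message(logins, logouts=(), timeout_min: int = 20) -> bytes:
    """Build a User-ID XML API 'update' message.

    logins and logouts are iterables of (username, ip) tuples. Each value is
    validated and inserted through ElementTree, so an input such as
    'x" ip="10.0.0.1' cannot add attributes or elements to the document.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip in logins:
            ET.SubElement(login, "entry", name=_check_user(user), ip=_check_ip(ip),
                          timeout=str(int(timeout_min)))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout, "entry", name=_check_user(user), ip=_check_ip(ip))
    return ET.tostring(root, encoding="utf-8")


def parse_uid_message(data: bytes) -> dict:
    """Self-check: return {'login': [(user, ip, timeout)], 'logout': [(user, ip)]} from a uid-message."""
    root = ET.fromstring(data)
    if root.tag != "uid-message" or root.findtext("type") != "update":
        raise ValueError("not a uid-message update")
    out = {"login": [], "logout": []}
    for e in root.iterfind("./payload/login/entry"):
        out["login"].append((e.get("name"), e.get("ip"), int(e.get("timeout", "0"))))
    for e in root.iterfind("./payload/logout/entry"):
        out["logout"].append((e.get("name"), e.get("ip")))
    return out


def is_rejected(logins) -> bool:
    """True when build_uid_message refuses the given login entries."""
    try:
        build_uid_message(logins)
        return False
    except ValueError:
        return True


def send_to_agent(host: str, message: bytes, port: int = UID_AGENT_PORT, timeout_s: float = 5.0) -> None:
    """Deliver the message to the User-ID agent over TCP.

    Assumption (not from the page): the agent accepts the raw XML document on
    this socket; confirm framing and authentication against the agent docs.
    """
    with socket.create_connection((host, port), timeout=timeout_s) as s:
        s.sendall(message)


if __name__ == "__main__":
    # Constructed sample mappings; "uid-agent.example.internal" is a placeholder host.
    msg = build_uid_message([("corp\\alice", "10.1.1.23")], [("corp\\bob", "10.1.1.24")])
    print(msg.decode())
    print(parse_uid_message(msg))
    # send_to_agent("uid-agent.example.internal", msg)
```

Restrict the source of this traffic on the network: only the hosts that run such scripts should be able to reach the agent on 5006, since anyone who can submit an update can change which user the firewall believes is behind an address.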