Reference: Port Number Usage
The following tables list the ports that firewalls and Panorama use to communicate with each other, or with other services on the network.
Ports Used for Management Functions
The firewall and Panorama use the following ports for management functions.
Destination port/protocol: description
22/TCP: Used for communication from a client system to the firewall CLI interface.
80/TCP: The port the firewall listens on for Online Certificate Status Protocol (OCSP) updates when acting as an OCSP responder.
123/UDP: Port the firewall uses for NTP updates.
443/TCP: Used for communication from a client system to the firewall web interface. This is also the port the firewall and User-ID agent listen on for VM Information source updates. For monitoring an AWS environment, this is the only port that is used. For monitoring a VMware vCenter/ESXi environment, the listening port defaults to 443, but it is configurable.
162/UDP: Port the firewall, Panorama, or a Log Collector uses to forward traps to an SNMP manager. This port does not need to be open on the Palo Alto Networks firewall. You must configure the Simple Network Management Protocol (SNMP) manager to listen on this port. For details, refer to the documentation of your SNMP management software.
161/UDP: Port the firewall listens on for polling requests (GET messages) from the SNMP manager.
514/TCP, 514/UDP, 6514/SSL: Ports that the firewall, Panorama, or a Log Collector uses to send logs to a syslog server if you Configure Syslog Monitoring, and the ports that the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages if you Configure User-ID to Receive User Mappings from a Syslog Sender.
2055/UDP: Default port the firewall uses to send NetFlow records to a NetFlow collector if you Configure NetFlow Exports; this port is configurable.
5008/TCP: Port the GlobalProtect Mobile Security Manager listens on for HIP requests from the GlobalProtect gateways. If you are using a third-party MDM system, you can configure the gateway to use a different port as required by the MDM vendor.
6080/TCP, 6081/TCP, 6082/TCP: Ports used for Captive Portal: 6080 for NT LAN Manager (NTLM) authentication, 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode.
Ports Used for HA
Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain state information (HA1 control link) and synchronize data (HA2 data link). In Active/Active HA deployments the peer firewalls must also forward packets to the HA peer that owns the session. The HA3 link is a Layer 2 (MAC-in-MAC) link and it does not support Layer 3 addressing or encryption.
Destination port/protocol: description
28769/TCP, 28260/TCP: Used for the HA1 control link for clear text communication between the HA peer firewalls. The HA1 link is a Layer 3 link and requires an IP address.
28/TCP: Used for the HA1 control link for encrypted communication (SSH over TCP) between the HA peer firewalls.
28770/TCP: Listening port for HA1 backup links.
28771/TCP: Used for heartbeat backups. Palo Alto Networks recommends enabling heartbeat backup on the MGT interface if you use an in-band port for the HA1 or the HA1 backup links.
IP protocol 99, 29281/UDP: Used for the HA2 link to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active firewall (Active/Passive) or active-primary (Active/Active) to the passive firewall (Active/Passive) or active-secondary (Active/Active). The HA2 link is a Layer 2 link, and it uses ether type 0x7261 by default. The HA data link can also be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, which allows the HA data link to span subnets.
Ports Used for Panorama
Panorama uses the following ports.
Destination port/protocol: description
22/TCP: Used for communication from a client system to the Panorama CLI interface.
443/TCP: Used for communication from a client system to the Panorama web interface.
3978/TCP: Used for communication between Panorama and managed firewalls or managed collectors, as well as for communication among managed collectors in a Collector Group. For communication between Panorama and firewalls, this is a bi-directional connection on which the firewalls forward logs to Panorama and Panorama pushes configuration changes to the firewalls; context switching commands are sent over the same connection. Log Collectors use this destination port to forward logs to Panorama. It is also used for communication with the default Log Collector on an M-Series appliance in Panorama mode and with Dedicated Log Collectors (M-Series appliances in Log Collector mode).
28769/TCP (5.1 and later), 28260/TCP (5.0 and later), 49160/TCP (5.0 and earlier): Used for the HA connectivity and synchronization between Panorama HA peers using clear text communication. Communication can be initiated by either peer.
28/TCP: Used for the HA connectivity and synchronization between Panorama HA peers using encrypted communication (SSH over TCP). Communication can be initiated by either peer.
28270/TCP (6.0 and later), 49190/TCP (5.1 and earlier): Used for communication among Log Collectors in a Collector Group for log distribution.
2049/TCP: Used by the Panorama virtual appliance to write logs to the NFS datastore.
Ports Used for GlobalProtect
GlobalProtect uses the following ports.
Destination port/protocol: description
443/TCP: Used for communication between GlobalProtect agents and portals, or GlobalProtect agents and gateways, and for SSL tunnel connections. GlobalProtect gateways also use this port to collect host information from GlobalProtect agents and perform host information profile (HIP) checks.
4501/UDP: Used for IPSec tunnel connections between GlobalProtect agents and gateways.
For tips on how to use a loopback interface to provide access to GlobalProtect on different ports and addresses, refer to the article Can GlobalProtect Portal Page be Configured to be Accessed on any Port?
Ports Used for User-ID
User-ID is a feature that enables mapping of user IP addresses to usernames and group memberships, enabling user- or group-based policy and visibility into user activity on your network (for example, to be able to quickly track down a user who may be the victim of a threat). To perform this mapping, the firewall, the User-ID agent (either installed on a Windows-based system or the PAN-OS integrated agent running on the firewall), and/or the Terminal Services agent must be able to connect to directory services on your network to perform Group Mapping and User Mapping. Additionally, if the agents are running on systems external to the firewall, they must be able to connect to the firewall to communicate the IP address to username mappings to the firewall. The following table lists the communication requirements for User-ID along with the port numbers required to establish connections.
Destination port/protocol: description
389/TCP: Port the firewall uses to connect to an LDAP server (plaintext or Start Transport Layer Security (Start TLS)) to Map Users to Groups.
3268/TCP: Port the firewall uses to connect to an Active Directory global catalog server (plaintext or Start TLS) to Map Users to Groups.
636/TCP: Port the firewall uses for LDAP over SSL connections with an LDAP server to Map Users to Groups.
3269/TCP: Port the firewall uses for LDAP over SSL connections with an Active Directory global catalog server to Map Users to Groups.
514/TCP, 514/UDP, 6514/SSL: Ports the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages if you Configure User-ID to Receive User Mappings from a Syslog Sender.
5007/TCP: Port the firewall listens on for user mapping information from the User-ID or Terminal Services agent. The agent sends the IP address and username mapping along with a timestamp whenever it learns of a new or updated mapping. In addition, it connects to the firewall at regular intervals to refresh known mappings.
5006/TCP: Port the User-ID agent listens on for XML API requests. The source for this communication is typically the system running a script that invokes the API.
88/UDP, 88/TCP: Port the User-ID agent uses to authenticate to a Kerberos server. The firewall tries UDP first and falls back to TCP.
1812/UDP: Port the User-ID agent uses to authenticate to a RADIUS server.
49/TCP: Port the User-ID agent uses to authenticate to a TACACS+ server.
135/TCP: Port the User-ID agent uses to establish TCP-based WMI connections with the Microsoft Remote Procedure Call (RPC) Endpoint Mapper. The Endpoint Mapper then assigns the agent a randomly assigned port in the 49152-65535 port range. The agent uses this connection to make RPC queries for Exchange Server or AD server security logs and session tables. This is also the port used to access Terminal Services. The User-ID agent also uses this port to connect to client systems to perform Windows Management Instrumentation (WMI) probing.
139/TCP: Port the User-ID agent uses to establish TCP-based NetBIOS connections to the AD server so that it can send RPC queries for security logs and session information. The User-ID agent also uses this port to connect to client systems for NetBIOS probing (supported on the Windows-based User-ID agent only).
445/TCP: Port the User-ID agent uses to establish TCP-based SMB connections to the Active Directory (AD) server for access to user logon information (print spooler and Net Logon).
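As an added example (not part of this documentation or any Palo Alto Networks tool), the following Python script checks a constructed firewall rule set against the User-ID agent flows listed in the table above, including Kerberos on both UDP and TCP and the dynamic 49152-65535 RPC range that follows the port 135 Endpoint Mapper exchange. The host names (uid-agent, dc01, fw01) and the rules are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # source host (constructed names)
    dst: str      # destination host
    proto: str    # "tcp" or "udp"
    low: int      # inclusive destination port range
    high: int

# Flows the User-ID table requires, as (proto, low, high, purpose).
AGENT_TO_AD = [
    ("tcp", 389, 389, "LDAP group mapping (plaintext or Start TLS)"),
    ("tcp", 636, 636, "LDAP over SSL group mapping"),
    ("udp", 88, 88, "Kerberos (tried first)"),
    ("tcp", 88, 88, "Kerberos (fallback)"),
    ("tcp", 135, 135, "RPC Endpoint Mapper for WMI"),
    ("tcp", 49152, 65535, "dynamic RPC port assigned by the Endpoint Mapper"),
    ("tcp", 139, 139, "NetBIOS for security-log RPC queries"),
    ("tcp", 445, 445, "SMB for print spooler and Net Logon"),
]
AGENT_TO_FW = [("tcp", 5007, 5007, "IP-to-username mappings to the firewall")]

def covered(rules, src, dst, proto, low, high):
    """True if a single rule allows src->dst on proto for the whole port range."""
    return any(r.src == src and r.dst == dst and r.proto == proto
               and r.low <= low and r.high >= high for r in rules)

def missing_flows(rules, agent, ad_server, firewall):
    """Return the required flows that the rule set does not permit."""
    gaps = []
    for dst, flows in ((ad_server, AGENT_TO_AD), (firewall, AGENT_TO_FW)):
        for proto, low, high, why in flows:
            if not covered(rules, agent, dst, proto, low, high):
                gaps.append(f"{agent}->{dst} {proto}/{low}-{high} ({why})")
    return gaps

# Constructed rule set: Kerberos is allowed over TCP only and the dynamic
# RPC range is cut short, so UDP Kerberos and some WMI queries would fail.
RULES = [
    Rule("uid-agent", "dc01", "tcp", 389, 389),
    Rule("uid-agent", "dc01", "tcp", 636, 636),
    Rule("uid-agent", "dc01", "tcp", 88, 88),
    Rule("uid-agent", "dc01", "tcp", 135, 135),
    Rule("uid-agent", "dc01", "tcp", 49152, 60000),
    Rule("uid-agent", "dc01", "tcp", 139, 139),
    Rule("uid-agent", "dc01", "tcp", 445, 445),
    Rule("uid-agent", "fw01", "tcp", 5007, 5007),
]
```

Calling missing_flows(RULES, "uid-agent", "dc01", "fw01") reports the two gaps in the constructed rule set: udp/88 and the truncated tcp/49152-65535 range.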