ITM / Endpoint DLP Safelist for Firewall

This topic provides a list of URLs that must be safelisted to ensure full functionality of the Data Security & Posture products.

If no region is specified, the URL applies across regions.

• Outbound URLs

  • Events Sent from the ITM/Endpoint-DLP Win/Mac Agent to the Backend
  • Access for Agent/Updater to Download New Versions
  • Access for Win/Mac Agent to Store Screenshots Remotely in Screenshot Storage
  • Access for CASB Related Components
  • Access for Pendo Analytics to Get Notifications
  • Access for Win/Mac Agent to Upload Logs On-Demand (Log Upload)

• Inbound URLs

  • Network Address Translation (NAT) IPs / Webhook Sources

Outbound URLs

Access to the Web Console

https://<tenant alias>.explore.proofpoint.com

https://app.ap-northeast-1.op1.op.analyze.proofpoint.com

https://app.ap-southeast-2.op1.op.analyze.proofpoint.com

https://app.ca-central-1.op1.op.analyze.proofpoint.com

https://app.eu-central-1.op1.op.analyze.proofpoint.com

https://app.us-east-1-op1.op.analyze.proofpoint.com

https://fonts.googleapis.com

https://fonts.gstatic.com

Events Sent from the ITM/Endpoint-DLP Win/Mac Agent to the Backend

US1: https://api.ingest.oitroot.us-east-1-op1.op.observeit.net

EU1: https://api.ingest.eu-central-1.op1.op.analyze.proofpoint.com

JP1: https://api.ingest.ap-northeast-1.op1.op.analyze.proofpoint.com

AU1: https://api.ingest.ap-southeast-2.op1.op.analyze.proofpoint.com

CA1: https://api.ingest.ca-central-1.op1.op.analyze.proofpoint.com

Access for Agent/Updater to Download New Versions

All regions: https://app.us-east-1-op1.op.analyze.proofpoint.com

Access for Win/Mac Agent to Store Screenshots Remotely in Screenshot Storage

US1: https://oitroot-op1-us-east-1-screenshots.s3.amazonaws.com

EU1: https://oitroot-op1-eu-central-1-screenshots.s3.amazonaws.com

JP1: https://oitroot-op1-ap-northeast-1-screenshots.s3.amazonaws.com

AU1: https://oitroot-op1-ap-southeast-2-screenshots.s3.amazonaws.com

CA1: https://oitroot-op1-ca-central-1-screenshots.s3.amazonaws.com

Access for Various Components to Configuration Defined in Data Classification Application

https://mfe.protect.proofpoint.com

EDM Safelisted URLs

https://auth.proofpoint.com:443

https://flapi-on-k8s.us1.infoprtct.com:443

https://infoprtct-edm-us1.s3.amazonaws.com:443

Access for CASB Related Components

US1: https://flapi-us1.protect.proofpoint.com

EU1: https://flapi-eu2.protect.proofpoint.com

Access for Pendo Analytics to Get Notifications

https://cdn.pendo.io

https://data.pendo.io

https://pendo-static-6281352035696640.storage.googleapis.com

Access for Win/Mac Agent to Upload Logs On-Demand (Log Upload)

US1: https://oitroot-op1-us-east-1-blobstore-01.s3.amazonaws.com

US1: https://oitroot-op1-us-east-1-blobstore-01.s3.us-east-1.amazonaws.com

EU1: https://oitroot-op1-eu-central-1-blobstore-01.s3.amazonaws.com

EU1: https://oitroot-op1-eu-central-1-blobstore-01.s3.eu-central-1.amazonaws.com

JP1: https://oitroot-op1-ap-northeast-1-blobstore-01.s3.amazonaws.com

JP1: https://oitroot-op1-ap-northeast-1-blobstore-01.s3.ap-northeast-1.amazonaws.com

AU1: https://oitroot-op1-ap-southeast-2-blobstore-01.s3.amazonaws.com

AU1: https://oitroot-op1-ap-southeast-2-blobstore-01.s3.ap-southeast-2.amazonaws.com

CA1: https://oitroot-op1-ca-central-1-blobstore-01.s3.amazonaws.com

CA1: https://oitroot-op1-ca-central-1-blobstore-01.s3.ca-central-1.amazonaws.com

Inbound URLs

Network Address Translation (NAT) IPs / Webhook Sources

US1: 3.218.95.86/32

EU1: 3.65.164.110/32

JP1: 175.41.255.139/32

AU1: 54.79.70.208/32

CA1: 52.60.149.202/32

ME1: 40.172.84.247/32

IN1: 13.233.57.141/32

10/08 2025