License and Install the Cloud Services Plugin

The following procedure walks you through the steps to license, download, and install the Cloud Services plugin on Panorama. In order to configure the firewalls to send logs to the Cortex Data Lake, you require the following components:
  • Panorama virtual appliance or hardware-based Panorama appliance running Panorama 8.0.6 or later. Panorama must have an active premium support license, and a device management license for managing firewalls.
    Panorama is required to provision the certificate that the firewalls need to securely connect to the Cortex Data Lake. Therefore, only firewalls that are managed by Panorama can forward logs to the Cortex Data Lake.
    Panorama or a next-generation firewall cannot connect to the Cortex Data Lake behind a proxy. Cortex Data Lake requires mutual authentication and thus cannot be behind a proxy.
  • Cloud services plugin. You must install the Cloud Services plugin on Panorama to enable the Cortex Data Lake infrastucture.
  • Next-generation firewalls with a valid support license that are managed by Panorama and are running PAN-OS 8.0.6 or later. Version 8.1.3 or later is recommended if you want to collect enhanced application logs for Magnifier.
  • Cortex Data Lake license, in addition to the device management and premium support license for Panorama. When you license the Cortex Data Lake, all firewalls registered to your support account receive a Cortex Data Lake license. You can then use Panorama templates and device groups to configure the firewalls to forward logs to the Cortex Data Lake.
    In this release, the Cortex Data Lake license provisions the service in one theatre/region only (for example, Europe or Americas). If you want the firewalls that belong to one template to send logs to one theatre and the firewalls that belong to another template to send logs to a different theatre, you will need two Panorama appliances and two Cortex Data Lake licenses.
  1. To set up Panorama, install the Panorama virtual appliance and perform initial configuration, or set up the M-Series appliance.
    You must configure DNS server(s) and an NTP server rather than setting the date and time manually so that Panorama can stay in sync with the Cortex Data Lake.
    • To configure NTP, select PanoramaSetupServicesNTP. Set a value for the NTP server, for example pool.ntp.org
    • To configure DNS servers, select PanoramaSetupServices and enter a value for the primary and optionally for the secondary DNS servers.
  2. Register Panorama and activate the support license.
    1. Log in to the Customer Support Portal (CSP) and select AssetsDevicesRegister New Device.
    2. Select Register device using Serial Number or Authorization Code, and click Submit.
    3. Enter the Panorama Serial Number provided in the email you received with your order fulfillment along with the required Location Information (as indicated by the asterisks) and then Agree and Submit the EULA.
      After you see the registration complete message, close the Device Registration dialog.
    4. Find the Panorama instance you just registered and click the corresponding edit button in the Actions column.
    5. To activate the Support license, select Activate Auth-Code and then enter the Support Authorization Code you received in the email and Agree and Submit.
  3. Activate the Cortex Data Lake.
    1. Log in to the Customer Support Portal (CSP) and select AssetsCloud ServicesActivate Cloud Services Auth-Code.
    2. To license the Cortex Data Lake, enter the Authorization code you received in the email, select the Panorama Serial Number for the Panorama you plan to use, and select the Logging Region. Then Agree and Submit the EULA.
      csp-tie-panorama-logging-services.png
      After you see the registration complete message, close the Device Registration dialog.
  4. Verify the Quantity and Part Description of the Cortex Data Lake (named Logging Service below) license you just activated.
    csp-verify-purchase.png
  5. Retrieve the Cortex Data Lake and support license on Panorama.
    1. Select PanoramaLicenses and click Retrieve license keys from license server.
    2. Verify that you see the Cortex Data Lake license and the support license.
      logging-service-license-appliedd.png
  6. Download and install the Cloud Services plugin:
    The way you download and install the plugin depends on whether you are using Panorama 8.0.6 or later or Panorama 8.1.0 or later.
    On Panorama 8.0.x:
    1. Log in to the Customer Support Portal and select UpdatesSoftware Updates.
    2. Find the Cloud Services plugin version 1.2.0-h2 or later in the Panorama Integration Plug In section and download it to your local system. Plugin versions 1.0.x are no longer supported on any version of Panorama.
      csp-plugin-download.png
      Do not rename the plugin file or you will not be able to install it on Panorama.
    3. To install the plugin, log in to the Panorama Web Interface of the Panorama you selected when you licensed the GlobalProtect cloud service, select PanoramaPluginsUpload and Browse for the plugin File that you downloaded from the CSP.
    4. Install the plugin.
    On Panorama 8.1.0 and later:
    On Panorama 8.1.0 or later, you can either download the plugin from the CSP and then upload it to Panorama, or you can check for plugin updates directly from Panorama as follows:
    1. Select PanoramaPlugins and click Check Now to display the latest cloud_services plugin updates.
      plugin-updates.png
    2. Download plugin version 1.2.0-h2.
      Plugin versions 1.0.x are no longer supported on any version of Panorama.
    3. After downloading the plugin, Install it.
    Installing a newer version of the Cloud Services plugin overwrites the previously installed version. If you are installing the plugin for the first time, after you successfully install, Panorama refreshes and the Cloud Services menu displays on the Panorama tab.
    plugin-installed.png
  7. Verify your account. You must be a super user on the CSP to generate the one-time password required to verify your account.
    When you try to use the Cloud Services plugin for the first time after installing it, you will be prompted to verify your account. This step ensures that the Panorama serial number is registered to use the Cortex Data Lake, and enables a secure communication path between the Cortex Data Lake and Panorama.
    1. Log in to the Palo Alto Networks Customer Support Portal (CSP) as a super user and select AssetsCloud Services.
    2. Click Generate OTP.
      csp-otp.PNG
    3. Select the serial number for the Panorama where you installed the Cloud Services plugin and click Generate OTP.
    4. Click Copy to Clipboard.
      You have ten minutes to enter the OTP before it expires.
    5. Go back to Panorama and click PanoramaCloud ServicesStatus to display the Verify Account dialog.
    6. Paste the OTP you just generated and click Verify.
      If Verify is disabled, check that you have configured both a DNS server and an NTP server on PanoramaSetupServices.
  8. Verify the connection status between Panorama and the Cortex Data Lake.
    You can use the Panorama CLI or the Panorama web interface with cloud service plugin 1.2 or later to verify that the connection was successful.
    • Use the following CLI command:
      admin@Panorama>
      
      
      
      show plugins cloud_services status logging-service
      pass{"@status": "success", .....
    • Select PanoramaCloud ServicesStatusStatus, and click the details link to verify that Panorama was able to successfully retrieve the Cortex Data Lake certificate, fetch the Customer Identification number and the region in which your Cortex Data Lake instance is deployed, and confirm that the Panorama appliance is connected to the Cortex Data Lake (Logging Service below). If any of these checks fail, the Status is reported as an Error.
      logging-service-detailed-status.png
  9. On the Cloud Service Portal View Cortex Data Lake Status to verify that the Cortex Data Lake is provisioned successfully.
  10. Configure Log Storage Quota on the Cortex Data Lake. Make sure to allocate log quota for each log type because, there isn’t a default log quota allocation.
  11. Continue to Configure the Firewalls to Forward Logs to the Cortex Data Lake.
    If you want to forward logs stored on the Cortex Data Lake to an external destination, see Log Forwarding app.

Related Documentation