New Features in Cortex Data Lake

Here are the new features in Cortex Data Lake.

Welcome to Cortex Data Lake! Cortex Data Lake allows you to centralize the collection and storage of logs generated by apps on the cloud services portal and your on-premise, public, and private cloud firewalls, and the GlobalProtect cloud service. The cloud-based logging infrastructure is available in multiple regions. Cortex Data Lake seamlessly integrates with your existing Panorama. Once configured, you can view all firewall logs from Panorama.

These are all the new features introduced in Cortex Data Lake.

New Region Support: Saudi Arabia

March, 2024
You can now host Cortex Data Lake in the Saudi Arabia region. Refer to the region support information before you set a host region when you activate Cortex Data Lake.
You can host Cortex Data Lake in multiple regions. To comply with data privacy regulations that require you to keep data within a specific region, you can select it as a host region when you activate Cortex Data Lake. You must also allow specific FQDNs or IP address ranges and TCP ports for each region to send logs to and forward logs from Cortex Data Lake. In addition, depending on the platform you are using, you must allow traffic from different sources to connect to Cortex Data Lake successfully.
Cortex Data Lake ensures data redundancy by storing your data in two different zones in the region you choose. Therefore, in case of an outage, Cortex Data Lake will fail over to the secondary zone in an attempt to prevent interruption of service.
If you want to use a third-party app to ingest your Cortex Data Lake log data, ensure that the third-party app is supported in the same region as your Cortex Data Lake instance. Otherwise, the third-party app will be unable to access your data. Third-party apps are currently supported in only the following regions:
  • United States - Americas
  • United Kingdom
  • Netherlands - Europe
  • Japan

New Log Field Names

January, 2024
To simplify your logging experience, some log field names have changed. These changes will affect how field names appear and how they are forwarded. To ensure a smooth transition for your log forwarding profiles, we will continue to support the old names for the near future. Fields will be forwarded with both the new names and old names, so you can choose whether to leverage the new names or continue with your current configurations.
Therefore, no action is required to maintain log forwarding functionality.
References to logs that were forwarded before these changes must use the old names.

Query Usability and Performance Enhancements in Explore

January, 2024
The enhancements in Explore include:
  • Option to cancel a query you no longer want to run, using the Cancel option
  • Improved query response time
  • View logs from Cortex Data Lake hosted in the China region
You can view and interact with logs stored in Cortex Data Lake with Explore in the Cortex Data Lake app and Log Viewer in Strata Cloud Manager. A query field and time range preferences help you narrow down the specific logs that are of interest to you. You can view the log details and also export all log types to a compressed CSV file in GZ format. Log Viewer provides an audit trail for system, configuration, and network events. Jump from a dashboard in Strata Cloud Manager to your logs to get details in Log Viewer and investigate findings.

Forward Past Logs With Log Replay

January, 2024
You can now forward past-dated logs (up to the past 3 days from the current date) from Cortex Data Lake to your preferred syslog, HTTPS, or email servers with log replay profiles. You can use this option to retrieve old logs in case of connection failures or outages at the destination server. To create the log replay profile, you clone the parameters from your preferred existing log forwarding profile and provide the date range for which you want to forward the logs.

New Region Support: Korea, Israel, Indonesia, and United States Government (High)

November, 2023
You can now host Cortex Data Lake in the Korea, Israel, Indonesia, and United States Government (FedRAMP high) regions. Refer to the region support information before you set a host region when you activate Cortex Data Lake.
You can host Cortex Data Lake in multiple regions. To comply with data privacy regulations that require you to keep data within a specific region, you can select it as a host region when you activate Cortex Data Lake. You must also allow specific FQDNs or IP address ranges and TCP ports for each region to send logs to and forward logs from Cortex Data Lake. In addition, depending on the platform you are using, you must allow traffic from different sources to connect to Cortex Data Lake successfully.
Cortex Data Lake ensures data redundancy by storing your data in two different zones in the region you choose. Therefore, in case of an outage, Cortex Data Lake will fail over to the secondary zone in an attempt to prevent interruption of service.
If you want to use a third-party app to ingest your Cortex Data Lake log data, ensure that the third-party app is supported in the same region as your Cortex Data Lake instance. Otherwise, the third-party app will be unable to access your data. Third-party apps are currently supported in only the following regions:
  • United States - Americas
  • United Kingdom
  • Netherlands - Europe
  • Japan

Remote Browser Isolation Logging

November, 2023
You can view Remote Browser Isolation logs in Explore and Log Viewer. See the Schema Reference for more information about the log fields.
Browser and web-based attacks are continuously evolving, resulting in security challenges for many enterprises. Web browsers, being a major entry point for malware to penetrate networks, pose a significant security risk to enterprises, prompting the increasing need to protect networks and devices from zero day attacks. Highly regulated industries, such as government and financial institutions, also require browser traffic isolation as a mandatory compliance requirement.
While most enterprises want to block 100% of attacks by using network security and endpoint security methods, such a goal might not be realistic. Most attacks start with the compromise of an endpoint that connects to malicious or compromised sites or by opening malicious content from those sites. An attacker only needs one miss to take over an endpoint and compromise the network. When this happens, the consequences of that compromise and the impact to your organization can be damaging.
Remote Browser Isolation (RBI) creates a no-code execution isolation environment for a user's local browser, so that no website code and files are executed on their local browser. Unlike other isolation solutions, RBI uses next-generation isolation technologies to deliver near-native experiences for users accessing websites without compromising on security.
RBI is a service that isolates and transfers all browsing activity away from the user's managed devices and corporate networks to an outside entity such as Prisma Access, which secures and isolates potentially malicious code and content within their platform. Natively integrated with Prisma Access, RBI allows you to apply isolation profiles easily to existing security policies. Isolation profiles can restrict many user controls such as copy and paste actions, keyboard inputs, and sharing options like file uploading, downloading, and printing files to keep sensitive data and information secure. All traffic in isolation undergoes analysis and threat prevention provided by Cloud-Delivered Security Services (CDSS) such as Advanced Threat Prevention, Advanced WildFire, Advanced URL Filtering, DNS Security, and SaaS Security.

Query Usability Enhancements

September 15, 2023
You can now use enhanced filtering and viewing capabilities to search and view relevant logs easily. The enhancements include:
  • Search in the query builder shows autosuggestions most relevant to the search string.
  • The query builder suggests all the supported values for the field to build the query.
  • Search field names using substrings (for example, search with the string ‘user’ returns suggestions such as source_user, destination_user).
  • Search for a field based on the display name in the log table and not just the actual field name in the log record. You can create a query using both field names.
  • Press Shift + Enter to start a new line in the query builder, and press Enter to submit a query.

All Previous New Features

Dynamic Sizing for Cloud NGFW for AWS

August 2023
To simplify storage allocation for your Cloud NGFW for AWS resources, Cortex Data Lake now automatically scales your total allocated storage according to your Cloud NGFW usage. As traffic throughput increases on the Cloud NGFW resources, so does your available storage so that you don’t need to worry about making manual adjustments for Cortex Data Lake to save your log data.

HTTPS Log Forwarding to Exabeam

August 2023
Cortex Data Lake now supports forwarding logs to Exabeam using HTTPS, so if you use Exabeam as your SIEM, you can now seamlessly ingest firewall data from Cortex Data Lake for a more complete picture of your network activity.

Log Forwarding Java 11 Upgrade

August 2023
For more up-to-date and secure authentication, Log Forwarding now uses Java 11. Please review the updated list of trusted certificates to ensure your log receiver has the correct certificates installed.

Poland Regional Support

July 2023
To comply with data privacy regulations that require you to keep data within Poland, you can now select it as a host region when you activate Cortex Data Lake.

Cloud NGFW for Cortex Data Lake Inventory Page Update

July 2023
Cortex Data Lake now displays key metrics for your Cloud NGFWs to help you better monitor ingestion rate, storage usage, and connection status for your deployment.

New Log Field for Cloud NGFW Resources

July 2023
Cortex Data Lake has a new log field (log_source_group_id) that identifies the Cloud NGFW resource to which your Cloud NGFWs belong. With this field, you can perform Explore/Log Viewer queries to zero in on logs generated by a specific Cloud NGFW resource.

Audit Logs for Cisco Meraki Integration with Prisma Access

May 2023
To monitor the operation of your Prisma Access integration with Meraki SD-WAN, you can now view and query Audit logs stored in Cortex Data Lake using Explore in the Cortex Data Lake app or Log Viewer in other apps. These logs provide context for every Meraki configuration change executed through the Prisma Access integration, including such information as date and time of the change, the admin who performed it, and any errors or warnings encountered.

China Regional Support

April 2023
To comply with data privacy regulations that require you to keep data within China, you can now select it as a host region when you activate Cortex Data Lake.

France Regional Support

February 2023
To comply with data privacy regulations that require you to keep data within France, you can now select it as a host region when you activate Cortex Data Lake.

Cortex Data Lake Alerts in AIOps for NGFW

December 2022
You can now view alerts about your Cortex Data Lake instance within AIOps for NGFW. These alerts enable you to stay aware of the latest service availability, log storage, and connection issues affecting your Cortex Data Lake instance, providing you with the context and recommendations necessary to take the appropriate actions against them.

Spain Regional Support

November 2022
To comply with data privacy regulations that require you to keep data within Spain, you can now select it as a host region when you activate Cortex Data Lake.

Italy Regional Support

November 2022
To comply with data privacy regulations that require you to keep data within Italy, you can now select it as a host region when you activate Cortex Data Lake.

Multiple Panorama Support

November 2022
You can now add up to 20 Panorama appliances to a single Cortex Data Lake instance. This simplifies licensing and monitoring by consolidating all of your data in one Cortex Data Lake instance. That way, Palo Alto Networks security applications that analyze Cortex Data Lake data, such as Cortex XDR, IoT Security, and SaaS Security Inline, can provide you with more centralized results.

Switzerland Regional Support

November 2022
To comply with data privacy regulations that require you to keep data within Switzerland regional boundaries, you can now select Switzerland as a host region when you activate Cortex Data Lake.

Log Forwarding API Access for MSSPs

September 2022
To help you manage log forwarding profiles at scale, Log Forwarding APIs are now available for managed security service providers.

HTTPS Log Forwarding to Google Chronicle

August 2022
Cortex Data Lake now supports forwarding logs to Google Chronicle using HTTPS, so if you use Chronicle as your SIEM, you can now seamlessly ingest firewall data from Cortex Data Lake for a more complete picture of your network activity.

Field Name Updates for GlobalProtect CEF Logs

August 2022
For an output that is more consistent with other log types, we’ve updated the following field names for GlobalProtect logs sent from Cortex Data Lake (CEF):
  • log_source
  • log_source_id
  • log_source_name
  • vsys_name
  • subtype.value
  • eventid.value
  • status.value
  • source_user
  • endpoint_device_name
  • public_ip.value
  • public_ipv6.value
  • hostid

DNS Security Logging

June 2022
You can now send DNS Security logs to Cortex Data Lake to facilitate triage, prioritization, and response to security incidents involving DNS. This enables you to view DNS Security logs in Explore to assess the details of a particular log and perform queries for further investigation.
To send DNS Security logs to Cortex Data Lake, you must have a DNS Security subscription on your firewalls, and you must configure log retention for DNS Security logs.
The Cortex Data Lake Estimator does not yet support DNS Security logs, so you must calculate log storage manually. The average size of a DNS Security log is approximately 833 bytes.

Subnet Search in Explore

May 2022
In Explore, you can now use the = or != operators to match IPv4 and IPv6 addresses and subnets that use CIDR notation. This allows you to speed up your investigations by quickly narrowing them down to logs from a section of your network.
For example, this search identifies all logs with the specified IPv4 address range in the source address field:
src_ip.value = "192.168.30.51/24"
Similarly, this search identifies all logs that do not have the specified IPv4 address range in the destination address field:
dst_ip.value != "172.10.10.10/24"
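
As an added example (not Palo Alto Networks code), the following Python applies the same = and != subnet matching to records held locally, for instance rows from an Explore CSV export, so a query result can be cross-checked offline. The record layout, the function names, and the treatment of host bits in the prefix and of empty address fields are assumptions.

```python
import ipaddress

# Constructed sample records (assumption: one dict per exported log row,
# keyed by the field names used in the two queries above).
SAMPLE_LOGS = [
    {"log_id": 1, "src_ip.value": "192.168.30.7", "dst_ip.value": "172.10.10.200"},
    {"log_id": 2, "src_ip.value": "192.168.31.7", "dst_ip.value": "8.8.8.8"},
    {"log_id": 3, "src_ip.value": "2001:db8:30::5", "dst_ip.value": "2001:db8:ffff::1"},
    {"log_id": 4, "src_ip.value": "", "dst_ip.value": "172.10.11.1"},
]


def parse_operand(value):
    """Parse a query operand (single address or CIDR subnet) into a network.

    strict=False accepts host bits in the prefix, so 192.168.30.51/24 is
    read as 192.168.30.0/24 (assumed to mirror the intent of the query).
    """
    return ipaddress.ip_network(value.strip().strip('"'), strict=False)


def in_subnet(address, network):
    """Return True/False for a parsable address, None if it cannot be parsed."""
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return None
    # An IPv4 address is never inside an IPv6 network, and vice versa.
    return ip.version == network.version and ip in network


def subnet_filter(records, field, op, operand):
    """Return the records whose `field` satisfies `field op operand`."""
    if op not in ("=", "!="):
        raise ValueError("operator must be '=' or '!='")
    network = parse_operand(operand)
    want_inside = op == "="
    matched = []
    for record in records:
        inside = in_subnet(str(record.get(field) or ""), network)
        # Assumption: a missing or malformed address matches neither operator.
        if inside is not None and inside == want_inside:
            matched.append(record)
    return matched


def matching_ids(field, op, operand, records=SAMPLE_LOGS):
    """Convenience wrapper returning only the log_id of each match."""
    return [r["log_id"] for r in subnet_filter(records, field, op, operand)]


if __name__ == "__main__":
    print(matching_ids("src_ip.value", "=", "192.168.30.51/24"))
    print(matching_ids("dst_ip.value", "!=", "172.10.10.10/24"))
```
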

HTTPS Forwarding to Microsoft Sentinel

March 2022
Cortex Data Lake now supports forwarding logs through HTTPS to Microsoft Sentinel.

Forwarding for GlobalProtect Troubleshooting Logs

March 2022
To provide a more complete picture of your GlobalProtect application behavior to external logging solutions, you can now forward GlobalProtect Troubleshooting logs from Cortex Data Lake.

License Information Widget

February 2022
On the Dashboard, you can now:
  • View your license expiry date with a countdown from the current date to help you know when it’s time to renew.
  • View instance details such as name, tenant ID, and serial number to quickly help Customer Support identify your instance if an issue arises.

Additional Hardware Models for Cortex Data Lake Estimator

January 2022
To help you more accurately estimate the amount of storage you will need, the Cortex Data Lake Estimator now supports the following hardware models:
  • PA 400 series - PA-410, PA-440, PA-450 and PA-460
  • PA 5400 series - PA-5450

Deployment Monitoring

December 2021
The Cortex Data Lake app now features a dashboard that enables you to view whether your devices are still sending logs to Cortex Data Lake as well as view finer details about log transmission, such as storage, latency, ingestion, and log forwarding status.

Client Authentication Using Certificates

December 2021
You can now use certificates to authenticate the log forwarding endpoint that is sending logs to your Syslog and HTTPS servers. This enables you to comply with any company or regulatory policy that may require client authentication.

Independent Log Forwarding Profiles

November 2021
Log forwarding profiles that send logs to different destinations now work independently from each other, so if one destination disconnects and stops ingesting logs, the other destinations remain connected and continue to receive logs.
If you are a managed security service provider overseeing the syslog streams for multiple customers, this feature will ensure that a problem with one stream will not affect the others.
Also, if you manage multiple syslog sinks for different purposes, such as SOC investigation, network troubleshooting, and audit and compliance, this feature helps you maintain consistent service in the event that one sink goes down.

Easy Activation

September 2021
Cortex Data Lake now features a simplified activation flow to help you get up and running with the product quickly and easily. After you purchase a Cortex Data Lake license, you now receive an email with a link that takes you to a step-by-step process for activating your product.

India Regional Support

August 2021
To comply with data privacy regulations that require you to keep data within India regional boundaries, you can now select India as a host region when you activate Cortex Data Lake.

Saved and Shared Filters

August 2021
You can now save log queries and share them with other users. Save log queries to avoid re-entering long, complex, or frequently used queries each time you want to see a particular set of logs. Share queries to quickly present the logs to a team member, support technician, or anyone whom you want to see them.

Saved Log Viewer Profiles

August 2021
In the log viewer, you can now create profiles that save preferences so that you can quickly change to a set of preferences for a particular use case or user.
These preferences include the Cloud Identity Engine (CIE) tenant, the time zone in which logs appear, and the columns you’ve chosen to display as well as their order.

Query Builder Enhancements

July 2021
The character limit for queries has increased to 4096, and queries now wrap to the next line when the field is filled. This enables you to form longer queries and view their contents at a glance.

Time Zone Selection

July 2021
You can now choose to view logs in different time zones. This helps you correlate logs generated by different products that may use a different time zone from the time zone of your browser.

Millisecond-Level Queries

July 2021
You can now create queries with the time_generated_high_res field equal_to a time in milliseconds. This enables you to correlate logs with events from other systems at a millisecond level.

Default User Preferences

July 2021
You can now restore preferences, such as column order and time zone, to the preferences set when you first started the app. This enables you to quickly undo any changes you’ve made if you are no longer satisfied with your preferences.

Log Viewer Admin Role

July 2021
Cortex Data Lake now has a new role that only grants permission to view the Explore tab and export log data. If one of your users only needs to view logs, this enables you to maintain a good security posture by only granting them the permissions they need.

Germany Regional Support

July 2021
To comply with data privacy regulations that require you to keep data within German regional boundaries, you can now select Germany as a host region when you activate Cortex Data Lake.

Filter Query Parentheses Support

June 2021
The log viewer filter now supports parentheses to determine the order in which it evaluates terms in queries so you can more precisely identify the logs you’re looking for.

Firewall Data Retention Toggle

June 2021
For better control over your log data, you can now disable log retention for each of your firewalls from the Inventory tab in the Cortex Data Lake app. To do this, set Store Log Data to Off for the firewalls whose data you do not want to retain.

Device Certificate for Cortex Data Lake

June 2021
(PAN-OS 10.1 or later) To reduce the number of certificates you need to install and manage to connect to Palo Alto Networks cloud services, you can now authenticate to Cortex Data Lake using a device certificate. This enables you to authenticate to Cortex Data Lake using the same certificate that you would use to connect to Cortex XDR, IoT Security, and Enterprise Data Loss Prevention.
Devices using a device certificate follow a new process to onboard to Cortex Data Lake. Make sure to follow the onboarding process appropriate for your PAN-OS version and deployment style.

Self-Signed Certificate Support

April 2021
You can now get started forwarding logs from Cortex Data Lake more quickly, easily, and cost-effectively by using a self-signed certificate to authenticate your syslog or HTTPS receiver. After installing the certificate on your receiver, you can upload the private CA or self-signed certificate as part of your syslog or HTTPS forwarding profiles.

Log Forwarding Certificate Validation Enhancement

March 2021
To ensure your log data arrives safely to its intended destination, Cortex Data Lake now more rigorously inspects the validity of server certificates.

Log Forwarding Connection Check

March 2021
To help you verify that you can connect to the syslog server to which you want to forward logs, Cortex Data Lake Log Forwarding now features a Test Connection button in Syslog and HTTPS profile configuration. When you click this button, you will see that the connection either succeeded or failed and why.

HTTPS Log Forwarding

March 2021
For compatibility with services that receive events through HTTPS, such as Splunk HTTP Event Collector (HEC), Cortex Data Lake now supports forwarding logs through HTTPS.

Common Event Format (CEF) Support

March 2021
Enabling you to forward logs to Microfocus ArcSight Enterprise Security Manager, Cortex Data Lake now supports CEF as an option when you select the log format for a syslog forwarding profile.

No Data Retention

March 2021
For better control over your log data, Cortex Data Lake now does not retain logs at all if you set log storage Quota or Max Retention Days to 0 in Storage Configuration. If you do want to store logs, ensure that Quota is greater than 0 and Max Retention Days is not set to 0.

Related Log Events

February 2021
Certain network logs (Traffic, Threat, URL, File) now show you the other events logged during the same session.
Without leaving the context of the log you’re interested in, you can see the sequence of related events for the session. Related logs are displayed chronologically, top to bottom: the log with the earliest timestamp is listed first.
Select a related log to investigate the details for that event.

Log Format Updates

February 2021
To take advantage of these features, you must edit and resubmit your log forwarding profiles.
New Log Fields: To support the transport of richer data about your network traffic, Cortex Data Lake now processes new log fields from PAN-OS: device group (DG) hierarchy and secure web gateway (SWG) fields. The DG hierarchy field helps you identify which firewall Device Group generated a log, and SWG fields provide more detailed user authentication information.
New Email Log Format: For better consistency across log outputs, the log fields in email log forwarding now more closely resemble other supported formats, such as LEEF and the format used in Explore. This does not affect email forwarding profiles that were migrated from an older version of Log Forwarding.
Log Field Modification: For better consistency with other log fields, the ProfileToken field now has the first letter capitalized. If you reference this field in automation scripts, ensure that it reads ProfileToken.

Log Forwarding Filter Updates

February 2021
To take advantage of these features, you must edit and resubmit your log forwarding profiles.
Editable Migrated Filters: You now have the flexibility to modify the queries in log forwarding filters that you may have retained from an earlier version of the Log Forwarding app.
Migrated filters will not tell you if a query that you entered is valid. To validate a query, create a new filter and test it there. When you determine the query works, then paste it into the migrated filter.
Filter Deletion Confirmation: To prevent you from accidentally deleting log forwarding filters, filter deletion is now a two-step process.

In-App Device Connection Management

January 2021
For smoother device onboarding, you can now view a list of your available Panorama and firewall devices and generate onboarding keys for them within the app.

Redesigned UI

January 2021
To provide a more consistent experience across Palo Alto Networks platforms, Cortex Data Lake now features a new user interface that you may recognize from products such as Prisma Access.

Explore Integration

January 2021
Instead of switching to a different app, you can now search, filter, and export logs directly within the Cortex Data Lake app. Select Explore in the app’s new sidebar to get started.

Australia Regional Support

December 2020
To comply with data privacy regulations that require you to keep data within Australian regional boundaries, you can now select Australia as a host region when you activate Cortex Data Lake.

Log Forwarding Integration

November 2020
You can now forward logs from within the Cortex Data Lake app, enabling you to conveniently manage onboarding, storage, and log transmission in a single application. In moving to the Cortex Data Lake app, the log forwarding interface now has a new, simplified design that makes it easier to begin configuring Syslog and email profiles to forward your Cortex Data Lake log data.

Log Filter Query Support

November 2020
When creating your log forwarding profiles in Cortex Data Lake, you can now use the same query language from Explore to define precise log filters based on time, device serial number, IP address, and more.

LEEF Format Support for IBM QRadar

November 2020
You can now forward logs in Log Extended Event Format (LEEF) for use with IBM QRadar SIEM.

Combined Log Types

November 2020
To simplify the list of available log types for log forwarding, the tunnel log type now includes GTP logs, and Threat logs now include WildFire logs.
Because log forwarding profiles can only include one filter per log type, if you had a log forwarding profile with a log filter for both of the formerly separate log types, you will now see a new log forwarding profile. This profile contains the log filter that could not be duplicated in the original profile.
For example, a log forwarding profile with filters for both tunnel and GTP logs now appears as two profiles, each with a tunnel filter. One of the profiles will continue filtering tunnel logs and the other will filter GTP logs, which are now included in tunnel logs. The new profile will be called <original name> - GTP or, in the case of Threat and WildFire, <original name> - WildFire.

Non-Editable Log Forwarding Filters

November 2020
Some log filters created in the previous Log Forwarding app can no longer be edited. If you would like to change such filters, you must delete them and create new ones.
Because some fields in the migrated filters are no longer available, you may not be able to recreate an identical filter if you delete it.

Scheduled Reports for Cortex Data Lake

November 2020
(PAN-OS 10.0.2 or later and Cloud Services plugin 1.8.0 or later) From Panorama, you can now generate scheduled reports on Cortex Data Lake data.

Japan Regional Support

September 2020
To comply with data privacy regulations that require you to keep data within Japanese regional boundaries, you can now select Japan as a host region when you activate Cortex Data Lake.

Canada Regional Support

July 2020
To comply with data privacy regulations that require you to keep data within Canadian regional boundaries, you can now select Canada as a host region when you activate Cortex Data Lake.
To choose Canada as your host region, select Canada at activation. The Americas region represents the United States only.

Proxy Support

July 2020
(PAN-OS 10.0 or later) You can now configure the firewall to forward logs to Cortex Data Lake through a proxy server. This enables you to send log data to Cortex Data Lake from a network without a default gateway.

UK and Singapore Regional Support

July 2020
For compliance with regulations that require you to keep data within regional boundaries, you can now select the UK or Singapore as a host region when you activate Cortex Data Lake.

Quota Manager Enhancements

June 2020
The quota manager now features a detailed breakdown of firewall log types and a simpler method of allocating remaining storage to help you more easily manage your .
Instead of a single Detailed log type, the quota manager now displays the firewall log types individually. The Infrastructure & Audit log type now appears as System and Config logs.
To allocate all remaining storage to one or more log types, you can now leave the quota percentage of log types blank and the quota manager will automatically assign them the unallocated space.

New Quota Manager UI

April 2020
To help you more easily allocate log storage and visualize the data you're storing in Cortex Data Lake, the Cortex Data Lake app now features a completely redesigned quota manager.
The quota manager now visually displays your total storage capacity as a bar, with color-coded segments representing different log sources so you can instantly identify how much storage a service uses and adjust if necessary.

New Minimum PAN-OS Version for Cortex Data Lake Without Panorama

March 2020
To authenticate using the new G2 certificate chain, firewalls that you want to onboard to Cortex Data Lake must now run PAN-OS 9.0.6 or later.

Cortex Data Lake Without Panorama

July 2019
Until PAN-OS 9.0.3, Panorama was required to onboard firewalls to Cortex Data Lake, and to view logs stored in Cortex Data Lake. Now, firewalls running PAN-OS 9.0.3 and later can securely connect and log to Cortex Data Lake, without Panorama. The new app, Explore, allows you to see and interact with the log data stored in Cortex Data Lake.

New App-ID for Palo Alto Networks Shared Services

May 2019
For better application visibility and control, you now have a new App-ID for paloalto-shared-services, in addition to the App-ID for the paloalto-logging-service. The paloalto-shared-services App-ID identifies traffic for any shared services that are used by Palo Alto Networks including Directory Sync Service, Logging Service, and Magnifier; any paloalto-shared-services traffic that was earlier identified as ssl, web-browsing will now be identified as paloalto-shared-services.
If you have a Palo Alto Networks next-generation firewall between the Panorama appliance and the internet, you must add a security policy rule on the firewall to allow the paloalto-logging-service and paloalto-shared-services App-IDs from the Panorama appliance to the internet. These applications allow SSL-secured communication to the Cortex Data Lake that the Panorama appliance uses to query logs, and enable communication to the shared services and the Cortex Data Lake for performing certificate status and revocation checks.

Connection Status Reporting Improvements

September 2018
To help with visibility on the status and connectivity to the Cortex Data Lake, the Cloud Services plugin 1.2 provides details on the connection status between Panorama and the Cortex Data Lake. On Panorama > Cloud Services > Status > Status, you can now verify that the Panorama appliance was able to successfully retrieve the Logging Service certificate, view the Customer Identification number and the region in which your Cortex Data Lake instance is deployed, and confirm that the Panorama appliance is connected to the Logging Service. If any of these checks fail, the Status is reported as an error.

New App-ID for Palo Alto Networks Shared Services

September 2018
For better application visibility and control, you now have a new App-ID for paloalto-shared-services, in addition to the App-ID for the paloalto-logging-service. The paloalto-shared-services App-ID identifies traffic for any shared services that are used by Palo Alto Networks including Directory Sync Service, Logging Service, and Magnifier; any paloalto-shared-services traffic that was earlier identified as ssl, web-browsing will now be identified as paloalto-shared-services.
If you have a Palo Alto Networks next-generation firewall between the Panorama appliance and the internet, you must add a security policy rule on the firewall to allow the paloalto-logging-service and paloalto-shared-services App-IDs from the Panorama appliance to the internet. These applications allow SSL-secured communication to the Cortex Data Lake that the Panorama appliance uses to query logs, and enable communication to the shared services and the Cortex Data Lake for performing certificate status and revocation checks.

Expand Log Storage Capacity for Traps Logs

April 2018
You can now activate the Cortex Data Lake Auth code from the cloud services portal to upgrade the Traps Included Storage of 100GB to a Cortex Data Lake license with larger storage capacity.

Log Quota Management on the hub

March 2018
Starting March 19, 2018, you must use the cloud services portal to manage the log quota for logs stored on the Cortex Data Lake.
Log in to the cloud services portal using your Customer Support Portal credentials, and then refer to the Logging Service Getting Started Guide for instructions on activating licenses and deploying this service.
