Create an Agent Installation Package - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-19
Category
Administrator Guide
Abstract

Learn how to create a Cortex XDR agent installation package to deploy to your endpoints.

To install the Cortex XDR agent on the endpoint for the first time, you must first create an agent installation package. Review the Where can I install the Cortex XDR agent for supported versions and operating systems.

After you create and download an installation package, you can then install it directly on an endpoint or you can use a software deployment tool of your choice to distribute the software to multiple endpoints.

To install the Cortex XDR agent software, you must use a valid installation package that exists in your Cortex XDR management console. If you delete an installation package, new agents installed from this package are not able to register to Cortex XDR, however, existing agents may re-register using the Agent ID generated by the installation package.

To create a new installation package:

  1. From Cortex XDR, select EndpointsAgent Installations.

  2. Create a new installation package.

  3. Enter a unique Name and an optional Description to identify the installation package.

    The package Name must be no more than 100 characters and can contain letters, numbers, hyphens, underscores, commas, and spaces.

  4. Select the Package Type.

    • Standalone Installers—Use for fresh installations and to Upgrade Cortex XDR Agents on a registered endpoint that is connected to Cortex XDR.

    • Upgrade from ESM—Use this package to upgrade Traps agents which connect to the on-premises Traps Endpoint Security Manager to Cortex XDR. For more information, see Migrate from Traps Endpoint Security Manager.

    • (Linux only) Kubernetes Installer—Use for fresh installations and upgrades of Cortex XDR agents running on Kubernetes clusters.

    • Helm Installer—Use this package for fresh installations and upgrades of Cortex XDR agents running on Kubernetes clusters.

  5. Specify the installation package settings.

    • (Windows, macOS, and Linux) Select the Platform for which you want to create the installation package and the Agent Version for the package.

    • (Kubernetes only) Configure the settings for your YAML deployment. These settings cannot be changed after you create the installation package:

      • Select the Agent Version for the package. Critical Environment versions are displayed as CE versions. Enable Always deploy with latest agent version to ensure that each new node will launch the latest Cortex XDR agent release for which a YAML installation package was created. You must assign an Agent Settings Profile where Agent Auto Upgrade is enabled for this deployment method.

      • Set the Cortex XDR agent DaemonSet namespace. For simplified management, it is recommended to use the default cortex-xdr namespace.

      • For a more granular deployment, enter any labels or selectors in the Node Selector. The Cortex XDR agent will be deployed only on these nodes.

      • Configure the Cortex XDR agent to communicate through an intermediary such as a proxy or the Palo Alto Networks Broker Service. To enable the agent to communicate directly with the intermediary, use this installation option to assign the IP address and port number you want the Cortex XDR agent to use. You can also configure the proxy by entering the FQDN and port number. When you enter the FQDN, you can use both lowercase and uppercase letters. Avoid using special characters or spaces. Use commas to separate multiple addresses.

        Note

        The Cortex XDR agent does not support proxy communication in environments where proxy authentication is required.

      • You can configure the Cortex XDR agent to Run on master node, or Run on all nodes.

  6. Create the installation package.

    Cortex XDR prepares your installation package and makes it available on the Agent Installations page.

  7. Download your installation package.

    When the status of the package shows Completed, right-click the agent version, and click Download.

    • For Windows endpoints, select between the architecture type. You can download the installer msi file only, or for Cortex XDR agents 7.4 and later, a distribution package that includes both the installer msi file and the latest content zip. The distribution package is recommended to reduce the network load and time typically required for the initial roll-out or major upgrades of the Cortex XDR agent. To understand the benefits, workflow, and requirements to support this type of deployment, refer to the Cortex XDR Agent Administrator Guide.

    • For macOS endpoints, download the ZIP installation folder and upload it to the endpoint. To deploy the Cortex XDR agent using JAMF, upload the ZIP folder to JAMF. Alternatively, to install the agent manually on the endpoint, unzip the ZIP folder and double-click the pkg file.

    • For Linux endpoints, you can download .rpm or .deb installers (according to the endpoint Linux distribution), and deploy the installers on the endpoints using the Linux package manager. Alternatively, you can download a Shell installer and deploy it manually on the endpoint.

      Note

      When you upgrade a Cortex XDR agent version without the package manager, Cortex XDR upgrades the installation process to the package manager by default, according to the endpoint Linux distribution.

    • For Kubernetes clusters on Linux endpoints, download the YAML file. Palo Alto Networks strongly recommends that you do not edit this file.

    • For Android endpoints, Cortex XDR creates a tenant-specific download link that you can distribute to Android endpoints. When a newer agent version is available, Cortex XDR identifies older package versions as [Outdated].

  8. Next steps:

    As needed, you can return to the Agent Installations page to manage your agent installation packages. To manage a specific package, right-click the agent version, and select the desired action:

    • Edit the package name or description.

    • Delete the installation package. Deleting an installation package does not uninstall the Cortex XDR agent software from any endpoints.

      Note

      Since Cortex XDR relies on the installation package ID to approve agent registration during the installation, we recommend that you don't delete the installation package of active endpoints. If you install the Cortex XDR agent from a package after you delete it, Cortex XDR denies the registration request leaving the agent in an unprotected state. Hiding the installation package removes it from the default list of available installation packages, and can be useful for preventing confusion within the management console main view. The hidden installation can be viewed by removing the default filter.

    • Copy text to clipboard to copy the text from a specific field in the row of an installation package.

    • Hide installation packages. Using the Hide option provides a quick method to filter out results based on a specific value in the table. You can also use the filters at the top of the page to build a filter from scratch. To create a persistent filter, save (save-icon.png) it.