Onboard Firewalls without Panorama (10.0 or Earlier)
Before you start sending logs to Cortex Data Lake, you must generate the key that enables firewalls to securely connect to Cortex Data Lake.

Onboarding keys are valid for 24 hours, and you can use a single key for as many firewalls as you'd like to onboard during that 24-hour period. After you use the Cortex Data Lake app to generate the key, copy the key and save it for future reference. You cannot reference it again after you close out of the Cortex Data Lake app, and you will need to add the key to each firewall that you want to connect to Cortex Data Lake. Generating a new key invalidates any other keys that were generated in the previous 24 hours.

If you have already connected the firewall to a Cortex Data Lake instance and want to connect it to a new instance, first issue the following command from the firewall CLI:

    admin@PA-220> request logging-service-forwarding certificate delete

This severs the connection between the firewall and the current Cortex Data Lake instance. Then follow the procedure below to connect to the new Cortex Data Lake instance.

Before you begin, ensure that your firewalls are running a PAN-OS version that supports direct onboarding to Cortex Data Lake.

- On your firewalls, allow access to the ports and FQDNs required to connect to Cortex Data Lake. If you are using a proxy server, allow the same ports and FQDNs on the server without SSL decryption. Ensure that you are not decrypting traffic to Cortex Data Lake.
- (Optional) To configure the firewall to connect to Cortex Data Lake through a proxy server, select Device > Setup > Services > Use proxy to send logs to Cortex Data Lake.
- By default, the management interface is used to forward logs to Cortex Data Lake. If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com, certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
  - Select Device > Setup > Services > Global on a firewall without multiple virtual system (multi-vsys) capability.
  - Under Services Features, click Service Route Configuration.
  - Select Customize.
  - Under Service, select the following:
    - Palo Alto Networks Services
    - CRL status
    - DNS
    - HTTP
    - NTP
  - Set Selected Service Routes.
  - Select the Source Interface you want to use for activation, then select a Source Address from that interface and click OK.
  - Select Destination and Add a destination.
  - Enter any of the FQDNs above as the Destination.
  - Select the same Source Interface and Source Address that you selected for activation and click OK.
  - Add two more destinations for the same interface using the remaining FQDNs.
  - Click OK again to exit Service Route Configuration.
  - Update the access rules required to connect to Cortex Data Lake for the new interface IP address.
- Configure NTP so that the firewall stays in sync with Cortex Data Lake. Ignore this step if you have enabled proxy configuration:
  - On the firewall, select Device > Setup > Services and set the NTP Server Address. For example: pool.ntp.org.
- Onboard the firewalls to a Cortex Data Lake instance. Ignore this step if you don't have a Cortex Data Lake license and want to send logs to Cortex XDR only.
  - Log in to the hub and open the Cortex Data Lake app.
  - Select Inventory > Firewalls > Generate PSK to generate the onboarding key. Copy or save the key so that you can use it in later steps.
  - Log in to the firewall that you want to connect to Cortex Data Lake.
  - Select Device > Licenses and confirm that the Cortex Data Lake license is active. Ensure that you have subscribed to a valid support license for Cortex Data Lake (the 90-day software warranty does not count as a valid support license). When you purchased your Cortex Data Lake license, all firewalls registered to your support account received a Cortex Data Lake license. If you don't see the Cortex Data Lake license, Retrieve license keys from license server to manually refresh the firewall licenses.
- Set up the connection to Cortex Data Lake and check the connection status:
  - Select Device > Setup > Management and find the Logging Service settings.
  - (Important) Before you populate any other settings, find the Onboard to Cloud option. Click Connect and enter the PSK (the onboarding key you generated in the Cortex Data Lake app). Then click Connect again. After you connect, you should see a pop-up dialog that confirms that the firewall is equipped with the certificate it needs to authenticate to Cortex Data Lake. You can also check the Task Manager to confirm that the firewall successfully authenticated to Cortex Data Lake.
  - Enable Logging Service to connect the firewall to Cortex Data Lake. If you want the firewall to collect data that increases visibility for Palo Alto Networks applications, like Cortex XDR, you can also Enable Enhanced Application Logging. Cortex Data Lake logging doesn't start until after you've specified the log types you want to forward. Complete these steps and then start sending logs to Cortex Data Lake. Do not Enable Duplicate Logging; this option applies only to Panorama-managed firewalls.
  - Select the geographic Region of the Cortex Data Lake instance to which you want to forward logs. This is the region you chose when you activated Cortex Data Lake.
  - Commit and push the configuration to the firewalls.
  - Show Status to check the Logging Service Status. The status for License, Certificate, and Customer Info should be green. You can also use this CLI command to check the certificate status along with other details related to Cortex Data Lake: request logging-service-forwarding status. There is a known issue where device connectivity does not display a green status indicator even when the firewall is successfully connected to Cortex Data Lake.
- The firewall is now connected to Cortex Data Lake but is not yet forwarding logs. Follow these steps to start sending logs and to best secure traffic between the firewall and Cortex Data Lake.
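A pre-onboarding readiness check for the FQDN and no-decryption requirements in the procedure above, added here as an example (it is not Palo Alto Networks code). It assumes TLS on port 443 (the page lists no ports) and a hypothetical issuer-name heuristic for spotting a decryption proxy; the resolver and TLS probe are injectable so the logic can be exercised offline.

```python
# Added example, not Palo Alto Networks code: a pre-onboarding readiness check
# for the FQDNs named in the service-route step. Each FQDN must resolve, accept
# a TLS session, and present a leaf certificate issued by a public CA rather
# than one re-signed by a decryption proxy (the procedure forbids decrypting
# traffic to Cortex Data Lake). Assumptions: TLS on port 443 (the page lists
# no ports) and the issuer-name heuristic below.
import socket
import ssl

CDL_FQDNS = [  # FQDNs listed in the procedure above
    "api.paloaltonetworks.com",
    "apitrusted.paloaltonetworks.com",
    "lic.lc.prod.us.cs.paloaltonetworks.com",
    "certificatetrusted.paloaltonetworks.com",
    "certificate.paloaltonetworks.com",
]
TLS_PORT = 443  # assumption

def issuer_looks_like_decryption_proxy(issuer_cn, hostname):
    # A decryption proxy re-signs the server certificate with its own CA, so the
    # leaf issuer names the proxy / forward-trust CA, or the cert is self-issued.
    cn = issuer_cn.lower()
    if cn == hostname.lower():
        return True
    return any(t in cn for t in ("forward trust", "decrypt", "proxy", "inspection"))

def _leaf_issuer_cn(fqdn):
    # Verifying context: an untrusted (proxy) chain raises ssl.SSLError (an OSError).
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, TLS_PORT), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return issuer.get("commonName", "")

def check_fqdn(fqdn, resolve=socket.gethostbyname, fetch_issuer_cn=_leaf_issuer_cn):
    # resolve / fetch_issuer_cn are injectable so the logic can be tested offline.
    result = {"fqdn": fqdn, "resolves": False, "tls_ok": False, "intercepted": None}
    try:
        result["ip"] = resolve(fqdn)
        result["resolves"] = True
        issuer_cn = fetch_issuer_cn(fqdn)
    except OSError:  # DNS failure, blocked port, timeout, or untrusted chain
        return result
    result["tls_ok"] = True
    result["intercepted"] = issuer_looks_like_decryption_proxy(issuer_cn, fqdn)
    return result

def ready_to_onboard(fqdns=CDL_FQDNS, **probes):
    # True only if every FQDN resolves, completes TLS, and is not intercepted.
    report = [check_fqdn(f, **probes) for f in fqdns]
    return all(r["resolves"] and r["tls_ok"] and not r["intercepted"] for r in report), report
```

Run it from a host on the same network path as the firewall's chosen source interface; a failed verification (tls_ok False) or an intercepted flag means the path is being decrypted or filtered and the onboarding step will not complete cleanly.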