Onboard Firewalls without Panorama (10.0 or Earlier)
Before you start sending logs to Cortex™ Data
Lake, you must generate the key that enables firewalls to securely
connect to Cortex Data Lake. Onboarding keys are valid for 24 hours
and you can use a single key for as many firewalls as you’d like
to onboard during that 24-hour period.
After you use the Cortex Data Lake app to generate the key, copy the key and save it for future reference. You cannot view it again after you close the Cortex Data Lake app, and you will need to enter the key on each firewall that you want to connect to Cortex Data Lake. Treat the key as a credential: for the 24 hours it is valid, any firewall that presents it can enroll in your Cortex Data Lake instance, so store it where you keep other secrets rather than in a ticket or chat message. Generating a new key invalidates any other keys that were generated in the previous 24 hours.
If you have already connected the firewall
to a Cortex Data Lake instance and want to connect it to a new instance,
first issue the following command from the firewall CLI:
admin@PA-220> request logging-service-forwarding certificate delete
This severs the connection between the firewall and the current Cortex Data Lake instance. Then follow the procedure below to connect the firewall to the new Cortex Data Lake instance.
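If you need to issue that command on many firewalls before re-onboarding them, the PAN-OS XML API runs the same operational commands (type=op) that the CLI does. The script below is an added example, not Palo Alto Networks code: it converts a CLI command into the nested-element form the op endpoint expects, sends it over TLS with certificate verification left on, and checks the response status envelope. The hostname, API key, and the sample responses are constructed for illustration; the PSK entry itself is not covered because this page shows it only through the web interface.

```python
"""Run a PAN-OS operational command through the firewall's XML API.

Added example, not Palo Alto Networks code. It maps a CLI command such as
`request logging-service-forwarding certificate delete` onto the nested-element
form the XML API op endpoint (/api/?type=op) expects and checks the
<response status="..."> envelope PAN-OS returns. Hostnames, the API key and
the sample responses are constructed placeholders, not real values.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def cli_to_op_xml(command: str) -> str:
    """Convert a space-separated CLI command into XML API op-command form.

    Each keyword becomes a nested element and the last one an empty element:
    'show system info' -> '<show><system><info/></system></show>'.
    """
    tokens = command.split()
    if not tokens:
        raise ValueError("empty command")
    xml = f"<{tokens[-1]}/>"
    for tok in reversed(tokens[:-1]):
        xml = f"<{tok}>{xml}</{tok}>"
    return xml


def parse_op_response(body: str) -> ET.Element:
    """Return the <result> element of a successful reply; raise on error.

    PAN-OS error replies carry the text either as <msg><line>..</line></msg>
    or as a bare <msg>..</msg>, so both forms are collected.
    """
    root = ET.fromstring(body)
    status = root.get("status")
    if status != "success":
        texts = [el.text for el in root.iter("line")] or [el.text for el in root.iter("msg")]
        msg = "; ".join(t.strip() for t in texts if t and t.strip()) or f"code={root.get('code')}"
        raise RuntimeError(f"PAN-OS returned status={status!r}: {msg}")
    result = root.find("result")
    return result if result is not None else root


def run_op_command(host: str, api_key: str, command: str, timeout: float = 30.0) -> ET.Element:
    """POST the op command to https://<host>/api/ and parse the reply.

    TLS verification stays enabled: the firewall must present a certificate
    that chains to a CA this client trusts, otherwise an on-path attacker
    could capture the API key, which carries the rights of the admin that
    generated it.
    """
    params = urllib.parse.urlencode(
        {"type": "op", "cmd": cli_to_op_xml(command), "key": api_key}
    )
    ctx = ssl.create_default_context()
    req = urllib.request.Request(f"https://{host}/api/", data=params.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_op_response(resp.read().decode())


def reset_cdl_certificate(host: str, api_key: str) -> bool:
    """Sever the firewall's current Cortex Data Lake binding (the CLI command
    quoted on this page) so the firewall can be onboarded to another instance."""
    run_op_command(host, api_key, "request logging-service-forwarding certificate delete")
    return True


if __name__ == "__main__":
    import os
    import sys

    # Placeholder host list and key; supply real values through the environment.
    hosts = os.environ.get("PAN_HOSTS", "fw1.example.internal,fw2.example.internal")
    key = os.environ.get("PAN_API_KEY")
    if not key:
        sys.exit("set PAN_API_KEY (obtain one from the firewall API with type=keygen)")
    for fw_host in hosts.split(","):
        reset_cdl_certificate(fw_host.strip(), key)
        print(f"{fw_host}: certificate deleted; onboard it with the new PSK next")
```

Run it with `PAN_HOSTS` set to a comma-separated list of management addresses and `PAN_API_KEY` set to a key generated for an admin role that is allowed to run operational commands; keep the key out of shell history and scripts checked into source control.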
Before you begin, ensure
that your firewalls are running a PAN-OS version that
supports direct onboarding to Cortex Data Lake.
- Log in to the hub and open the Cortex Data Lake app.
- Select Inventory > Firewalls > Generate PSK to generate the onboarding key. Copy or save the key so that you can use it in later steps.
- Log in to the firewall that you want to connect to Cortex Data Lake.
- Select Device > Licenses and confirm that the Logging Service license (now called Cortex Data Lake) is active. When you purchased your Cortex Data Lake license, all firewalls registered to your support account received a Cortex Data Lake license. If you don't see the Cortex Data Lake license, click Retrieve license keys from license server to manually refresh the firewall licenses.
- Set the Palo Alto Networks Services service route to use either the management interface or a data interface.
- Follow these steps to use the management interface for activation. Otherwise, configure a data interface.
- Select Device > Setup > Services > Global on a firewall without multiple virtual system (multi-vsys) capability.
- Under Services Features, click Service Route Configuration.
- Select Customize.
- Under Service, click Palo Alto Networks Services.
- For Source Interface, select MGT.
- Click OK to exit the Service Route Source dialog and OK again to exit Service Route Configuration.
After activation, you can configure a different interface to forward logs to Cortex Data Lake. For details, see how to start sending logs to Cortex Data Lake.
- If you chose not to use the management interface for activation, use a data interface by configuring destination service routes for the following FQDNs:
- api.paloaltonetworks.com
- apitrusted.paloaltonetworks.com
- lic.lc.prod.us.cs.paloaltonetworks.com
- Select Device > Setup > Services > Global on a firewall without multiple virtual system (multi-vsys) capability.
- Under Services Features, click Service Route Configuration.
- Select Customize.
- Under Service, select the following:
- Palo Alto Networks Services
- CRL status
- DNS
- HTTP
- NTP
- Set Selected Service Routes.
- Select the Source Interface you want to use for activation and then select a Source Address from that interface.
- Click OK.
- Select Destination.
- Add a destination.
- Select the same Source Interface and Source Address that you selected for activation.
- Click OK.
- Add two more destinations for the same interface using the remaining two FQDNs.
- Click OK to exit Service Route Configuration.
- Set up the connection to Cortex Data Lake and check connection status:
- Select Device > Setup > Management and find the Logging Service settings (Cortex Data Lake used to be called Logging Service).
- (Important) Before you populate any other settings, find the Onboard to Cloud option. Click Connect and enter the PSK (the onboarding key you generated in the Cortex Data Lake app). Then click Connect again. After you connect, you should see a pop-up dialog confirming that the firewall has received the certificate it needs to authenticate to Cortex Data Lake. You can also check the Task Manager to confirm that the firewall successfully authenticated to Cortex Data Lake.
- Enable Logging Service to connect the firewall to Cortex Data Lake. If you want the firewall to collect data that increases visibility for Palo Alto Networks applications, like Cortex XDR, you can also Enable Enhanced Application Logging. Cortex Data Lake logging doesn't start until after you've specified the log types you want to forward. Complete these steps and then start sending logs to Cortex Data Lake. Do not Enable Duplicate Logging. This option applies only to Panorama-managed firewalls.
- Select the geographic Region of the Cortex Data Lake instance to which you want to forward logs. This is the region you chose when you activated Cortex Data Lake.
- Click Show Status to check the Logging Service Status (Cortex Data Lake). The status for License, Certificate, and Customer Info should be green. There is a known issue where device connectivity does not display a green status indicator even when the firewall is successfully connected to Cortex Data Lake.
- (Optional, PAN-OS 10.0 or later) Configure the firewall to connect to Cortex Data Lake through a proxy server.If your network uses a proxy server instead of a default gateway, follow these steps to enable communication between the firewall and Cortex Data Lake.
- Select Device > Setup > Services > Settings.
- Select Use proxy to send logs to Cortex Data Lake.
- Click OK.
- The firewall is now connected to Cortex Data Lake but is not yet forwarding logs. Follow these steps to start sending logs and to best secure traffic between the firewall and Cortex Data Lake.