: Onboard Firewalls without Panorama (10.0 or Earlier)
Focus
Focus

Onboard Firewalls without Panorama (10.0 or Earlier)

Table of Contents

Onboard Firewalls without Panorama (10.0 or Earlier)

Before you start sending logs to
Cortex Data Lake
, you must generate the key that enables firewalls to securely connect to
Cortex Data Lake
. Onboarding keys are valid for 24 hours and you can use a single key for as many firewalls as you’d like to onboard during that 24-hour period.
After you use the
Cortex Data Lake
app to generate the key, copy the key and save it for future reference. You cannot reference it again after you close out of the
Cortex Data Lake
app and you will need to add the key to each firewall that you want to connect to
Cortex Data Lake
. Generating a new key invalidates any other keys that were generated in the previous 24 hours.
If you have already connected the firewall to a
Cortex Data Lake
instance and want to connect it to a new instance, first issue the following command from the firewall CLI:
admin@PA-220> request logging-service-forwarding certificate delete
This will sever the connection between the firewall and the current
Cortex Data Lake
instance. Then, simply follow the below procedure to connect to the new
Cortex Data Lake
instance.
Before you begin, ensure that your firewalls are running a PAN-OS version that supports direct onboarding to
Cortex Data Lake
.
  1. On your firewalls, allow access to the ports and FQDNs required to connect to
    Cortex Data Lake
    . If you are using a proxy server, allow the same ports and FQDNs on the server without SSL decryption.
    Ensure that you are not decrypting traffic to
    Cortex Data Lake
    .
  2. (
    Optional
    ) To configure firewall to connect to
    Cortex Data Lake
    through a proxy server, select
    Device
    Setup
    Services
    Use proxy to send logs to Cortex Data Lake
    .
  3. By default, the management interface is used to forward logs to
    Cortex Data Lake
    . If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com,certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
    1. Select
      Device
      Setup
      Services
      Global
      .
      Global
      on a firewall without multiple virtual system (multi-vsys) capability.
    2. Under Services Features, click
      Service Route Configuration
      .
    3. Select
      Customize
      .
    4. Under Service, select the following:
      • Palo Alto Networks Services
      • CRL status
      • DNS
      • HTTP
      • NTP
    5. Set
      Selected Service Routes
      .
    6. Select the
      Source Interface
      you want to use for activation and then select a
      Source Address
      from that interface and click
      OK
      .
    7. Select
      Destination
      and
      Add
      a destination.
    8. Enter any of the FQDNs above as
      Destination
      .
    9. Select the same
      Source Interface
      and
      Source Address
      that you selected for activation and click
      OK
      .
    10. Add
      two more destinations for the same interface using the remaining FQDNs.
    11. Click
      OK
      again to exit Service Route Configuration.
    12. Update the access rules required to connect to
      Cortex Data Lake
      for the new interface IP address.
  4. Configure NTP so that the firewall stays in sync with
    Cortex Data Lake
    . Ignore this step if you have enabled proxy configuration:
    • On firewall, click
      Device
      Setup
      Services
      and set the
      NTP Server Address
      . For example:
      pool.ntp.org
      .
  5. Onboard the firewalls to a
    Cortex Data Lake
    instance.
    Ignore this step if you don't have a
    Cortex Data Lake
    license and want to send logs to Cortex XDR only.
    1. Log in to the hub and open the
      Cortex Data Lake
      app.
    2. Select
      Inventory
      Firewalls
      Generate PSK
      to generate the onboarding key. Copy or save the key so that you can use it in later steps.
  6. Log in to the firewall that you want to connect to
    Cortex Data Lake
    .
  7. Select
    Device
    Licenses
    and confirm that the
    Cortex Data Lake
    license is active. Ensure that you have subscribed to a valid support license of
    Cortex Data Lake
    (90 days software warranty is not counted as a valid support license).
    When you purchased your
    Cortex Data Lake
    license, all firewalls registered to your support account received a
    Cortex Data Lake
    license. If you don’t see the
    Cortex Data Lake
    license,
    Retrieve license keys from license server
    to manually refresh the firewall licenses.
  8. Set up the connection to
    Cortex Data Lake
    and check connection status:
    1. Select
      Device
      Setup
      Management
      and find the
      Logging Service
      settings.
    2. (
      Important
      ) Before you populate any other settings, find the
      Onboard to Cloud
      option. Click
      Connect
      and enter the
      PSK
      (onboarding key) in the
      Cortex Data Lake
      app. Then click
      Connect
      again.
      After you connect you should see a pop-up dialog that confirms that the firewall is equipped with the certificate it needs to authenticate to
      Cortex Data Lake
      . You can also check the
      Task Manager
      to confirm that the firewall successfully authenticated to
      Cortex Data Lake
      .
    3. Enable Logging Service
      to connect the firewall to
      Cortex Data Lake
      . If you want the firewall to collect data that increases visibility for Palo Alto Networks applications, like Cortex XDR, you can also
      Enable Enhanced Application Logging
      .
      Cortex Data Lake
      logging doesn’t start until after you’ve specified the log types you want to forward. Complete these steps and then
      start sending logs to
      Cortex Data Lake
      .
      Do not
      Enable Duplicate Logging
      . This option applies only to Panorama-managed firewalls.
    4. Select the geographic
      Region
      of the
      Cortex Data Lake
      instance to which you want to forward logs. This is the region you chose when you activated
      Cortex Data Lake
      .
    5. Commit and push the config to firewalls.
    6. Show Status
      to check
      Logging Service Status
      . The status for License, Certificate, and Customer Info should be green. You can also use this command to check the certificate status along with other details related to
      Cortex Data Lake
      :
      request logging-service-forwarding status
      .
      There is a known issue where device connectivity does not display a green status indicator even when the firewall is successfully connected to
      Cortex Data Lake
      .
  9. The firewall is now connected to
    Cortex Data Lake
    but is not yet forwarding logs. Follow these steps to start sending logs and to best secure traffic between the firewall and
    Cortex Data Lake
    .

Recommended For You