Onboard Firewalls without Panorama (10.1 or Later)
Directly onboard your firewalls running PAN-OS 10.1 or
later to Cortex™ Data Lake.
Beginning with PAN-OS 10.1, you can install a device certificate on
your firewalls to simplify the onboarding process. Before you start sending
logs to Cortex™ Data Lake, you must install device certificates
on as many firewalls as you’d like to onboard. After you’ve installed
the certificates, use the Cortex Data Lake app to complete the onboarding
process.
Before you begin, ensure that your firewalls are
running PAN-OS 10.1 or later and that they have the device certificate
installed.
- Install a device certificate on the firewalls that you want to connect to Cortex Data Lake.
  - If this is your first time installing a device certificate, you must delete the Cortex Data Lake key and re-fetch it by issuing the following commands:

    ```
    > delete license key <CDL_License_Key>
    > request license fetch
    ```

    This is only required the first time that you install the device certificate.
- Onboard the firewalls to a Cortex Data Lake instance.
  - Log in to the hub and open the Cortex Data Lake app to the instance to which you are onboarding.
  - Select Inventory > Firewalls > Add.
  - Select New and Next.
  - Select the firewalls to connect to Cortex Data Lake and choose whether Cortex Data Lake will store or only ingest their data.
  - Submit your choices.
- Log in to the firewalls that you want to connect to Cortex Data Lake and set the Palo Alto Networks Services service route to use either the management interface or a data interface.
  - Follow these steps to use the management interface for activation. Otherwise, configure a data interface.
    - Select Device > Setup > Services > Global on a firewall without multiple virtual system (multi-vsys) capability.
    - Under Services Features, click Service Route Configuration.
    - Select Customize.
    - Under Service, click Palo Alto Networks Services.
    - For Source Interface, select MGT.
    - Click OK to exit the Service Route Source dialog and OK again to exit Service Route Configuration.

    After activation, you can configure a different interface to forward logs to Cortex Data Lake. For details, see how to start sending logs to Cortex Data Lake.
  - If you chose not to use the management interface for activation, use a data interface by configuring destination service routes for the following FQDNs:
    - api.paloaltonetworks.com
    - apitrusted.paloaltonetworks.com
    - lic.lc.prod.us.cs.paloaltonetworks.com

    Then complete these steps:
    - Select Device > Setup > Services > Global on a firewall without multiple virtual system (multi-vsys) capability.
    - Under Services Features, click Service Route Configuration.
    - Select Customize.
    - Under Service, select the following:
      - Palo Alto Networks Services
      - CRL status
      - DNS
      - HTTP
      - NTP
    - Set Selected Service Routes.
    - Select the Source Interface you want to use for activation and then select a Source Address from that interface.
    - Click OK.
    - Select Destination.
    - Add a destination.
    - Select the same Source Interface and Source Address that you selected for activation.
    - Click OK.
    - Add two more destinations for the same interface using the remaining two FQDNs.
    - Click OK to exit Service Route Configuration.
- Select Device > Licenses and confirm that the Logging Service license (now called Cortex Data Lake) is active.

  When you purchased your Cortex Data Lake license, all firewalls registered to your support account received a Cortex Data Lake license. If you don’t see the Cortex Data Lake license, Retrieve license keys from license server to manually refresh the firewall licenses.
- Set up the connection to Cortex Data Lake and check connection status:
  - Select Device > Setup > Management and find the Logging Service settings (Cortex Data Lake used to be called Logging Service).
  - Enable Logging Service to connect the firewall to Cortex Data Lake. If you want the firewall to collect data that increases visibility for Palo Alto Networks applications, like Cortex XDR, you can also Enable Enhanced Application Logging.

    Cortex Data Lake logging doesn’t start until after you’ve specified the log types you want to forward. Complete these steps and then start sending logs to Cortex Data Lake.

    Do not Enable Duplicate Logging. This option applies only to Panorama-managed firewalls.
  - Show Status to check Logging Service Status (Cortex Data Lake). The status for License, Certificate, and Customer Info should be green.

    There is a known issue where device connectivity does not display a green status indicator even when the firewall is successfully connected to Cortex Data Lake.
- (Optional) Configure the firewall to connect to Cortex Data Lake through a proxy server.

  If your network uses a proxy server instead of a default gateway, follow these steps to enable communication between the firewall and Cortex Data Lake.
  - Select Device > Setup > Services > Settings.
  - Use proxy to send logs to Cortex Data Lake.
  - Click OK.
- The firewall is now connected to Cortex Data Lake but is not yet forwarding logs. Follow these steps to start sending logs and to best secure traffic between the firewall and Cortex Data Lake.
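
A preflight check for the data-interface option above, added here as an example and not taken from Palo Alto Networks documentation or tooling: run from a host on the same subnet as the chosen Source Address, it confirms that the three activation FQDNs resolve and accept a TCP connection along that egress path. Port 443 is an assumption (the page does not state the port), and the function names and `source_ip` parameter are hypothetical.

```python
import socket

# FQDNs the page lists for destination service routes on a data interface.
ACTIVATION_FQDNS = (
    "api.paloaltonetworks.com",
    "apitrusted.paloaltonetworks.com",
    "lic.lc.prod.us.cs.paloaltonetworks.com",
)
ASSUMED_PORT = 443  # assumption: HTTPS; the page does not state the port


def _tcp_connect(addr, port, source_ip, timeout):
    """Open and close one TCP connection, optionally bound to source_ip."""
    src = (source_ip, 0) if source_ip else None
    with socket.create_connection((addr, port), timeout=timeout, source_address=src):
        return True


def preflight(fqdns=ACTIVATION_FQDNS, port=ASSUMED_PORT, source_ip=None,
              resolve=socket.getaddrinfo, connect=_tcp_connect, timeout=5.0):
    """Return {fqdn: {"addresses": [...], "reachable": [...], "error": str or None}}."""
    report = {}
    for name in fqdns:
        entry = report[name] = {"addresses": [], "reachable": [], "error": None}
        try:
            infos = resolve(name, port, type=socket.SOCK_STREAM)
            entry["addresses"] = sorted({info[4][0] for info in infos})
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            entry["error"] = f"DNS: {exc}"
            continue
        for addr in entry["addresses"]:
            try:
                connect(addr, port, source_ip, timeout)
                entry["reachable"].append(addr)
            except OSError as exc:  # refused, timed out, or address-family mismatch
                entry["error"] = f"TCP {addr}:{port}: {exc}"
    return report


def failures(report):
    """FQDNs that did not resolve or had no reachable address."""
    return sorted(name for name, entry in report.items() if not entry["reachable"])


if __name__ == "__main__":
    rep = preflight()
    for name, entry in rep.items():
        print(name, entry)
    raise SystemExit(1 if failures(rep) else 0)
```

A non-empty `failures()` result points at DNS or upstream filtering on that path rather than at the service route configuration itself.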