Onboard Firewalls without Panorama (10.1 or Later)

Install a device certificate on the firewalls that you want to connect to Cortex Data Lake.
If this is your first time installing a device certificate, you must delete the
Cortex Data Lake
key and re-fetch it by issuing the following commands:
> delete license key <CDL_License_Key>
> request license fetch
This is only required the first time that you install the device certificate.
Reboot the firewalls for the device certificate to take effect.
Onboard the firewalls to a Cortex Data Lake instance.
Log in to the hub and open the Cortex Data Lake app to the instance to which you are onboarding.
Select
Inventory
Firewalls
Add
.
Select
New
and
Next
.
Select the firewalls to connect to Cortex Data Lake and choose whether Cortex Data Lake will store or only ingest their data.
Submit
your choices.
Log in to the firewalls that you want to connect to Cortex Data Lake and set the
Palo Alto Networks Services
service route to use either the management interface or a data interface.
Follow these steps to use the management interface for activation. Otherwise, configure a data interface.
Select
Device
Setup
Services
Global
on a firewall without multiple virtual system (multi-vsys) capability.
Under Services Features, click
Service Route Configuration
.
Select
Customize
.
Under Service, click
Palo Alto Networks Services
.
For
Source Interface
, select
MGT
.
Click
OK
to exit the Service Route Source dialog and
OK
again to exit Service Route Configuration.
After activation, you can configure a different interface to forward logs to Cortex Data Lake. For details, see how to start sending logs to Cortex Data Lake.
If you chose not to use the management interface for activation, use a data interface by configuring destination service routes for the following FQDNs:
api.paloaltonetworks.com
apitrusted.paloaltonetworks.com
lic.lc.prod.us.cs.paloaltonetworks.com
Select
Device
Setup
Services
Global
.
Global
on a firewall without multiple virtual system (multi-vsys) capability.
Under Services Features, click
Service Route Configuration
.
Select
Customize
.
Under Service, select the following:
Palo Alto Networks Services
CRL status
DNS
HTTP
NTP
Set Selected Service Routes
.
Select the
Source Interface
you want to use for activation and then select a
Source Address
from that interface.

Click
OK
.
Select
Destination
.
Add
a destination.
Enter any of the FQDNs above as
Destination
.

Select the same
Source Interface
and
Source Address
that you selected for activation.
Click
OK
.
Add
two more destinations for the same interface using the remaining two FQDNs.

Click
OK
to exit Service Route Configuration.
Select
Device
Licenses
and confirm that the Logging Service license (now called Cortex Data Lake) is active.
When you purchased your Cortex Data Lake license, all firewalls registered to your support account received a Cortex Data Lake license. If you don’t see the Cortex Data Lake license,
Retrieve license keys from license server
to manually refresh the firewall licenses.
Set up the connection to Cortex Data Lake and check connection status:
Select
Device
Setup
Management
and find the
Logging Service
settings (Cortex Data Lake used to be called Logging Service).
Enable Logging Service
to connect the firewall to Cortex Data Lake. If you want the firewall to collect data that increases visibility for Palo Alto Networks applications, like Cortex XDR, you can also
Enable Enhanced Application Logging
.
Cortex Data Lake logging doesn’t start until after you’ve specified the log types you want to forward. Complete these steps and then start sending logs to Cortex Data Lake.
Do not
Enable Duplicate Logging
. This option applies only to Panorama-managed firewalls.
Show Status
to check
Logging Service Status
(Cortex Data Lake). The status for License, Certificate, and Customer Info should be green.
There is a known issue where device connectivity does not display a green status indicator even when the firewall is successfully connected to Cortex Data Lake.
(
Optional
) Configure the firewall to connect to Cortex Data Lake through a proxy server.
If your network uses a proxy server instead of a default gateway, follow these steps to enable communication between the firewall and Cortex Data Lake.
Select
Device
Setup
Services
Settings ( )
.
Use proxy to send logs to Cortex Data Lake
.
Click
OK
.
The firewall is now connected to Cortex Data Lake but is not yet forwarding logs. Follow these steps to start sending logs and to best secure traffic between the firewall and Cortex Data Lake.