Cortex Data Lake Getting Started
    : Onboard Firewalls without Panorama (10.1 or Later)
    Focus
    Download PDF
    Focus
    1. Home
    2. Security Operations
    3. Cortex Data Lake
    4. Cortex Data Lake Getting Started
    5. Get Started with Cortex Data Lake
    6. Onboard Firewalls to Cortex Data Lake
    7. Onboard Firewalls without Panorama (10.1 or Later)
    Download PDF

    Cortex Data Lake Getting Started

    Onboard Firewalls without Panorama (10.1 or Later)

    Table of Contents

    Onboard Firewalls without Panorama (10.1 or Later)

    Directly onboard your firewalls running PAN-OS 10.1 or later to Cortex™ Data Lake.
    Beginning with PAN-OS 10.1, you can install a device certificate on your firewalls to simplify the onboarding process. Before you start sending logs to Cortex™ Data Lake, you must install device certificates on as many firewalls as you’d like to onboard. After you’ve installed the certificates, use the Cortex Data Lake app to complete the onboarding process.
    Before you begin, ensure that your firewalls are running PAN-OS 10.1 or later and that they have the device certificate installed.
    1. Install a device certificate on the firewalls that you want to connect to Cortex Data Lake.
      1. If this is your first time installing a device certificate, you must delete the
        Cortex Data Lake
         key and re-fetch it by issuing the following commands:
        > delete license key <CDL_License_Key>
> request license fetch
        This is only required the first time that you install the device certificate.
    2. Onboard the firewalls to a Cortex Data Lake instance.
      1. Log in to the hub and open the Cortex Data Lake app to the instance to which you are onboarding.
      2. Select
        Inventory
        Firewalls
        Add
        .
      3. Select
        New
         and
        Next
        .
      4. Select the firewalls to connect to Cortex Data Lake and choose whether Cortex Data Lake will store or only ingest their data.
      5. Submit
         your choices.
    3. Log in to the firewalls that you want to connect to Cortex Data Lake and set the
      Palo Alto Networks Services
       service route to use either the management interface or a data interface.
      • Follow these steps to use the management interface for activation. Otherwise, configure a data interface.
        1. Select
          Device
          Setup
          Services
          Global
           on a firewall without multiple virtual system (multi-vsys) capability.
        2. Under Services Features, click
          Service Route Configuration
          .
        3. Select
          Customize
          .
        4. Under Service, click
          Palo Alto Networks Services
          .
        5. For
          Source Interface
          , select
          MGT
          .
        6. Click
          OK
           to exit the Service Route Source dialog and
          OK
           again to exit Service Route Configuration.
      After activation, you can configure a different interface to forward logs to Cortex Data Lake. For details, see how to start sending logs to Cortex Data Lake.
      • If you chose not to use the management interface for activation, use a data interface by configuring destination service routes for the following FQDNs:
        • api.paloaltonetworks.com
        • apitrusted.paloaltonetworks.com
        • lic.lc.prod.us.cs.paloaltonetworks.com
        1. Select
          Device
          Setup
          Services
          Global
          .
          Global
           on a firewall without multiple virtual system (multi-vsys) capability.
        2. Under Services Features, click
          Service Route Configuration
          .
        3. Select
          Customize
          .
        4. Under Service, select the following:
          • Palo Alto Networks Services
          • CRL status
          • DNS
          • HTTP
          • NTP
        5. Set Selected Service Routes
          .
        6. Select the
          Source Interface
           you want to use for activation and then select a
          Source Address
           from that interface.
        7. Click
          OK
          .
        8. Select
          Destination
          .
        9. Add
           a destination.
        10. Enter any of the FQDNs above as
          Destination
          .
        11. Select the same
          Source Interface
           and
          Source Address
           that you selected for activation.
        12. Click
          OK
          .
        13. Add
           two more destinations for the same interface using the remaining two FQDNs.
        14. Click
          OK
           to exit Service Route Configuration.
    4. Select
      Device
      Licenses
       and confirm that the Logging Service license (now called Cortex Data Lake) is active.
      When you purchased your Cortex Data Lake license, all firewalls registered to your support account received a Cortex Data Lake license. If you don’t see the Cortex Data Lake license,
      Retrieve license keys from license server
       to manually refresh the firewall licenses.
    5. Set up the connection to Cortex Data Lake and check connection status:
      1. Select
        Device
        Setup
        Management
         and find the
        Logging Service
         settings (Cortex Data Lake used to be called Logging Service).
      2. Enable Logging Service
         to connect the firewall to Cortex Data Lake. If you want the firewall to collect data that increases visibility for Palo Alto Networks applications, like Cortex XDR, you can also
        Enable Enhanced Application Logging
        .
        Cortex Data Lake logging doesn’t start until after you’ve specified the log types you want to forward. Complete these steps and then start sending logs to Cortex Data Lake.
        Do not
        Enable Duplicate Logging
        . This option applies only to Panorama-managed firewalls.
      3. Show Status
         to check
        Logging Service Status
         (Cortex Data Lake). The status for License, Certificate, and Customer Info should be green.
        There is a known issue where device connectivity does not display a green status indicator even when the firewall is successfully connected to Cortex Data Lake.
    6. (
      Optional
      ) Configure the firewall to connect to Cortex Data Lake through a proxy server.
      If your network uses a proxy server instead of a default gateway, follow these steps to enable communication between the firewall and Cortex Data Lake.
      1. Select
        Device
        Setup
        Services
        Settings ( )
        .
      2. Use proxy to send logs to Cortex Data Lake
        .
      3. Click
        OK
        .
    7. The firewall is now connected to Cortex Data Lake but is not yet forwarding logs. Follow these steps to start sending logs and to best secure traffic between the firewall and Cortex Data Lake.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.