Onboard Firewalls without Panorama (10.1 or Later)

Directly onboard your firewalls running PAN-OS 10.1 or later to Cortex™ Data Lake.
Beginning with PAN-OS 10.1, you can install a device certificate on your firewalls to simplify the onboarding process. Before you start sending logs to Cortex™ Data Lake, you must install device certificates on as many firewalls as you’d like to onboard. After you’ve installed the certificates, use the Cortex Data Lake app to complete the onboarding process.
Before you begin, ensure that your firewalls are running PAN-OS 10.1 or later and that they have the device certificate installed.
  1. Install a device certificate on the firewall that you want to connect to Cortex Data Lake.
  2. Reboot the firewall for the device certificate to take effect.
  3. Log in to the hub and open the Cortex Data Lake app to the instance to which you are onboarding.
  4. Select
    Inventory
    Onboard New Firewall or Panorama
    .
  5. Select
    New
    .
  6. Select
    Next-Generation Firewalls
    and
    Next
    .
  7. Select the firewalls to connect to Cortex Data Lake and choose whether Cortex Data Lake will store or only ingest their data.
  8. Submit
    your choices.
  9. Log in to the firewalls that you want to connect to Cortex Data Lake and set the
    Palo Alto Networks Services
    service route to use either the management interface or a data interface.
    • Follow these steps to use the management interface for activation. Otherwise, configure a data interface.
      1. Select
        Device
        Setup
        Services
        Global
        on a firewall without multiple virtual system (multi-vsys) capability.
      2. Under Services Features, click
        Service Route Configuration
        .
      3. Select
        Customize
        .
      4. Under Service, click
        Palo Alto Networks Services
        .
      5. For
        Source Interface
        , select
        MGT
        .
      6. Click
        OK
        to exit the Service Route Source dialog and
        OK
        again to exit Service Route Configuration.
    After activation, you can configure a different interface to forward logs to Cortex Data Lake. For details, see how to start sending logs to Cortex Data Lake.
    • If you chose not to use the management interface for activation, use a data interface by configuring destination service routes for the following FQDNs:
      • api.paloaltonetworks.com
      • apitrusted.paloaltonetworks.com
      • lic.lc.prod.us.cs.paloaltonetworks.com
      1. Select
        Device
        Setup
        Services
        Global
        .
        Global
        on a firewall without multiple virtual system (multi-vsys) capability.
      2. Under Services Features, click
        Service Route Configuration
        .
      3. Select
        Customize
        .
      4. Under Service, select the following:
        • Palo Alto Networks Services
        • CRL status
        • DNS
        • HTTP
        • NTP
      5. Set Selected Service Routes
        .
      6. Select the
        Source Interface
        you want to use for activation and then select a
        Source Address
        from that interface.
      7. Click
        OK
        .
      8. Select
        Destination
        .
      9. Add
        a destination.
      10. Enter any of the FQDNs above as
        Destination
        .
      11. Select the same
        Source Interface
        and
        Source Address
        that you selected for activation.
      12. Click
        OK
        .
      13. Add
        two more destinations for the same interface using the remaining two FQDNs.
      14. Click
        OK
        to exit Service Route Configuration.
  10. Select
    Device
    Licenses
    and confirm that the Logging Service license (now called Cortex Data Lake) is active.
    When you purchased your Cortex Data Lake license, all firewalls registered to your support account received a Cortex Data Lake license. If you don’t see the Cortex Data Lake license,
    Retrieve license keys from license server
    to manually refresh the firewall licenses.
  11. Set up the connection to Cortex Data Lake and check connection status:
    1. Select
      Device
      Setup
      Management
      and find the
      Logging Service
      settings (Cortex Data Lake used to be called Logging Service).
    2. Enable Logging Service
      to connect the firewall to Cortex Data Lake. If you want the firewall to collect data that increases visibility for Palo Alto Networks applications, like Cortex XDR, you can also
      Enable Enhanced Application Logging
      .
      Cortex Data Lake logging doesn’t start until after you’ve specified the log types you want to forward. Complete these steps and then start sending logs to Cortex Data Lake.
      Do not
      Enable Duplicate Logging
      . This option applies only to Panorama-managed firewalls.
    3. Show Status
      to check
      Logging Service Status
      (Cortex Data Lake). The status for License, Certificate, and Customer Info should be green.
      There is a known issue where device connectivity does not display a green status indicator even when the firewall is successfully connected to Cortex Data Lake.
  12. (
    Optional
    ) Configure the firewall to connect to Cortex Data Lake through a proxy server.
    If your network uses a proxy server instead of a default gateway, follow these steps to enable communication between the firewall and Cortex Data Lake.
    1. Select
      Device
      Setup
      Services
      Settings ( )
      .
    2. Use proxy to send logs to Cortex Data Lake
      .
    3. Click
      OK
      .
  13. The firewall is now connected to Cortex Data Lake but is not yet forwarding logs. Follow these steps to start sending logs and to best secure traffic between the firewall and Cortex Data Lake.

Recommended For You