Onboard Firewalls without Panorama (10.1 or Later)
Directly onboard your firewalls running PAN-OS 10.1 or later to Cortex Data Lake.

Beginning with PAN-OS 10.1, you can install a device certificate on your firewalls to simplify the onboarding process. Before you start sending logs to Cortex Data Lake, you must install device certificates on as many firewalls as you'd like to onboard. After you've installed the certificates, use the Cortex Data Lake app to complete the onboarding process.

Before you begin, ensure that your firewalls are running PAN-OS 10.1 or later and that they have the device certificate installed.
- On your firewalls, allow access to the ports and FQDNs required to connect to Cortex Data Lake. If you are using a proxy server, allow the same ports and FQDNs on the proxy without SSL decryption. Ensure that you are not decrypting traffic to Cortex Data Lake.
- (Optional) To configure the firewall to connect to Cortex Data Lake through a proxy server, select Device > Setup > Services > Use proxy to send logs to Cortex Data Lake.
- By default, the management interface is used to forward logs to Cortex Data Lake. If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com, certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
- Select Device > Setup > Services (select the Global tab where it is shown; it is not present on a firewall without multiple virtual system (multi-vsys) capability).
- Under Services Features, click Service Route Configuration.
- Select Customize.
- Under Service, select the following:
- Palo Alto Networks Services
- CRL status
- DNS
- HTTP
- NTP
- Set Selected Service Routes.
- Select the Source Interface you want to use for activation, then select a Source Address from that interface and click OK.
- Select Destination and Add a destination.
- Enter one of the FQDNs above as the Destination.
- Select the same Source Interface and Source Address that you selected for activation and click OK.
- Add a destination for each of the remaining FQDNs listed above, using the same Source Interface and Source Address.
- Click OK again to exit Service Route Configuration.
- Update the access rules required to connect to Cortex Data Lake so that they cover the new interface IP address.
- Configure NTP so that the firewall stays in sync with Cortex Data Lake. Skip this step if you have enabled the proxy configuration:
- On the firewall, select Device > Setup > Services and set the NTP Server Address, for example pool.ntp.org.
- Install a device certificate on the firewalls that you want to connect to Cortex Data Lake.
- If this is your first time installing a device certificate, you must delete the Cortex Data Lake license key and re-fetch it by issuing the following commands on the firewall CLI:
  > delete license key <CDL_License_Key>
  > request license fetch
  This is only required the first time that you install the device certificate.
- Onboard the firewalls to a Cortex Data Lake instance. Skip this step if you don't have a Cortex Data Lake license and want to send logs to Cortex XDR only.
- Log in to the hub and open the Cortex Data Lake app for the instance to which you are onboarding.
- Select Inventory > Firewalls > Add.
- Select New and Next.
- Select the firewalls to connect to Cortex Data Lake and choose whether Cortex Data Lake will store or only ingest their data.
- Submit your choices.
- Select Device > Licenses and confirm that the Cortex Data Lake license is active. Ensure that you have subscribed to a valid support license for Cortex Data Lake (the 90-day software warranty does not count as a valid support license). When you purchased your Cortex Data Lake license, all firewalls registered to your support account received a Cortex Data Lake license. If you don't see the Cortex Data Lake license, Retrieve license keys from license server to manually refresh the firewall licenses.
- Set up the connection to Cortex Data Lake and check the connection status:
- Select Device > Setup > Management and find the Logging Service settings.
- Enable Logging Service to connect the firewall to Cortex Data Lake. If you want the firewall to collect data that increases visibility for Palo Alto Networks applications such as Cortex XDR, you can also Enable Enhanced Application Logging. Cortex Data Lake logging doesn't start until after you've specified the log types you want to forward; complete these steps and then start sending logs to Cortex Data Lake. Do not Enable Duplicate Logging; that option applies only to Panorama-managed firewalls.
- Commit the configuration on the firewall.
- Show Status to check the Logging Service Status (Cortex Data Lake). The status for License, Certificate, and Customer Info should be green. You can also use the following CLI command to check the certificate status along with other details related to Cortex Data Lake:
  > request logging-service-forwarding status
- The firewall is now connected to Cortex Data Lake but is not yet forwarding logs. Next, follow the steps for starting to send logs, which also cover how to best secure traffic between the firewall and Cortex Data Lake.
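The first prerequisite above (reach the required FQDNs, and never decrypt the traffic to them) is easy to get wrong when an outbound proxy or decryption policy sits between the firewall and the Internet. The following pre-flight script is an added example, not Palo Alto Networks tooling and not part of the original page: for each FQDN named in the service-route step it resolves the name, opens a verified TLS connection, and examines the certificate the far end presents. A decrypting proxy terminates TLS and re-signs the server certificate with its own CA, which shows up either as a chain-validation failure or as an issuer that is a corporate decryption CA rather than a public one. Assumptions not taken from the page: TCP port 443 as the default port to probe (the guide's ports page is authoritative), the INTERCEPT_ISSUER_HINTS strings, and the two constructed certificate fixtures used for the offline self-check.

```python
"""Pre-flight check for direct Cortex Data Lake onboarding (added example).

Run with no arguments for an offline self-check on constructed fixtures;
run with --live to probe the real FQDNs from the host you run it on.
"""
import socket
import ssl
import sys

# FQDNs named in the service-route step of the onboarding procedure.
CDL_FQDNS = (
    "api.paloaltonetworks.com",
    "apitrusted.paloaltonetworks.com",
    "lic.lc.prod.us.cs.paloaltonetworks.com",
    "certificatetrusted.paloaltonetworks.com",
    "certificate.paloaltonetworks.com",
)

# Assumption: substrings of issuer names that identify a TLS-intercepting
# proxy in your environment. Replace with the name of the CA your own
# decryption appliance signs with.
INTERCEPT_ISSUER_HINTS = ("Forward Trust", "SSL Inspection", "Decryption")

# Constructed fixtures shaped like ssl.SSLSocket.getpeercert() output; the
# issuer names are invented, not the real issuers of these domains.
SAMPLE_DIRECT = {
    "subject": ((("commonName", "api.paloaltonetworks.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G3"),)),
    "subjectAltName": (("DNS", "api.paloaltonetworks.com"),),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "api.paloaltonetworks.com"),),),
    "issuer": ((("organizationName", "Corp Forward Trust CA"),),),
    "subjectAltName": (("DNS", "api.paloaltonetworks.com"),),
}


def rdn_value(name, attr):
    """Return one attribute (e.g. 'organizationName') from the nested
    RDN tuples getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def classify_issuer(cert, hints=INTERCEPT_ISSUER_HINTS):
    """Return (direct, detail): direct is False when the issuer matches a
    decryption-CA hint, i.e. the TLS session was re-signed on the path."""
    issuer = cert.get("issuer", ())
    org = rdn_value(issuer, "organizationName") or ""
    cn = rdn_value(issuer, "commonName") or ""
    label = org or cn or "<unknown issuer>"
    for hint in hints:
        if hint.lower() in org.lower() or hint.lower() in cn.lower():
            return False, f"issuer '{label}' matches decryption-CA hint '{hint}'"
    return True, f"issuer '{label}'"


def check_fqdn(fqdn, port=443, timeout=5.0):
    """Resolve, connect and verify TLS to one FQDN. 'ok' is True only when
    DNS, TCP, chain/hostname validation and the issuer check all pass."""
    result = {"fqdn": fqdn, "port": port, "ok": False}
    try:
        addrs = sorted({ai[4][0] for ai in
                        socket.getaddrinfo(fqdn, port, type=socket.SOCK_STREAM)})
    except socket.gaierror as exc:
        result["detail"] = f"DNS resolution failed: {exc}"
        return result
    result["addresses"] = addrs
    ctx = ssl.create_default_context()  # validates chain and hostname
    try:
        with socket.create_connection((addrs[0], port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # An untrusted chain on a public FQDN is the classic sign of decryption.
        result["detail"] = (f"certificate not trusted ({exc.verify_message}); "
                            "check for SSL decryption or an intercepting proxy")
        return result
    except (OSError, ssl.SSLError) as exc:
        result["detail"] = f"connect/TLS failure: {exc}"
        return result
    direct, detail = classify_issuer(cert)
    result.update(ok=direct, detail=detail)
    return result


def blocking_issues(results):
    """'<fqdn>: <detail>' for every failed check; empty means all clear."""
    return [f"{r['fqdn']}: {r['detail']}" for r in results if not r["ok"]]


if __name__ == "__main__":
    if "--live" in sys.argv:
        results = [check_fqdn(f) for f in CDL_FQDNS]
    else:  # offline self-check on the constructed fixtures
        results = [dict(fqdn=n, ok=d, detail=t) for n, (d, t) in (
            ("direct-fixture", classify_issuer(SAMPLE_DIRECT)),
            ("intercepted-fixture", classify_issuer(SAMPLE_INTERCEPTED)))]
    for r in results:
        print("PASS" if r["ok"] else "FAIL", r["fqdn"], "-", r["detail"])
    raise SystemExit(1 if blocking_issues(results) else 0)
```

Run it from a host on the same network path the firewall's chosen source interface uses (the management network, or the data-interface segment if you configured service routes), otherwise a clean result says nothing about the firewall's path. A FAIL with "certificate not trusted" on all five names usually means a decrypting proxy, which the procedure says must be exempted for these FQDNs; a FAIL on only the DNS step points at the resolver the chosen interface uses.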