: Onboard Firewalls without Panorama (10.1 or Later)
Focus
Focus

Onboard Firewalls without Panorama (10.1 or Later)

Table of Contents

Onboard Firewalls without Panorama (10.1 or Later)

Directly onboard your firewalls running PAN-OS 10.1 or later to
Cortex Data Lake
.
Beginning with PAN-OS 10.1, you can install a device certificate on your firewalls to simplify the onboarding process. Before you start sending logs to
Cortex Data Lake
, you must install device certificates on as many firewalls as you’d like to onboard. After you’ve installed the certificates, use the
Cortex Data Lake
app to complete the onboarding process.
Before you begin, ensure that your firewalls are running PAN-OS 10.1 or later and that they have the device certificate installed.
  1. On your firewalls, allow access to the ports and FQDNs required to connect to
    Cortex Data Lake
    . If you are using a proxy server, allow the same ports and FQDNs on the server without SSL decryption.
    Ensure that you are not decrypting traffic to
    Cortex Data Lake
    .
  2. (
    Optional
    ) To configure firewall to connect to
    Cortex Data Lake
    through a proxy server, select
    Device
    Setup
    Services
    Use proxy to send logs to Cortex Data Lake
    .
  3. By default, the management interface is used to forward logs to
    Cortex Data Lake
    . If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com,certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
    1. Select
      Device
      Setup
      Services
      Global
      .
      Global
      on a firewall without multiple virtual system (multi-vsys) capability.
    2. Under Services Features, click
      Service Route Configuration
      .
    3. Select
      Customize
      .
    4. Under Service, select the following:
      • Palo Alto Networks Services
      • CRL status
      • DNS
      • HTTP
      • NTP
    5. Set
      Selected Service Routes
      .
    6. Select the
      Source Interface
      you want to use for activation and then select a
      Source Address
      from that interface and click
      OK
      .
    7. Select
      Destination
      and
      Add
      a destination.
    8. Enter any of the FQDNs above as
      Destination
      .
    9. Select the same
      Source Interface
      and
      Source Address
      that you selected for activation and click
      OK
      .
    10. Add
      two more destinations for the same interface using the remaining two FQDNs.
    11. Click
      OK
      again to exit Service Route Configuration.
    12. Update the access rules required to connect to
      Cortex Data Lake
      for the new interface IP address.
  4. Configure NTP so that the firewall stays in sync with
    Cortex Data Lake
    . Ignore this step if you have enabled proxy configuration:
    • On firewall, click
      Device
      Setup
      Services
      and set the
      NTP Server Address
      . For example:
      pool.ntp.org
      .
  5. Install a device certificate on the firewalls that you want to connect to
    Cortex Data Lake
    .
    1. If this is your first time installing a device certificate, you must delete the
      Cortex Data Lake
      key and re-fetch it by issuing the following commands:
      > delete license key <CDL_License_Key> > request license fetch
      This is only required the first time that you install the device certificate.
  6. Onboard the firewalls to a
    Cortex Data Lake
    instance.
    Ignore this step if you don't have a
    Cortex Data Lake
    license and want to send logs to Cortex XDR only.
    1. Log in to the hub and open the
      Cortex Data Lake
      app to the instance to which you are onboarding.
    2. Select
      Inventory
      Firewalls
      Add
      .
    3. Select
      New
      and
      Next
      .
    4. Select the firewalls to connect to
      Cortex Data Lake
      and choose whether
      Cortex Data Lake
      will store or only ingest their data.
    5. Submit
      your choices.
  7. Select
    Device
    Licenses
    and confirm that the
    Cortex Data Lake
    license is active. Ensure that you have subscribed to a valid support license of
    Cortex Data Lake
    (90 days software warranty is not counted as a valid support license).
    When you purchased your
    Cortex Data Lake
    license, all firewalls registered to your support account received a
    Cortex Data Lake
    license. If you don’t see the
    Cortex Data Lake
    license,
    Retrieve license keys from license server
    to manually refresh the firewall licenses.
  8. Set up the connection to
    Cortex Data Lake
    and check connection status:
    1. Select
      Device
      Setup
      Management
      and find the
      Logging Service
      settings.
    2. Enable Logging Service
      to connect the firewall to
      Cortex Data Lake
      . If you want the firewall to collect data that increases visibility for Palo Alto Networks applications, like Cortex XDR, you can also
      Enable Enhanced Application Logging
      .
      Cortex Data Lake
      logging doesn’t start until after you’ve specified the log types you want to forward. Complete these steps and then
      start sending logs to
      Cortex Data Lake
      .
      Do not
      Enable Duplicate Logging
      . This option applies only to Panorama-managed firewalls.
    3. Commit and push the config to firewalls.
    4. Show Status
      to check
      Logging Service Status
      (
      Cortex Data Lake
      ). The status for License, Certificate, and Customer Info should be green.
      You can also use this command to check the certificate status along with other details related to
      Cortex Data Lake
      :
      request logging-service-forwarding status
  9. The firewall is now connected to
    Cortex Data Lake
    but is not yet forwarding logs. Follow these steps to start sending logs and to best secure traffic between the firewall and
    Cortex Data Lake
    .

Recommended For You