Onboard Panorama-Managed Firewalls to Cortex Data Lake

Use Panorama to start sending firewall logs to Cortex Data Lake at scale.
Firewalls can forward logs directly to Cortex Data Lake. However, you can use Panorama to onboard firewalls at scale to the Cortex Data Lake, instead of onboarding individual firewalls. Onboarding includes provisioning the certificates that firewalls need to securely connect to Cortex Data Lake, configuring device groups and templates with Cortex Data Lake settings, and then pushing those settings to managed firewalls. When this is complete, you can also view the log records that are forwarded to Cortex Data Lake directly in Panorama.
If you’re using GlobalProtect cloud service, you must use Panorama to implement Cortex Data Lake.
Before you begin to onboard Panorama-managed firewalls, review these requirements to make sure you’re ready to get started. You’ll need:
  • A Panorama virtual appliance or hardware-based Panorama appliance running Panorama 8.0.6 or later.
  • A Panorama device management license.
  • The Cloud Services plugin. This plugin is required if you’re using GlobalProtect cloud service. The following workflow shows you how to download the latest plugin version and install it on Panorama.
  • Next-generation firewalls with a valid support license that are managed by Panorama and are running PAN-OS 8.0.6 or later. Version 8.1.3 or later is recommended if you want to collect enhanced application logs for Magnifier.
  • A Cortex Data Lake license, in addition to the Panorama device management license. When you license Cortex Data Lake, all firewalls registered to your support account receive a Cortex Data Lake license. You can then use Panorama templates and device groups to configure the firewalls to forward logs to Cortex Data Lake.
    The Cortex Data Lake license provisions the service in one theatre/region only (for example, Europe or Americas). If you want the firewalls that belong to one template to send logs to one theatre and the firewalls that belong to another template to send logs to a different theatre, you will need two Panorama appliances and two Cortex Data Lake licenses.
  • Note that neither Panorama nor a next-generation firewall can connect to Cortex Data Lake from behind a proxy, because Cortex Data Lake requires mutual authentication.
Now that you’ve reviewed the requirements above, continue on to:
