Cortex Data Lake for Panorama-Managed Firewalls
Use Panorama™ to onboard a large-scale firewall deployment to Cortex Data Lake.

Palo Alto Networks firewalls send logs directly to Cortex Data Lake. However, you can use Panorama™ to onboard firewalls to Cortex Data Lake at scale instead of onboarding individual firewalls. Cortex Data Lake onboarding includes provisioning the certificates that firewalls need to securely connect to Cortex Data Lake, configuring device groups and templates with the right settings, and then pushing those settings to managed firewalls. When you’re done, you can use Panorama to view records for the logs that are stored in Cortex Data Lake (or you can use the Explore app to view and interact with your logs).

If you’re using Prisma Access (Panorama Managed), you must use Panorama to onboard firewalls to Cortex Data Lake.

You can onboard up to 20 Panorama appliances to a Cortex Data Lake instance. However, if you’re using Prisma Access (Panorama Managed), only one Panorama appliance that is managing Prisma Access can be associated with a Cortex Data Lake instance at a time. If such a Panorama appliance is already associated with your instance when you add a Panorama appliance, you will not be able to select another appliance that is managing Prisma Access.

Before you begin, ensure that you meet these requirements. You’ll need:
- A Panorama virtual appliance or hardware-based Panorama appliance running a supported PAN-OS version.
- A Panorama device management license.
- A supported version of the Cloud Services plugin. See the configuration for your PAN-OS version to find out how to install.
- Next-generation firewalls with a valid support license that are managed by Panorama and that are running a supported PAN-OS version.
- A Cortex Data Lake license (in addition to the device management license for Panorama). When you license Cortex Data Lake, all firewalls registered to your support account receive a Cortex Data Lake license. You can then use Panorama templates and device groups to configure the firewalls to forward logs to Cortex Data Lake. The Cortex Data Lake license provisions the service in one theater or region only. If you want the firewalls that belong to one template to send logs to one theater and the firewalls that belong to another template to send logs to a different theater, you need two Panorama appliances and two Cortex Data Lake licenses.
- Consider that a Panorama™ appliance or firewall running PAN-OS® 9.1 and earlier versions cannot connect to Cortex Data Lake from behind a proxy (Cortex Data Lake requires mutual authentication). You can, however, enable proxy communication on PAN-OS 10.0 and later versions:
After you review the installation requirements,
- Configure Panorama for Cortex Data Lake