Activate Cortex Data Lake (Panorama-Managed)

Follow these steps to activate Cortex Data Lake for Panorama-Managed firewalls.
If you’re using Panorama™ to manage Prisma™ Access or on-premises firewalls, the steps below describe how to use the Customer Support Portal to activate Cortex™ Data Lake. Because Panorama can provision the certificates that firewalls require to securely connect to Cortex Data Lake, this gives you a way to onboard multiple firewalls to Cortex Data Lake simultaneously.
Before you begin, review these requirements to make sure you have everything you need to get started.
If you’re not using Panorama
, Activate Cortex Data Lake on the hub, instead. How you activate and implement Cortex Data Lake varies depending on the products and services you’re using. Learn more about how to get started with Cortex Data Lake based on the product you’re using.
  1. To set up Panorama, install the Panorama virtual appliance and perform initial configuration or set up an M-Series appliance.
    You must configure one or more DNS servers and an NTP server instead of setting the date and time manually so that Panorama can stay in sync with Cortex Data Lake.
    • To configure NTP, select
      Panorama
      Setup
      Services
      NTP
      and set a value for the
      NTP server
      . For example:
      pool.ntp.org
      .
    • To configure DNS servers, select
      Panorama
      Setup
      Services
      and enter a value for the primary and optionally for the secondary DNS servers.
    • (
      Optional, Panorama 10.0 and later versions
      ) To configure Panorama to connect to Cortex Data Lake through a proxy server, select
      Panorama
      Setup
      Services
      Settings ( edit-cog.png )
      and
      Use proxy to send logs to Cortex Data Lake
      .
    1. Log in to the Customer Support Portal (CSP) and select
      Assets
      Devices
      Register New Device
      .
    2. Select
      Register device using Serial Number or Authorization Code
      and then
      Submit
      .
    3. Enter the Panorama Serial Number provided in the email you received with your order fulfillment along with the required Location Information (as indicated by the asterisks) and then
      Agree and Submit the EULA
      .
      After you see the registration complete message, close the Device Registration dialog.
    4. Find the Panorama instance you just registered and click the corresponding edit (Actions column).
    5. To activate the Support license, select
      Activate Auth-Code
      and then enter the Support Authorization Code you received in your email and then
      Agree and Submit
      .
  2. Activate Cortex Data Lake.
    1. Log in to the Customer Support Portal (CSP) and select
      Assets
      Cloud Services
      Activate Cloud Services Auth-Code
      .
    2. To license Cortex Data Lake, enter the
      Authorization code
      you received in your email, select the
      Panorama Serial Number
      for the Panorama you plan to use, select the
      Logging Region
      and then
      Agree and Submit
      the EULA.
      csp-tie-panorama-logging-services.png
      After you see the registration complete message, close the Device Registration dialog.
  3. Verify the Quantity and Part Description of the Cortex Data Lake license (named Logging Service below) that you just activated.
    csp-verify-purchase.png
  4. Retrieve the Cortex Data Lake and support license on Panorama.
    1. Select
      Panorama
      Licenses
      and
      Retrieve license keys from license server
      .
    2. Verify that you see the Cortex Data Lake license and the support license.
      logging-service-license-appliedd.png
  5. Download and install the Cloud Services plugin.
    The way you download and install the plugin depends on whether you are using Panorama 8.0.6 or a later Panorama version.
    On Panorama 8.0.x:
    1. Log in to the Customer Support Portal and select
      Updates
      Software Updates
      .
    2. Find a supported Cloud Services plugin version in the Panorama Integration Plug In section and download it. Plugin 1.0 versions are no longer supported on any version of Panorama.
      Do not rename the plugin file or you will not be able to install it on Panorama.
    3. To install the plugin, log in to the Panorama web
      Panorama
      Plugins
      Upload
      , and
      Browse
      to the plugin
      File
      that you downloaded from the CSP.
    4. Install
      the plugin.
    On Panorama 8.1.0 and later versions:
    On Panorama 8.1 and later versions, you can either download the plugin from the CSP and then upload it to Panorama or you can check for plugin updates directly from Panorama as follows:
    1. Select
      Panorama
      Plugins
      and
      Check Now
      to display the latest
    2. Plugin 1.0 versions are no longer supported on any version of Panorama.
    3. After you download the plugin,
      Install
      it.
    Installing a newer version of the Cloud Services plugin overwrites the previously installed version. If you are installing the plugin for the first time, after you successfully install the plugin, Panorama will refresh and the Cloud Services menu will display on the
    Panorama
    tab.
    plugin-installed.png
  6. Verify your account. You must be a superuser on the CSP to generate the one-time password required to verify your account.
    When you try to use the Cloud Services plugin for the first time after installing it, you are prompted to verify your account. This step ensures that the Panorama serial number is registered to use Cortex Data Lake and enables a secure communication path between Cortex Data Lake and Panorama.
    1. Log in to the Palo Alto Networks Customer Support Portal (CSP) as a superuser and select
      Assets
      Cloud Services
      .
    2. Generate OTP
      .
      csp-otp.PNG
    3. Select the serial number for the
      Panorama
      where you installed the Cloud Services plugin and
      Generate OTP
      .
    4. Copy to Clipboard
      .
      You have ten minutes to enter the OTP before it expires.
    5. Go back to Panorama and select
      Panorama
      Cloud Services
      Status
      to display the Verify Account dialog.
    6. Paste the OTP you just generated and
      Verify
      it.
      If
      Verify
      is disabled, check that you have configured both a DNS server and an NTP server (
      Panorama
      Setup
      Services
      ).
  7. Verify the connection status between Panorama and Cortex Data Lake.
    You can use the Panorama CLI or the Panorama web interface with the Cloud Services plugin to verify that the connection is successful.
    • Use the following CLI command:
      admin@Panorama> show plugins cloud_services status logging-service
      pass{"@status": "success", .....
    • Select
      Panorama
      Cloud Services
      Status
      Status
      and
      details
      to verify that Panorama was able to successfully retrieve the Cortex Data Lake certificate, fetch the Customer Identification number and the region in which your Cortex Data Lake instance is deployed, and confirm that the Panorama appliance is connected to Cortex Data Lake (Logging Service below). If any of these checks fail, the Status is reported as an
      Error
      .
      logging-service-detailed-status.png
  8. On the hub, View Cortex Data Lake Status to verify that Cortex Data Lake is provisioned successfully.
  9. Allocate Storage Based on Log Type. Make sure to allocate log quota for each log type because there are no log quota allocation defaults.
  10. Remember that for any firewalls from which you want to forward logs to Cortex Data Lake and that are not already managed by Panorama, you first need to add the firewalls to Panorama as managed devices.

Recommended For You