To simplify storage allocation for your Cloud NGFW for AWS resources,

Cortex Data Lake

now automatically scales your total allocated storage according to your Cloud NGFW usage. As traffic throughput increases on the Cloud NGFW resources, so does your available storage so that you don’t need to worry about making manual adjustments for

Cortex Data Lake

to save your log data.

Cortex Data Lake

now supports forwarding logs to Exabeam using HTTPS, so if you use Exabeam as your SIEM, you can now seamlessly ingest firewall data from

Cortex Data Lake

for a more complete picture of your network activity.

For more up-to-date and secure authentication, Log Forwarding now uses Java 11. Please review the updated list of trusted certificates to ensure your log receiver has the correct certificates installed.

To comply with data privacy regulations that require you to keep data within Poland, you can now select it as a host region when you activate

Cortex Data Lake

.

To comply with data privacy regulations that require you to keep data within China, you can now select it as a host region when you activate

Cortex Data Lake

.

To comply with data privacy regulations that require you to keep data within France, you can now select it as a host region when you activate Cortex Data Lake.

To comply with data privacy regulations that require you to keep data within Spain, you can now select it as a host region when you activate Cortex Data Lake.

To comply with data privacy regulations that require you to keep data within Italy, you can now select it as a host region when you activate Cortex Data Lake.

To comply with data privacy regulations that require you to keep data within Switzerland regional boundaries, you can now select Switzerland as a host region when you activate Cortex Data Lake.

Cortex Data Lake

now supports forwarding logs to Google Chronicle using HTTPS, so if you use Chronicle as your SIEM, you can now seamlessly ingest firewall data from

Cortex Data Lake

for a more complete picture of your network activity.

For an output that is more consistent with other log types, we’ve updated the following field names for GlobalProtect logs sent from Cortex Data Lake in Common Event Format (CEF):

You can now send DNS Security logs to Cortex Data Lake to facilitate triage, prioritization, and response to security incidents involving DNS. This enables you to view DNS Security logs in Explore to assess the details of a particular log and perform queries for further investigation.

In Explore, You can now use the

=

or

!=

operators to match IPv4 and IPv6 addresses and subnets that use CIDR notation. This allows you to speed up your investigations by quickly narrowing them down to logs from a section of your network.

For example, this search identifies all logs with the specified IPv4 address range in the source address field:

Similarly, this search identifies all logs that do not have the specified IPv4 address range in the destination address field:

To provide a more complete picture of your GlobalProtect application behavior to external logging solutions, you can now forward GlobalProtect Troubleshooting logs from Cortex Data Lake.

On the Dashboard, you can now

Log forwarding profiles that send logs to different destinations now work independently from each other, so if one destination disconnects and stops ingesting logs, the other destinations will remain connected and will continue sending logs to these destinations.

If you are a managed security service provider overseeing the syslog streams for multiple customers, this feature will ensure that a problem with one stream will not affect the others.

Also, if you manage multiple syslog sinks for different purposes, such as SOC investigation, network troubleshooting, and audit and compliance this feature helps you maintain consistent service in the event that one sink goes down.

Cortex Data Lake now features a simplified activation flow to help you get up and running with the product quickly and easily. After you purchase a Cortex Data Lake license, you now receive an email with a link that takes you to a step-by-step process for activating your product.

To comply with data privacy regulations that require you to keep data within India regional boundaries, you can now select India as a host region when you activate Cortex Data Lake.

You can now save log queries and share them with other users. Save log queries to avoid re-entering long, complex, or frequently used queries each time you want to see a particular set of logs. Share queries to quickly present the logs to a team member, support technician, or anyone whom you want to see them.

In the log viewer, you can now create profiles that save preferences so that you can quickly change to a set of preferences for a particular use case or user.

These preferences include the Cloud Identity Engine (CIE) tenant, the time zone in which logs appear, and the columns you’ve chosen to display as well as their order.

The character limit for queries has increased to 4096, and queries now wrap to the next line when the field is filled. This enables you to form longer queries and view their contents at a glance.

You can now choose to view logs in different time zones. This helps you correlate logs generated by different products that may use a different time zone from the timezone of your browser.

You can now create queries with the

time_generated_high_res

field

equal_to

a time in milliseconds. This enables you to correlate logs with events from other systems at a millisecond level.

You can now restore preferences, such as column order and time zone, to the preferences set when you first started the app. This enables you to quickly undo any changes you’ve made if you are no longer satisfied with your preferences.

Cortex Data Lake now has a new role that only grants permission to view the

Explore

tab and export log data. If one of your users only needs to view logs, this enables you to maintain a good security posture by only granting them the permissions they need.

To comply with data privacy regulations that require you to keep data within German regional boundaries, you can now select Germany as a host region when you activate Cortex Data Lake.

The log viewer filter now supports parentheses to determine the order in which it evaluates terms in queries so you can more precisely identify the logs you’re looking for.

For better control over your log data, you can now disable log retention for each of your firewalls from the

Inventory

tab in the Cortex Data Lake app. To do this, set

Store Log Data

to

Off

for the firewalls whose data you do not want to retain.

(

PAN-OS 10.1 or later

) To reduce the number of certificates you need to install and manage to connect to Palo Alto Networks cloud services, you can now authenticate to Cortex Data Lake using a device certificate. This enables you to authenticate to Cortex Data Lake using the same certificate that you would use to connect to Cortex XDR, IoT Security, and Enterprise Data Loss Prevention.

Devices using a device certificate follow a new process to onboard to Cortex Data Lake. Make sure to follow the onboarding process appropriate for your PAN-OS version and deployment style.

You can now get started forwarding logs from Cortex Data Lake more quickly, easily, and cost-effectively by using a self-signed certificate to authenticate your syslog or HTTPS receiver. After installing the certificate on your receiver, you can upload the private CA or self-signed certificate as part of your syslog or HTTPS forwarding profiles.

To ensure your log data arrives safely to its intended destination, Cortex Data Lake now more rigorously inspects the validity of server certificates.

To help you verify that you can connect to the syslog server to which you want to forward logs, Cortex Data Lake Log Forwarding now features a

Test Connection

button in Syslog and HTTPS profile configuration. When you click this button, you will see that the connection either succeeded or failed and why.

For compatibility with services that receive events through HTTPS, such as Splunk HTTP Event Collector (HEC), Cortex Data Lake now supports forwarding logs through HTTPS.

Enabling you to forward logs to Microfocus ArcSight Enterprise Security Manager, Cortex Data Lake now supports CEF as an option when you select the log format for a syslog forwarding profile.

For better control over your log data, Cortex Data Lake now does not retain logs at all if you set log storage

Quota

or

Max Retention Days

to 0 in

Storage

Configuration

. If you do want to store logs, ensure that

Quota

is greater than 0 and

Max Retention Days

is not set to 0.

Certain network logs—Traffic, Threat, URL, File—now show you the other events logged during the same session.

Without leaving the context of the log you’re interested in, you can see the sequence of related events for the session. Related logs are displayed chronologically, top to bottom—the log with the earliest timestamp is listed first.

Select a related log to investigate the details for that event.

Editable Migrated Filters

—You now have the flexibility to modify the queries in log forwarding filters that you may have retained from an earlier version of the Log Forwarding app.

For smoother device onboarding, you can now view a list of your available Panorama and firewall devices and generate onboarding keys for them within the app.

To provide a more consistent experience across Palo Alto Networks platforms, Cortex Data Lake now features a new user interface that you may recognize from products such as Prisma Access.

To simplify the list of available log types for log forwarding, the

tunnel

log type now includes

GTP

logs, and

Threat

logs now include

WildFire

logs.

Because log forwarding profiles can only include one filter per log type, if you had a log forwarding profile with a log filter for both of the formerly separate log types, you will now see a new log forwarding profile. This profile contains the log filter that could not be duplicated in the original profile.

For example, a log forwarding profile with filters for both

tunnel

and

GTP

logs now appears as two profiles, each with a

tunnel

filter. One of the profiles will continue filtering

tunnel

logs and the other will filter

GTP

logs, which are now included in tunnel logs. The new profile will be called

<

original name

> - GTP

or, in the case of

Threat

and

WildFire

,

<

original name

> - WildFire

.

Some log filters created in the previous Log Forwarding app can no longer be edited. If you would like to change such filters, you must delete them and create new ones.

(

PAN-OS 10.0.2 or later and Cloud Services plugin 1.8.0 or later

) From Panorama, you can now generate scheduled reports on Cortex Data Lake data.

(

PAN-OS 10.0 or later

) You can now configure the firewall to forward logs to Cortex Data Lake through a proxy server. This enables you to send log data to Cortex Data Lake from a network without a default gateway.

For compliance with regulations that require you to keep data within regional boundaries, you can now select the UK or Singapore as a host region when you activate Cortex Data Lake.

The quota manager now features a detailed breakdown of firewall log types and a simpler method of allocating remaining storage to help you more easily manage your Cortex Data Lake log storage.

Instead of a single Detailed log type, the quota manager now displays the firewall log types individually. The Infrastructure & Audit log type now appears as System and Config logs.

To allocate all remaining storage to one or more log types, you can now leave the quota percentage of log types blank and the quota manager will automatically assign them the unallocated space.

To help you more easily allocate log storage and visualize the data you're storing in Cortex Data Lake, the Cortex Data Lake app now features a completely redesigned quota manager.

The quota manager now visually displays your total storage capacity as a bar, with color-coded segments representing different log sources so you can instantly identify how much storage a service uses and adjust if necessary.

To authenticate using the new G2 certificate chain, firewalls that you want to onboard to Cortex Data Lake without using Panorama must now run PAN-OS 9.0.6 or later.

Until PAN-OS 9.0.3, Panorama was required to onboard firewalls to Cortex Data Lake, and to view logs stored in Cortex Data Lake. Now, firewalls running PAN-OS 9.0.3 and later can securely connect and log to Cortex Data Lake, without Panorama. The new app, Explore, allows you to see and interact with the log data stored in Cortex Data Lake.

For better application visibility and control, you now have a new App-ID for paloalto-shared-services, in addition to the App-ID for the palo-alto-logging-service. The paloalto-shared-services App-ID identifies traffic for any shared services that are used by Palo Alto Networks including Directory Sync Service, Logging Service, and Magnifier; any paloalto-shared-services traffic that was earlier identified as ssl, web-browsing will now be identified as paloalto-shared-services.

If you have a Palo Alto Networks next-generation firewall between the Panorama appliance and the internet, you must add a security policy rule on the firewall to allow the paloalto-logging-service and paloalto-shared-services App-IDs from the Panorama appliance to the internet. These applications allow SSL-secured communication to the Cortex Data Lake that the Panorama appliance uses to query logs, and enable communication to the shared services and the Cortex Data Lake for performing certificate status and revocation checks.

To help with visibility on the status and connectivity to the Cortex Data Lake, the Cloud Services plugin 1.2 provides details on the connection status between Panorama and the Cortex Data Lake. On

Panorama

Cloud Services

Status

Status

, you can now verify that Panorama appliance was able to successfully retrieve the Logging Service certificate, view the Customer Identification number and the region in which your Cortex Data Lake instance is deployed, and confirm that the Panorama appliance is connected to the Logging Service. If any of these checks fail, the Status is reported as an error.

For better application visbility and control, you now have a new App-ID for paloalto-shared-services, in addition to the App-ID for the palo-alto-logging-service. The paloalto-shared-services App-ID identifies traffic for any shared services that are used by Palo Alto Networks including Directory Sync Service, Logging Service, and Magnifier; any paloalto-shared-services traffic that was earlier identified as ssl, web-browsing will now be identified as paloalto-shared-services.

If you have a Palo Alto Networks next-generation firewall between the Panorama appliance and the internet, you must add a security policy rule on the firewall to allow the paloalto-logging-service and paloalto-shared-services App-IDs from the Panorama appliance to the internet. These applications allow SSL-secured communication to the Cortex Data Lake that the Panorama appliance uses to query logs, and enable communication to the shared services and the Cortex Data Lake for performing certificate status and revocation checks.

You can now activate the Cortex Data Lake Auth code from the cloud services portal to upgrade the Traps Included Storage of 100GB to a Cortex Data Lake license with larger storage capacity.