End-of-Life (EoL)

Cortex XDR for Linux Requirements

The Cortex XDR agent for Linux has the following requirements:
Minimum Specification
2.3 GHz
4GB; 8GB recommended
Hard disk space
x86 64-bit
Operating system versions
See Where can I install the Cortex XDR Agent? in the
Palo Alto Networks® Compatibility Matrix
Kernel version
To perform malware analysis of ELF files, and collect data for EDR and behavioral threat analysis, the Cortex XDR agent for Linux requires a supported kernel version of 3.4 or later, as listed in Latest Kernel Module Version Support.
If you deploy the Cortex XDR agent on a Linux server that is not running one of the kernel versions required for these additional protection capabilities, the agent will operate in asynchronous mode, where:
  • Continuous event monitoring required for Behavioral Threat Protection is disabled.
  • Sharing endpoint activity data with Cortex apps is disabled.
  • ELF file examination and Local Privilege Escalation (LPE) examination occur in parallel with the file execution. If the Cortex XDR agent obtains a malware verdict for the file, it terminates the file execution. Security events for malware in asynchronous mode are assigned a high severity due to the potential for continued execution during the verdict request while security events in synchronous mode are medium severity.
  • Alert indicators such as file path or hash could be missing for processes with a very short lifespan.
  • All other exploit and malware protection is enabled per your Linux security policy.
For Cortex XDR agents deployed on endpoints running kernels RHEL, CentOS, Oracle 8, or SUSE 15, you must disable UEFI Secure Boot on the machine to enable synchronous protection. Otherwise, the Cortex XDR agent will operate in asynchronous mode as explained above.
Software packages
  • ca-certificates
  • openssl 1.0.0 or a later release
  • Distributions with SELinux in enforcing or permissive mode:
    • Red Hat Enterprise Linux 6, CentOS 6, and Oracle Linux 6—policycoreutils-python
    • Red Hat Enterprise Linux 7, CentOS 7, and Oracle Linux 7—policycoreutils-python and selinux-policy-devel
    • SUSE—policycoreutils-python and selinux-policy-devel
    • Debian and Ubuntu—policycoreutils and selinux-policy-dev
  • glibc—Required for exploit protection of containerized processes using the ROP Mitigation and Brute Force Protection modules. If glibc is not installed, the modules are disabled but all other exploit and malware protection functionality work as expected.
  • CentOS 6.10—Enable the dynamic CA instead of the legacy CA:
    1. Enable the dynamic CA configuration:
      update-ca-trust force-enable
    2. Import the certificates:
      cp XDR-certificate.crt /etc/pki/ca-trust/source/anchors/
    3. Rebuild the certificate database:
      update-ca-trust extract

Recommended For You