End-of-Life (EoL)

Install the Cortex® XDR™ Agent for Linux

Learn how to install the Cortex® XDR™ agent on a Linux endpoint.
The Cortex XDR agent for Linux is designed to protect Linux servers and operates transparently in the background as a system process. The agent also extends exploit and malware protection to processes that run in Linux containers. When you install the Cortex XDR agent on a Linux server, the agent automatically protects any new and existing containerized processes regardless of the container solution (for example, Docker). Each Linux server receives a single license which includes protection for container processes.
You can also deploy Cortex XDR agents on virtual Linux servers as temporary sessions, to ensure the Cortex XDR agent license returns to the license pool after 90 minutes of session inactivity and to improve your network temporary workloads.
After you install the Cortex XDR agent for Linux, it is typically not necessary to interact with the agent; however, to perform common actions, such as initiating a manual check-in with Cortex XDR, you can use the command-line utility named Cytool. Cytool is available in the
directory and must be run as root or with root permissions.
Before installing the agent on a Linux server, verify that the system meets the requirements described in Cortex XDR Agent for Linux Requirements.
If you intend to use SELinux, make sure to enable it before you proceed with the Cortex XDR agent installation. This ensures that the agent disables any injection-based modules that cause compatibility issues. If you later enable SELinux or change its operation mode, you must reinstall the agent to avoid any compatibility issues.
  1. Download the Cortex XDR agent installation script from Cortex XDR.
  2. Copy the installation package to the Linux server on which you want to install the Cortex XDR agent software.
    For example, to copy the file securely from a local machine to the Linux server:
    user@local ~ $
    scp linux.sh root@ubuntu.example.com:/tmp
    linux.sh 100% 21MB 1.2MB/s 00:18
  3. Log on to the Linux server.
    For example:
    user@local ~ $
    ssh root@ubuntu.example.com
    Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-1041-aws x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage Get cloud support with Ubuntu Advantage Cloud Guest: http://www.ubuntu.com/business/services/cloud 0 packages can be updated. 0 updates are security updates. Last login: Tue Dec 26 22:14:15 2017 from
  4. Install the Cortex XDR agent software.
    You can install the Cortex XDR agent on the endpoint manually using the shell installer or using the Linux package manager for
    To deploy using package manager:
    1. Depending on your Linux distribution, install the Cortex XDR agent using one of the following commands:
      Install Command
      RHEL, CentOS, or Oracle
      yum install ./
      rpm -i ./
      Ubuntu or Debian
      apt-get install ./
      dpkg -i ./
      zypper install ./
      rpm -i ./
    2. Verify the agent was installed on the endpoint.
      Enter the following command on the endpoint:
      dpkg -l | grep cortex-agent
      rpm -qa | grep cortex-agent
    To deploy the shell installer:
    1. Enable execution of the script using the
      chmod +x
    2. Run the install script as root or with root permissions.
      For example:
      cd /tmp
      linux.sh root@ubuntu:/tmp$
      chmod +x linux.sh
      [ 1] Checking prerequisites Verifying Ubuntu 20 (dpkg) packages: * openssl ... OK * ca-certificates ... OK Done Unpacking cortex-agent ( ... Setting up cortex-agent ( ... [ 1] Installing Cortex XDR [] at /opt/traps Using system libraries Done [ 2] Creating runtime directory Done [ 3] Defining Cortex XDR local services (systemd) Created symlink /etc/systemd/system/multi-user.target.wants/traps_pmd.service→ /etc/systemd/system/traps_pmd.service. Done [ 4] Creating/Verifying Cortex XDR auxiliary user Done [ 5] Configuring connection to server Done [ 6] Starting Cortex XDR security services Name PID User Status Command pmd1364967 root Running /opt/traps/bin/pmd analyzerd1365038 cortexu+ Running /opt/traps/analyzerd/analyzerd 82 84 86 dypd1365021 root Running /opt/traps/bin/dypd -a -- 74 lted N/A N/A STOPPED N/A Done
      Additional options are available to help you customize your installation if needed. The following table describes common options and parameters that you can use but does not provide an exhaustive list. Use the --help option to print the help for the installer.
      If you are using
      installers, you must also add these parameters to the
      file prior to installation. Make sure to remove the first couple of leading double dashes. For example, instead of this:
      -- --proxy-list ”
      , add this:
      . Applies to:
      --proxy-list="" --no-km --restrict=live_terminal
      Without Kernel Module Installation
      Use the
      option if you do not want to install the Cortex XDR agent kernel module. If you install the agent without the Cortex XDR kernel module or your Linux server runs an unsupported kernel version, the Cortex XDR agent will operate in asynchronous mode where:
      • Continuous event monitoring required for Behavioral Threat Protection is disabled.
      • Sharing endpoint activity data with Cortex apps is disabled.
      • ELF file examination and Local Privilege Escalation (LPE) examination occur in parallel with the file execution. If the Cortex XDR agent obtains a malware verdict for the file, it terminates the file execution. Security events for malware in asynchronous mode are assigned a high severity due to the potential for continued execution during the verdict request while security events in synchronous mode are medium severity.
      • All other exploit and malware protection is enabled per your Linux security policy.
      Custom Agent Installation Directory
      Requires Cortex XDR agent 7.5 or a later release
      Install the Cortex XDR agent in a custom directory on the endpoint instead of using the default
      directory. Custom installation directory is a persistent change, and after you install the Cortex XDR to the custom path, all following upgrades and the removal of the agent from the endpoint are executed in the same location.
      Before you start, ensure the custom directory exists on the endpoint and has user and group executable permissions.
      • SH installer
        —Run the following command for example:
        root@ubuntu:/tmp# ./linuxshell.sh -- --install-path=
      • RPM and DEB installers
        1. Create a
          file on the endpoint, under
        2. Add to the
          your custom directory parameter, for example:
      --proxy-list ”
      Proxy Communication
      Configure the Cortex XDR agent to communicate through an intermediary such as a proxy or the Palo Alto Networks Broker Service.
      To enable the agent to direct communication to an intermediary, you use this installation option to assign the IP address and port number you want the Cortex XDR agent to use. You can also configure the proxy by entering the FQDN and port number. When you enter the FQDN, you can use both lowercase and uppercase letters. Avoid using special characters or spaces.
      Use commas to separate multiple addresses. For example:
      -- --proxy-list "My.Network.Name:808,"
      You can assign up to five different proxies per agent, and the proxy for communication is selected randomly with equal probability.
      To enable the agent to use the Broker Service, you must set up a broker VM in your network and use this option to assign the agent the Broker VM IP address with port number 8888.
      After the initial installation, you can change the proxy settings from Cortex XDR.
      The Cortex XDR agent does not support proxy communication in environments where proxy authentication is required.
      VM Template
      Temporary session
      Virtual Installation
      Deploy Cortex XDR agents on virtual Linux endpoints as temporary instances, ensuring the Cortex XDR agent license returns back to the license pool after 90 minutes of session inactivity and improving your network temporary workloads. Choose your preferred workflow:
      —Install the Cortex XDR agent only on the Linux endpoint you are using to create the VM template. Every instance you create using this template, will include the pre-installed Cortex XDR agent. For example:
      $ ./installer.sh -- --vm-template
      Fresh install
      —Install the Cortex XDR agent on the Linux VM after creating the VM template, as part of provisioning. For example:
      $ ./installer.sh -- --temporary-session
      Disable Live Terminal, script execution, and file retrieval on the endpoint
      Use to permanently disable the option for Cortex XDR to perform all, or a combination, of the following actions on endpoints running a Cortex XDR agent: initiate a Live Terminal remote session on the endpoint, execute Python scripts on the endpoint, and retrieve files from the endpoint to Cortex XDR. Disabling any of these actions is an irreversible action, so if you later want to enable the action on the endpoint, you must uninstall the Cortex XDR agent and install a new package without this flag
      To disable all actions, use the corresponding flag:
      To disable a specific action, use the corresponding flag:
      • --restrict=live_terminal
        —Use to disable Live Terminal.
      • --restrict=script_execution
        —Use to disable script execution.
      • --restrict=file_retrieval
        —Use to disable file retrieval.
      To disable more than one option, use any combination of these flags.
      --unprivileged-user "
      Use a predefined user for unprivileged Cortex Agent processes
      Instruct the Cortex XDR Agent to use an existing unprivileged auxiliary user instead of creating a new one. Before you start, ensure the specified user exists on the endpoint and is unprivileged.
      The script installs the files for the Cortex XDR agent for Linux in the
      folder with the Cytool utility available at
      After the agent successfully connects to the server for the first time and retrieves a valid license, the agent begins protecting the Linux server.
      If the Cortex XDR agent does not connect to Cortex XDR, verify your internet connection and perform a check-in on the endpoint. If the agent still does not connect, verify the installation package has not been removed from the Cortex XDR management console.
  5. (
    ) Load SecureBoot Certificates.
    If you enabled the SecureBoot kernel, define the following in order to load the Cortex XDR kernel module certificates available for Redhat 8 and Ubuntu 20:
    1. On your server, navigate to
      and locate key name
      to access the public key.
    2. Load the key to the MOK by running the command:
      mokutil --import xdr_kernel_cert.der
    3. Set a password.
    4. Reboot the system.
      During the machine reboot, the Unified Extensible Firmware Interface (UEFI) will ask you to
      Enroll MOK
      . When prompted whether to download the key, select
      and enter the password you defined.
    5. Verify the key was loaded by running the command
      mokutil --list-enrolled
      and locating the key with the
      Palo Alto Networks
  6. For a list of available options, enter the
    command without any arguments or with

Recommended For You