Activate the Local Agent Settings

From the Cortex XDR management console, you can activate or deactivate your local agent collector application.
The Local Agent Settings applet on the Palo Alto Networks Broker VM enables you to:
  • Deploy the Broker VM proxy
    —To deploy
    Cortex
    XDR
    in restricted networks where endpoints do not have a direct connection to the internet, setup the Broker VM to act as a proxy that routes all the traffic between the
    Cortex
    XDR
    management server and
    Cortex
    XDR agents via a centralized and controlled access point. This enables your agents to receive security policy updates, and send logs and files to
    Cortex
    XDR
    without a direct connection. Additionally, with the Broker VM endpoints agents are able to connect to the internet. The Broker VM acts like a transparent proxy and doesn’t decrypt the secure connection between the server and the agent, and hides the agent’s original IP addresses. If your network topology includes SSL decryption in an upstream proxy/firewall, the Broker VM does not participate in the trust relationship as it is not initiating the connection to the server to be fully transparent.
  • Enable Broker caching
    —To reduce your external network bandwidth loads, you can cache
    Cortex
    XDR agent installations, upgrades, and content updates on your
    Cortex
    XDR
    Broker VM. The Broker VM retrieves from
    Cortex
    XDR
    the latest installers and content files every 15 minutes and stores them for a 30-days retention period since an agent last asked for them. If the files were not available on the Broker VM at the time of the ask, the agent proceeds to download the files directly from the
    Cortex
    XDR
    server. If asked by an agent, the Broker VM can also cache a specific installer that is not on the list of latest installers.
The following are prerequisites and limitations for the Local Agent Settings applet.
Requirement
Description
General
Each local setting on the broker VM can support up to 10,000 agents.
Agent Proxy
  • Supported with Traps agent version 5.0.9 and Traps agent version 6.1.2 and later releases.
Agent Installer and Content Caching
  • Supported with
    Cortex
    XDR agent version 7.4 and later releases and Broker VM 12.0 and later.
  • Requires a Broker VM with an 8-core processor to support caching for 10K endpoints.
  • Requires the Broker to have an FQDN record in your local DNS server.
  • Requires you upload a strong cipher SHA256-based SSL certificates when you setup the Broker VM.
  • Requires adding the Broker as a download source in your Agent Settings Profile.
After you configured and registered your Palo Alto Networks Broker VM, proceed to setup you Local Agent Settings applet.
  1. In
    Cortex
    XDR
    , go to
    Settings
    Configurations
    Data Broker
    Broker VMs
    and locate your broker VM.
  2. (
    Optional
    ) To setup the Agent Proxy:
    1. Right-click the broker, select
      Broker Management
      Configure
      .
      Ensure your proxy server is configured. If not, proceed to add it as described in Configure the Broker VM.
    2. From
      Broker Management
      Configure
      , right-click the broker again and select
      Local Agent Settings
      Activate
      .
    3. In the
      Local Agent Settings
      configuration, enable
      Agent Proxy
      . You can also specify the
      Agent Proxy Listening Interface
      .
      When you install your
      Cortex
      XDR agents, you must configure the IP address of the broker VM and a port number during the installation. You can use the default 8888 port or set a custom port. You are not permitted to configure port numbers between 0-1024 and 63000-65000, or port numbers 4369, 5671, 5672, 5986, 6379, 8000, 9100, 15672, 25672. Additionally, you are not permitted to reuse port numbers you already assigned to the Syslog Collector applet.
  3. (
    Optional
    ) To setup up Agent Installer and Content Caching:
    1. Ensure you uploaded your SHA256-based certificates.
      If not, upload them as described in Configure the Broker VM and
      Save
      .
    2. Specify the Broker VM FQDN.
      Right-click the broker, select
      Broker Management
      Configure
      . Under
      Device Name
      , enter your Broker VM
      FQDN
      . This FQDN record must be configured in your local DNS server.
    3. Activate the Local Agent Settings applet on the Broker.
      From
      Broker Management
      Configure
      , right-click the broker again, and select
      Local Agent Settings
      Activate
    4. Activate installer and content caching.
      In the
      Local Agent Settings
      configuration, enable
      Agent Installer and Content Caching
      .
    5. To enable agents to start using broker caching, you must add the Broker VM as a download source in your Agent Settings profile and select which brokers to use, as described in Add a New Agent Settings Profile. Then, ensure the profile is associated with a policy for your target agents.
  4. After a successful activation, the
    Apps
    field displays
    Local Agent Settings - Active
    . Hover over it to view the applet status and resource usage.
    To help you easily troubleshoot connectivity issues for a Local Agent Settings applet on the Palo Alto Networks Broker VM,
    Cortex
    XDR
    displays a list of
    Denied URLs
    . These URLs are displayed when you hover over the Local Agent Settings applet to view the
    Connectivity Status
    . As a result, in a situation where the Local Agent Settings applet is reported as activated with a failed connection, you can easily determine the URLs that need to be allowed in your network environment.
  5. Manage the local agent settings. After the local agent settings have been activated, right-click your broker VM.
    • To change your settings, click
      Local Agent Settings
      Configure
      .
    • To disable the local agent settings altogether, click
      Local Agent Settings
      Deactivate
      .

Recommended For You