Configure the Broker VM
Configure any Cortex XDR broker virtual machine (VM) as necessary.
To set up the broker virtual machine (VM), you need to deploy an image created by Palo Alto Networks on your network or supported cloud infrastructure and activate the available applications. You can set up several broker VMs for the same tenant to support larger environments. Ensure each environment matches the necessary requirements.
Before you set up the broker VM, verify you meet the following requirements:
- Hardware: For standard installation, use a minimum of a 4-core processor, 8GB RAM, and 512GB disk. If you only intend to use the broker VM for agent proxy, you can use a 2-core processor. If you intend to use the broker VM for agent installer and content caching, you must use an 8-core processor.
- Bandwidth higher than 10 Mbit/s.
- VM compatible with:

| Infrastructure | Image Type | Additional Requirements |
|---|---|---|
| Amazon Web Services (AWS) | VMDK | |
| Google Cloud Platform | VMDK | |
| Microsoft Azure | VHD (Azure) | |
| Microsoft Hyper-V 2012 | VHD | Hyper-V 2012 or later |
| Alibaba Cloud | QCOW2 | |
| Nutanix Hypervisor | QCOW2 | Create a Broker VM Image for a Nutanix Hypervisor; Nutanix AHV 2021 |
| Ubuntu | QCOW2 | Create a Broker VM Image for Ubuntu; Version 18.04 |
| VMware ESXi | OVA | VMware ESXi 6.0 or later |
- Enable communication between the Broker Service and other Palo Alto Networks services and apps:

| FQDN, Protocol, and Port | Description |
|---|---|
| (Default) UDP port 123 | NTP server for clock synchronization between the syslog collector and other apps and services. The broker VM provides default servers you can use, or you can define an NTP server of your choice. If you remove the default servers and do not specify a replacement, the broker VM uses the time of the host ESX. |
| br-<XDR tenant>.xdr.<region>.paloaltonetworks.com, HTTPS over TCP port 443 | Broker Service server depending on the region of your deployment, such as us or eu. |
| distributions.traps.paloaltonetworks.com, HTTPS over TCP port 443 | Information needed to communicate with your Cortex XDR tenant. Used by tenants deployed in all regions. |
| br-<xdr-tenant>.xdr.federal.paloaltonetworks.com, HTTPS over TCP port 443 | Broker Service server for Federal (US Government) deployment. |
| distributions-prod-fed.traps.paloaltonetworks.com, HTTPS over TCP port 443 | Used by tenants with Federal (US Government) deployment. |
- Enable access to Cortex XDR from the broker VM to allow communication between agents and the Cortex XDR app. If you use SSL decryption in your firewalls, you need to add a trusted self-signed certificate authority on the broker VM to prevent any difficulties with SSL decryption. If adding a CA certificate to the broker is not possible, ensure that you have added the Broker Service FQDNs to the SSL Decryption Exclusion list on your firewalls.
Configure your broker VM as follows:
- In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs.
- Download and install the broker VM image for your corresponding infrastructure:
  - Microsoft Hyper-V 2012: Use the VHD image.
  - VMware ESXi: Use the OVA image.
- Generate Token and copy the token to your clipboard. The token is valid only for 24 hours. A new token is generated each time you select Generate Token.
- Navigate to https://<broker_vm_ip_address>/. When DHCP is not enabled in your network and you do not have an IP address for your broker VM, you need to configure the broker VM with a static IP using the serial console menu of the broker VM.
- Log in with the default password !nitialPassw0rd and then define your own unique password. The password must contain a minimum of eight characters, contain letters and numbers, and include at least one capital letter and one special character.
- Configure your broker VM settings:
  - In the Network Interface section, review the pre-configured Name, IP address, and MAC Address, select the Address Allocation (DHCP (default) or Static), and select whether to Disable the network address or set it as Admin, the address used for the broker VM web interface.
  - If you choose Static, define the following and Save your configuration:
    - Default Gateway
    - DNS Server
  - (Requires Broker VM 14.0.42 and later) (Optional) Internal Network: Specify a network subnet to avoid the broker VM dockers colliding with your internal network. By default, the Network Subnet is set to 172.17.0.1/16. For Broker VM version 9.0 and lower, Cortex XDR will accept only 172.17.0.0/16. The internal IP must be:
    - Formatted as prefix/mask, for example 192.0.2.1/24.
    - Within the /8 to /24 range.
    - Not configured to end with a zero.
  - (Optional) Configure a Proxy Server address and other related details to route broker VM communication.
    - Select the proxy Type as HTTP, SOCKS4, or SOCKS5. You can configure another broker VM as a Proxy Server for this broker VM by selecting the HTTP type. When selecting HTTP to route broker VM communication, you need to add the IP Address and Port number (set when activating the Agent Proxy) of the other broker VM registered in your tenant that you want to designate as a proxy for this broker VM.
    - Specify the proxy Address (IP or FQDN), Port, and an optional User and Password. Select the pencil icon to specify the password.
    - Save your configurations.
  - (Optional) (Requires Broker VM 8.0 and later) Configure your NTP servers.
  - (Requires Broker VM 8.0 and later) (Optional) In the SSH Access section, Enable or Disable SSH connections to the broker VM. SSH access is authenticated using a public key provided by the user. Using a public key grants remote access to colleagues and Cortex XDR support who hold the private key. You must have Instance Administrator role permissions to configure SSH access. To enable the connection, generate an RSA key pair and enter the public key in the SSH Public Key section. Once one SSH public key is added, you can +Add Another. When you are finished, Save your configuration.
    When using PuTTYgen to create your public and private key pairs, copy the public key shown in the Public key for pasting into OpenSSH authorized_keys file box and paste it in the broker VM SSH Public Key section as explained above. This public key is only available while the PuTTYgen console is open after the key is generated. If you close the PuTTYgen console before pasting the public key, you will need to generate a new key pair.
    When you SSH to the Broker VM using PuTTYgen or a command prompt, you need to use the admin username. For example: ssh -i [/path/to/private.key] admin@[broker_vm_address]
  - (Requires Broker VM 10.1.9 and later) (Optional) In the SSL Server Certificate section, upload your signed server certificate and key to establish a validated secure SSL connection between your endpoints and the broker VM. When you configure the server certificate and key files in the Broker VM UI, Cortex XDR automatically updates them in the tenant UI. Cortex XDR validates that the certificate and key match, but does not validate the Certificate Authority (CA). The Palo Alto Networks Broker supports only strong-cipher SHA256-based certificates; MD5/SHA1-based certificates are not supported.
  - In the Trusted CA Certificate section, upload your signed Certificate Authority (CA) certificate or CA chain file in PEM format. If you use SSL decryption in your firewalls, you need to add a trusted self-signed CA certificate on the broker VM to prevent any difficulties with SSL decryption. For example, when configuring a Palo Alto Networks NGFW to decrypt SSL using a self-signed certificate, you need to ensure the broker VM can validate the self-signed CA by uploading the cert_ssl-decrypt.crt file on the broker VM.
  - (Requires Broker VM 8.0 and later) (Optional) Collect and Generate New Logs. Your Cortex XDR logs will download automatically after approximately 30 seconds.
- Register and enter your unique Token, created in the Cortex XDR console. Registration of the Broker VM can take up to 30 seconds. After a successful registration, Cortex XDR displays a notification and directs you to Settings > Configurations > Data Broker > Broker VMs. The Broker VMs page displays your broker VM details and allows you to edit the defined configurations.
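To make the Internal Network rules above concrete (prefix/mask format, the /8 to /24 range, no trailing zero, and the 172.17.0.0/16-only rule for Broker VM 9.0 and lower), together with the collision the setting exists to avoid, here is an added Python pre-check; it is not part of Cortex XDR or the broker VM, and the corporate subnet list, the version strings and the reading of "end with a zero" as the last octet are assumptions of this example.

```python
import ipaddress

# Constructed example: address ranges already in use on the corporate network.
CORPORATE_SUBNETS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("172.16.0.0/12")]
LEGACY_ONLY = "172.17.0.0/16"   # the only value Broker VM 9.0 and lower accepts


def check_internal_network(value, broker_version, corporate_subnets=CORPORATE_SUBNETS):
    """Return the list of problems with a proposed Internal Network value (empty list = OK).

    broker_version is the dotted version string shown for the broker VM, e.g. "14.0.42".
    """
    problems = []
    if "/" not in value:
        return ["must be formatted as prefix/mask, for example 192.0.2.1/24"]
    try:
        iface = ipaddress.ip_interface(value)
    except ValueError as exc:
        return [f"not a valid prefix/mask: {exc}"]
    if iface.version != 4:
        return ["must be an IPv4 prefix"]
    mask = iface.network.prefixlen
    if not 8 <= mask <= 24:
        problems.append(f"mask /{mask} is outside the allowed /8 to /24 range")
    # "Cannot end with a zero" is read here as: the last octet must not be 0,
    # i.e. the address must be a host address such as 172.17.0.1, not 172.17.0.0.
    if int(iface.ip) & 0xFF == 0:
        problems.append("address cannot end with a zero")
    major = int(broker_version.split(".")[0])
    if major <= 9 and str(iface.network) != LEGACY_ONLY:
        problems.append(f"Broker VM {broker_version} accepts only {LEGACY_ONLY}")
    # The whole point of the setting: the docker subnet must not collide with
    # ranges the broker VM has to reach on your network.
    for corp in corporate_subnets:
        if iface.network.overlaps(corp):
            problems.append(f"{iface.network} overlaps internal network {corp}")
    return problems
```

Note that with the constructed corporate list the default 172.17.0.1/16 is flagged, because it sits inside 172.16.0.0/12; that is exactly the case in which you would override the default.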
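The SSH Access step above depends on pasting the OpenSSH-format public key line (the PuTTYgen "authorized_keys" box), not PuTTY's native export. The following added Python check, which is not part of Cortex XDR or PuTTYgen, parses such a line the way an SSH server would and rejects the formats the broker VM field is not meant to receive; the minimum key size and the dummy key built by make_constructed_rsa_line are assumptions of this example.

```python
import base64
import struct


def _ssh_string(data):
    """Encode one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, pos):
    """Decode one SSH wire-format string at pos; returns (bytes, position after it)."""
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated")
    return blob[pos + 4:end], end


def check_ssh_public_key(line, min_rsa_bits=2048):
    """Return (ok, message) for text meant for the broker VM SSH Public Key field."""
    text = line.strip()
    if text.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        return False, "PuTTY native format: paste PuTTYgen's OpenSSH authorized_keys box instead"
    if text.startswith("-----BEGIN"):
        return False, "PEM block: paste the single-line OpenSSH public key, not a PEM file"
    parts = text.split()
    if len(parts) < 2:
        return False, "expected '<type> <base64 blob> [comment]'"
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        wire_type, pos = _read_string(blob, 0)          # encoded type must match the text type
        if wire_type != key_type.encode():
            return False, f"type field {key_type} does not match the encoded key type"
        if key_type != "ssh-rsa":
            return False, f"{key_type} is not RSA; the broker VM procedure uses an RSA key pair"
        _exponent, pos = _read_string(blob, pos)         # public exponent, not needed here
        modulus, _ = _read_string(blob, pos)
    except (ValueError, struct.error):
        return False, "key blob is not valid base64 or is truncated"
    bits = int.from_bytes(modulus, "big").bit_length()   # mpint: leading 0x00 does not count
    if bits < min_rsa_bits:
        return False, f"RSA modulus is only {bits} bits; use at least {min_rsa_bits}"
    return True, f"ssh-rsa {bits}-bit key OK"


def make_constructed_rsa_line(bits=2048, comment="broker-admin"):
    """Constructed test data: a well-formed ssh-rsa line around a dummy modulus (not a real key)."""
    modulus = b"\x00\x80" + b"\x01" * (bits // 8 - 1)   # 0x00 pad keeps the mpint positive
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```

Once a key passes, the matching private key is what you use with the admin username, as in the ssh -i example in the SSH Access step.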