Add a New Agent Settings Profile

Agent Settings Profiles enable you to customize Cortex XDR agent settings for different platforms and groups of users.
  1. Add a new profile.
    1. From Cortex XDR, select Endpoints > Policy Management > Prevention > Profiles > + Add Profile, and then choose whether to Create New or Import from File a new profile. Imported profiles are added alongside the existing profiles; they do not replace them.
    2. Select the platform to which the profile applies and Agent Settings as the profile type.
    3. Click Next.
  2. Define the basic settings.
    1. Enter a unique Profile Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose is visible in the list of profiles when you configure a policy rule.
    2. To provide additional context about the purpose or business reason for creating the profile, enter a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
  3. (Windows, Mac, and Linux only) Configure the Disk Space to allot for Cortex XDR agent logs. Specify a value in MB from 100 to 10,000 (default is 5,000).
  4. (Windows and Mac only) Configure User Interface options for the Cortex XDR console.
    By default, Cortex XDR uses the settings specified in the default agent settings profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for this profile.
    • Tray Icon—Choose whether you want the Cortex XDR agent icon to be Visible (default) or Hidden in the notification area (system tray).
    • XDR Agent Console Access—Enable this option to allow access to the Cortex XDR console.
    • XDR Agent User Notifications—Enable this option to display notifications in the notification area on the endpoint. When disabled, the Cortex XDR agent operates in silent mode and does not display any notifications in the notification area. If you enable notifications, you can use the default notification messages or provide custom text for each notification type. You can also customize a notification footer.
      From version 7.8, you can enable a persistent notification about the disconnection of the endpoint from the network. Both the Persistent Isolation Notification and the Blocked Connectivity Notification settings must be enabled. The endpoint remains disconnected from the network until the threat on the endpoint has been removed.
    • Live Terminal User Notifications—Choose whether to Notify the end user and display a pop-up on the endpoint when you initiate a Live Terminal session. For Cortex XDR agents 7.3 and later releases only, you can choose to Request end-user permission to start the session. If the end user denies the request, you cannot initiate a Live Terminal session on the endpoint.
    • (Cortex XDR agent 7.3 and later releases only) Live Terminal Active Session Indication—Enable this option to display a blinking light on the tray icon (or in the status bar on Mac endpoints) for the duration of the remote session, to indicate to the end user that a Live Terminal session is in progress.
  5. (Android only) Configure network usage preferences.
    When Upload Using Cellular Data is enabled, the Cortex XDR agent uses cellular data to send unknown apps to Cortex XDR for inspection. Standard data charges may apply. When this option is disabled, the Cortex XDR agent queues any unknown files and sends them when the endpoint connects to a Wi-Fi network. If configured, the data usage setting on the Android endpoint takes precedence over this configuration.
  6. (Windows and Mac only) Configure Agent Security options that prevent unauthorized access to, or tampering with, the Cortex XDR agent components.
    Use the default agent settings or customize them for the profile. To customize agent security capabilities:
    1. Enable XDR Agent Tampering Protection.
    2. (Windows only) By default, the Cortex XDR agent protects all agent components. However, you can configure protection more granularly for Cortex XDR agent services, processes, files, and registry values according to the following options. With Traps 5.0.6 and later releases, when protection is enabled, access is read-only; in earlier Traps releases, enabling protection disables all access to services, processes, files, and registry values.
      • Service Protection—Protects against stopping the agent services. When this protection is on, the service does not accept OS requests to stop.
      • Process Protection—Protects against tampering with the agent processes: injecting into them, terminating them, or reading from or writing to their virtual memory.
      • File Protection—Protects against tampering with the agent files: deleting, replacing, renaming, moving, or writing files and directories.
      • Registry Protection—Protects against tampering with the agent registry settings and agent policies, for example deleting, adding, or renaming registry keys or values that belong to the agent.
      • Pipe Protection—Protects against tampering with the agent pipe-based inter-process communication (IPC) mechanism.
  7. (Windows and Mac only) Set an Uninstall Password.
    Define and confirm a password that the user must enter to uninstall the Cortex XDR agent. The uninstall password is encrypted using the PBKDF2 algorithm when transferred between Cortex XDR and Cortex XDR agents. The uninstall password is also required for Cytool commands, to protect against tampering attempts.
    The default uninstall password is Password1. A new password must satisfy the Password Strength indicator requirements:
    • Contain eight or more characters.
    • Contain English letters, numbers, or any of the following symbols: !()-._`~@#"'
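The following Python check, added here as an example and not part of the Palo Alto Networks documentation or product, applies the two strength rules above to a candidate uninstall password and additionally flags the documented default Password1 so a rollout never leaves it in place; the function and constant names are this example's own.

```python
import string

# Character classes accepted by the Password Strength indicator, per the
# profile documentation: English letters, digits, and exactly these symbols.
ALLOWED_SYMBOLS = "!()-._`~@#\"'"
ALLOWED_CHARS = frozenset(string.ascii_letters + string.digits + ALLOWED_SYMBOLS)
MIN_LENGTH = 8

# Factory default named in the documentation; a deployed profile should replace it.
DEFAULT_UNINSTALL_PASSWORD = "Password1"


def check_uninstall_password(candidate: str) -> list[str]:
    """Return the list of requirements the candidate fails (empty means acceptable).

    Mirrors the two documented strength rules plus a check that the documented
    default has actually been changed (the indicator itself does not test that).
    """
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    disallowed = sorted({c for c in candidate if c not in ALLOWED_CHARS})
    if disallowed:
        # Spaces, non-English letters and symbols such as $ or % are outside the set.
        problems.append("disallowed characters: " + " ".join(repr(c) for c in disallowed))
    if candidate == DEFAULT_UNINSTALL_PASSWORD:
        problems.append("still the documented default uninstall password")
    return problems


def is_acceptable(candidate: str) -> bool:
    """Convenience wrapper: True when no requirement is violated."""
    return not check_uninstall_password(candidate)


if __name__ == "__main__":
    # Constructed sample candidates (not taken from the documentation).
    samples = ["Password1", "short1", "Tr@ps-Un1nstall_2024",
               "contains space8", "Pässword99", "a$b%c^d&1"]
    for pw in samples:
        print(f"{pw!r:26} -> {check_uninstall_password(pw) or 'OK'}")
```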
  8. (Windows only) Configure Windows Security Center Integration.
    The Windows Security Center is a reporting tool that monitors the system health and security state of endpoints running Windows 7 and later releases:
    • Enabled—The Cortex XDR agent registers with the Windows Security Center as an official Antivirus (AV) software product. As a result, Windows shuts down Microsoft Defender on the endpoint automatically, except on endpoints running Windows Server versions. To avoid performance issues, Palo Alto Networks recommends that you disable or remove Windows Defender from endpoints that run Windows Server versions and have the Cortex XDR agent installed.
    • Enabled (No Patches)—For the Cortex XDR agent 5.0 release only, select this option if you want to register the agent with the Windows Security Center but prevent Windows from automatically installing Meltdown/Spectre vulnerability patches on the endpoint.
    • Disabled—The Cortex XDR agent does not register with the Windows Action Center. As a result, Windows Action Center may indicate that virus protection is Off, depending on the other security products installed on the endpoint.
    When you Enable the Cortex XDR agent to register with the Windows Security Center, Windows shuts down Microsoft Defender on the endpoint automatically. If you still want to allow Microsoft Defender to run on an endpoint where Cortex XDR is installed, you must Disable this option. However, Palo Alto Networks does not recommend running Windows Defender and the Cortex XDR agent on the same endpoint, since this might cause performance issues and incompatibility issues with GlobalProtect and other applications.
  9. (Windows and Mac only) Response Actions.
    If you need to isolate an endpoint but want to allow access for a specific application, add the process to the Network Isolation Allow List. Consider the following when building the allow list:
    • When you add a specific application to your network isolation allow list, the Cortex XDR agent continues to block some internal system processes. This is because some applications, for example ping.exe, use other processes to facilitate network communication. As a result, if the Cortex XDR agent continues to block an application you included in your allow list, you may need to perform additional network monitoring to determine which process facilitates the communication, and then add that process to the allow list.
    • (Windows) For VDI sessions, using the network isolation response action can disrupt communication with the VDI host management system, thereby halting access to the VDI session. Before using the response action, you must add the VDI processes and their corresponding IP addresses to your allow list.
    1. +Add an entry to the allow list.
    2. Specify the Process Path you want to allow and the IPv4 or IPv6 address of the endpoint. Use the * wildcard on either side to match any process or any IP address. For example, specify * as the process path and a specific IP address to allow any process to run on the isolated endpoint with that IP address. Conversely, specify * as the IP address and a specific process path to allow that process to run on any isolated endpoint that receives this profile.
    3. Click the check mark when finished.
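To make the allow-list semantics concrete, here is an added Python model of the matching rule just described (example code, not Palo Alto Networks code and not how the agent is implemented): an entry permits a connection only when both its process path and its IP side match, with * matching anything on that side. It assumes a literal process-path comparison (the documentation states no path normalization) and treats an unparsable address as a configuration error; AllowListEntry, is_allowed and the sample rows are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address

WILDCARD = "*"


@dataclass(frozen=True)
class AllowListEntry:
    """One Network Isolation Allow List row: a process path plus the IPv4 or
    IPv6 address of the endpoint; either side may be the * wildcard."""

    process_path: str
    endpoint_ip: str

    def __post_init__(self) -> None:
        # Fail at configuration time on a malformed address instead of silently never matching.
        if self.endpoint_ip != WILDCARD:
            ip_address(self.endpoint_ip)


def _same_ip(configured: str, observed: str) -> bool:
    # Compare parsed addresses so equivalent spellings match ("2001:db8::10" vs the expanded form).
    return ip_address(configured) == ip_address(observed)


def is_allowed(entries, process_path: str, endpoint_ip: str) -> bool:
    """Return True if any entry permits this process on this isolated endpoint.

    Both sides of an entry must match: * matches anything on that side; otherwise
    the process path is compared literally (assumption, see lead-in) and the IP
    is compared as a parsed address.
    """
    for entry in entries:
        proc_ok = entry.process_path in (WILDCARD, process_path)
        ip_ok = entry.endpoint_ip == WILDCARD or _same_ip(entry.endpoint_ip, endpoint_ip)
        if proc_ok and ip_ok:
            return True
    return False


# Constructed sample allow list; paths and addresses are illustrative only.
EXAMPLE_ALLOW_LIST = (
    AllowListEntry(WILDCARD, "10.0.0.25"),                      # any process, one endpoint
    AllowListEntry(r"C:\Windows\System32\ping.exe", WILDCARD),  # one process, any endpoint
    AllowListEntry("/usr/bin/curl", "2001:db8::10"),            # one process, one IPv6 endpoint
)

if __name__ == "__main__":
    # Constructed checks, including the documented pitfall: allowing ping.exe does not
    # allow a different process that actually carries the traffic (hypothetical helper.exe).
    checks = [
        (r"C:\Program Files\App\app.exe", "10.0.0.25"),
        (r"C:\Windows\System32\ping.exe", "192.0.2.7"),
        (r"C:\hypothetical\helper.exe", "10.0.0.99"),
        ("/usr/bin/curl", "2001:0db8:0000:0000:0000:0000:0000:0010"),
    ]
    for proc, ip in checks:
        verdict = "ALLOW" if is_allowed(EXAMPLE_ALLOW_LIST, proc, ip) else "BLOCK"
        print(f"{proc:40} {ip:40} -> {verdict}")
```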
  10. (Supported on Cortex XDR agent 7.0 or later for Windows endpoints and Cortex XDR agent 7.3 or later for Mac and Linux endpoints) Specify the Content Configuration for your Cortex XDR agents.
    • Content Auto-update—By default, the Cortex XDR agent always retrieves the most recent content and deploys it on the endpoint, so the endpoint is always protected with the latest security measures. However, you can Disable the automatic content download. The agent then stops retrieving content updates from the Cortex XDR server and keeps working with the content currently on the endpoint.
      • If you disable content updates for a newly installed agent, the agent retrieves content from Cortex XDR once, and then disables content updates on the endpoint.
      • When you add a Cortex XDR agent to an endpoint group whose policy disables content auto-updates, the policy is applied to the added agent as well.
    • Content Rollout—The Cortex XDR agent can retrieve content updates Immediately as they become available, or after a pre-configured Delayed period. When you delay content updates, the Cortex XDR agent retrieves content according to the configured delay. For example, if you configure a delay period of two days, the agent does not use any content released in the last 48 hours.
    If you disable or delay the automatic content updates provided by Palo Alto Networks, this may affect the security level in your organization.
  11. Enable Agent Auto Upgrade for your Cortex XDR agents.
    To ensure your endpoints are always up to date with the latest Cortex XDR agent release, enable automatic agent upgrades.
    1. Select the Automatic Upgrade Scope:
      • Latest agent release
      • Only maintenance release
      • Only maintenance release in a specific version
      • Upgrade to a specific version
    2. Select the Upgrade Rollout:
      • Immediate
      • Delayed—Specify the Delay Period In Days using a numeric value. Valid values are 7 through 45.
      To control the agent auto upgrade scheduler and the number of parallel upgrades in your network, see Configure Global Agent Settings.
      Automatic upgrades are not supported with non-persistent VDI and temporary sessions.
    3. (Optional) For Critical Environment (CE) versions, select whether you want to upgrade your CE versions only within the CE lines. It can take up to 15 minutes for new and updated auto-upgrade profile settings to take effect on your endpoints.
  12. (Supported on Cortex XDR agent 7.0 or later for Windows endpoints and Cortex XDR agent 7.3 or later for Mac and Linux endpoints) Specify the Download Source for agent and content updates.
    To reduce the external network bandwidth load during updates, you can choose the Download Source(s) from which the Cortex XDR agent retrieves agent release upgrades and content updates: a peer agent in the local network, the Palo Alto Networks Broker VM, or the Cortex XDR server directly. If all options are selected in your profile, the download is attempted first using P2P, then from the Broker VM, and lastly from the Cortex Server.
    • (Requires Cortex XDR agents 7.4 and later for P2P agent upgrade) P2P—Cortex XDR deploys serverless peer-to-peer (P2P) distribution to Cortex XDR agents in your LAN by default. Within the six-hour randomization window during which the Cortex XDR agent attempts to retrieve the new version, it broadcasts to its peer agents on the same subnet twice: once within the first hour, and once again during the following five hours. If the agent does not retrieve the files from other agents in either query, it proceeds to the next download source defined in your profile.
      To enable P2P, you must allow UDP and TCP over the PORT defined in Download Source. By default, Cortex XDR uses port 33221. You can configure another port number.
    • (Requires Cortex XDR agents 7.4 and later releases and Broker VM 12.0 and later) Broker VM—If you have a Palo Alto Networks Broker VM in your network, you can use the Local Agent Settings applet to cache release upgrades and content updates. When enabled and configured, the Broker retrieves the latest installers and content from Cortex XDR every 15 minutes and stores them for a 30-day retention period from the time an agent last requested them. If the files are not available on the Broker VM at the time of the request, the agent proceeds to download the files directly from the Cortex XDR server.
      If you enable the Broker download option, select one or more available brokers from the list. Cortex XDR lets you select only brokers that are connected and for which caching is configured. When you select multiple brokers, the agent chooses randomly which broker to use for each download request.
    • Cortex Server—To ensure your agents remain protected, the Cortex Server download source is always enabled, allowing all Cortex XDR agents in your network to retrieve content directly from the Cortex XDR server on their next heartbeat.
    Limitations in the content download process:
    • When you install the Cortex XDR agent, the agent retrieves the latest available content update version. A freshly installed agent can take five to ten minutes (depending on your network and content update settings) to retrieve the content for the first time. During this time, your endpoint is not protected.
    • When you upgrade a Cortex XDR agent to a newer Cortex XDR agent version and the new agent cannot use the content version running on the endpoint, the new content update starts within one minute over P2P and within five minutes from Cortex XDR.
  13. Enable Network Location Configuration for your Cortex XDR agents.
    (Requires Cortex XDR agents 7.1 and later releases) If you configure host firewall rules in your network, you must enable Cortex XDR to determine the network location of your device, as follows:
    1. A domain controller (DC) connectivity test—When Enabled, the DC test checks whether the device is connected to the internal network. If the device is connected to the internal network, it is in the organization. Otherwise, if the DC test fails or returns an external domain, Cortex XDR proceeds to a DNS connectivity test.
    2. A DNS test—In the DNS test, the Cortex XDR agent submits a DNS name that is known only to the internal network. If the DNS returns the pre-configured internal IP, the device is within the organization. Otherwise, if the DNS name cannot be resolved, the device is located elsewhere. Enter the IP Address and DNS Server Name for the test.
    If the Cortex XDR agent detects a network change on the endpoint, the agent triggers the device location test and recalculates the policy according to the new location.
  14. (Supported for Cortex XDR 7.7 or later for Linux only) Define the Agent Operation Mode.
    1. Select the Mode in which you want the Cortex XDR agent to run on the Linux endpoint. You can select either Kernel (default) or User Space.
    2. Select whether to run in User Space mode when Kernel mode is unavailable. By default, the User Space fall-back is disabled.
  15. Define your Agent Proxy Settings.
    Select whether to Enable or Disable Direct Server Access for the agent when it is connected using a proxy.
  16. Create your profile to save the changes.
  17. You can now create a policy rule that uses this profile in one of two ways: select Create a new policy rule using this profile from the right-click menu, or launch the new policy wizard from Policy Rules.
