Enable Access to Cortex XDR
To complete your Cortex XDR setup, you must enable access to Cortex XDR services.
After you receive your account details, enable and verify access to
- (Optional) If you are deploying the broker VM as a proxy betweenCortexXDRand theCortexXDR agents, start by enabling the communication between them.
- In your firewall configuration, enable access toCortexXDRcommunication servers, storage buckets, and resources.For the complete list or resources, refer to Resources Required to Enable Access to Cortex.
- cortex-xdr—Requires PAN-OS Applications and Threats content update version 8279 or a later release.
- traps-management-service—Requires PAN-OS Applications and Threats content update version 793 or a later release.
- (Optional for endpoints running the following or later releases: Cortex XDR 7.5.1 Hotfix 1 and later, Cortex XDR 7.4.3 Hotfix 1 and later, Cortex XDR 7.3.4 Hotfix 1 and later, Traps 6.1.8 Hotfix 1 and later, Traps 6.1.7 Hotfix 1 and later, and Traps 5.0.12 Hotfix 1 and later) To establish secure communication (TLS) toCortexXDR, the endpoints, and any other devices that initiate a TLS connection withCortex, you must have the following certificates installed on the operating system.CertificateFingerprintGoDaddy Root Certificate Authority - G2 (Godaddy)
GoDaddy Class 2 Root Certification Authority Certificate
- SHA1 Fingerprint—47 BE AB C9 22 EA E8 0E 78 78 34 62 A7 9F 45 C2 54 FD E6 8B
- SHA256 Fingerprint—45 14 0B 32 47 EB 9C C8 C5 B4 F0 D7 B5 30 91 F7 32 92 08 9E 6E 5A 63 E2 74 9D D3 AC A9 19 8E DA
R1 GlobalSign Root Certificate (Google)
- SHA1 Fingerprint—27 96 BA E6 3F 18 01 E2 77 26 1B A0 D7 77 70 02 8F 20 EE E4
- SHA256 Fingerprint—C3 84 6B F2 4B 9E 93 CA 64 27 4C 0E C6 7C 1E CC 5E 02 4F FC AC D2 D7 40 19 35 0E 81 FE 54 6A E4
For theCortexXDR agent 5.X release installed on endpoints running a Windows version that does not support SHA256 by default, you must install KB2868626 to establish a connection betweenCortexXDRand the agent. This applies to Windows Server 2003 R2 (32-bit) (SP2 & later), Windows Server 2003 (32-bit) (SP2 & later), Windows XP (32-bit) (SP3 & later), Windows Server 2008 (all editions; FIPS Mode), and Windows Vista (SP1 & later; FIPS Mode).
- SHA1 Fingerprint—b1 bc 96 8b d4 f4 9d 62 2a a8 9a 81 f2 15 01 52 a4 1d 82 9c
- SHA256 Fingerprint—eb d4 10 40 e4 3e c7 c9 e3 81 d3 1e f2 a4 1a 48 b6 68 5c 96 e7 ce f3 c1 df 6c d4 33 1c 99
- (Windows only) Enable access for Windows CRL checks.(Endpoints running the following or later releases: Traps 6.0.3, Traps 6.1.1, and Cortex XDR 7.0 and later) When theCortexXDR agent examines portable executables (PEs) running on the endpoint as part of the enforced Malware Security Profile, the agent performs a certificate revocation (CRL) check. The CRL check ensures that the certificate used to sign a given PE is still considered valid by its Certificate Authority (CA), and has not been revoked. To validate the certificate, theCortexXDR agent leverages Microsoft Windows APIs and triggers the operating system to fetch the specific Certificate Revocation List (CRL) from the internet. To complete the certificate revocation check, the endpoint needs HTTP access to a dynamic list of URLs, based on the PEs that are executed or scanned on the endpoint.
- If a system-wide proxy is defined for the endpoint (statically or using a PAC file), Microsoft Windows downloads the CRL lists through the proxy.
- If a specific proxy is defined for theCortexXDR agent, and the endpoint has no access to the internet over HTTP, then Microsoft Windows will fail to download the CRL lists. As a result, the certificate revocation check will fail and the certificate will be considered valid by the agent, while creating a latency in executing PEs. If theCortexXDR agent is running in an isolated environment that prohibits the successful completion of certificate revocation checks, the Palo Alto Networks Support team can provide a configuration file that will disable the revocation checks and avoid unnecessary latency in the execution time of PEs.
- (Supported on) Enable peer-to-peer (P2) content updates.CortexXDR agent 7.0 or a later for Windows endpoints andCortexXDR agent 7.3 or later for Mac and Linux endpointsBy default, theCortexXDR agent retrieves content updates from its peerCortexXDR agents on the same subnet. To enable P2P, you must enable UDP and TCP over port 33221. You can change the port number or choose to download the content directly from theCortexXDRsever in the Agent settings profile.
- Verify that you can access yourCortexXDRtenant.After you download and install theCortexXDR agent software on your endpoints and configure your endpoint security policy, verify that theCortexXDR agents can check in withCortexXDRto receive the endpoint policy.
- If you use SSL decryption and experience difficulty in connecting theCortexXDR agent to the server, we recommend that you add the FQDNs required for access to your SSL Decryption Exclusion list.In PAN-OS 8.0 and later releases, you can configure the list in.DeviceCertificate ManagementSSL Decryption Exclusion
Recommended For You
Recommended videos not found.