Configure the Broker VM

Configure any Cortex XDR broker virtual machine (VM) as necessary.
To set up the broker virtual machine (VM), you need to deploy an image created by Palo Alto Networks on your network or supported cloud infrastructure and activate the available applications. You can set up several broker VMs for the same tenant to support larger environments. Ensure each environment matches the necessary requirements.
Before you set up the broker VM, verify you meet the following requirements:
  • Hardware: For standard installation, use a minimum of a 4-core processor, 8GB RAM, and 512GB disk. If you only intend to use the broker VM for agent proxy, you can use a 2-core processor. If you intend to use the broker VM for agent installer and content caching, you must use an 8-core processor.
    The broker VM comes with a 512GB disk. Therefore, deploy the broker VM with thin provisioning, meaning the hard disk can grow up to 512GB but will do so only if needed.
  • Bandwidth: higher than 10 Mbit/s.
  • VM compatible with one of the following infrastructures (image type; additional requirements):
    • Amazon Web Services (AWS): VMDK
    • Google Cloud Platform: VMDK
    • Microsoft Azure: VHD (Azure)
    • Microsoft Hyper-V 2012: VHD (Hyper-V 2012 or later)
    • Alibaba Cloud: QCOW2
    • Nutanix Hypervisor: QCOW2
    • Ubuntu: QCOW2
    • VMware ESXi: OVA (VMware ESXi 6.0 or later)
  • Enable communication between the Broker Service and other Palo Alto Networks services and apps. The following FQDNs, protocols, and ports must be reachable:
    • time.google.com and pool.ntp.org, UDP port 123 (default): NTP server for clock synchronization between the syslog collector and other apps and services. The broker VM provides default servers you can use, or you can define an NTP server of your choice. If you remove the default servers and do not specify a replacement, the broker VM uses the time of the host ESX.
    • br-<XDR tenant>.xdr.<region>.paloaltonetworks.com, HTTPS over TCP port 443: Broker Service server depending on the region of your deployment, such as us or eu.
    • distributions.traps.paloaltonetworks.com, HTTPS over TCP port 443: Information needed to communicate with your Cortex XDR tenant. Used by tenants deployed in all regions.
    • br-<xdr-tenant>.xdr.federal.paloaltonetworks.com, HTTPS over TCP port 443: Broker Service server for Federal (US Government) deployment.
    • distributions-prod-fed.traps.paloaltonetworks.com, HTTPS over TCP port 443: Used by tenants with Federal (US Government) deployment.
  • Enable Access to Cortex XDR from the broker VM to allow communication between agents and the Cortex XDR app.
    If you use SSL decryption in your firewalls, you need to add a trusted self-signed certificate authority on the broker VM to prevent any difficulties with SSL decryption. If adding a CA certificate to the broker is not possible, ensure that you’ve added the Broker Service FQDNs to the SSL Decryption Exclusion list on your firewalls.
Configure your broker VM as follows:
  1. In Cortex XDR, select Settings > Configurations > Data Broker > Broker VMs.
  2. Download and install the broker VM image for your corresponding infrastructure.
  3. Generate Token and copy it to your clipboard.
    The token is valid for only 24 hours. A new token is generated each time you select Generate Token.
  4. Navigate to https://<broker_vm_ip_address>/.
    When DHCP is not enabled in your network and you don’t have an IP address for your broker VM, you need to configure the broker VM with a static IP using the serial console menu of the broker VM.
  5. Log in with the default password !nitialPassw0rd and then define your own unique password.
    The password must contain a minimum of eight characters, contain letters and numbers, and at least one capital letter and one special character.
  6. Configure your broker VM settings:
    1. In the Network Interface section, review the pre-configured Name, IP address, and MAC Address, select the Address Allocation: DHCP (default) or Static, and select whether to Disable the network address or set it as Admin, the broker VM web interface.
      • If you choose Static, define the following and Save your configurations:
        • Static IP address
        • Netmask
        • Default Gateway
        • DNS Server
    2. (Requires Broker VM 14.0.42 and later) (Optional) Internal Network: specify a network subnet to avoid the broker VM dockers colliding with your internal network. By default, the Network Subnet is set to 172.17.0.1/16.
      The internal IP must be:
      • Formatted as prefix/mask, for example 192.0.2.1/24.
      • Within the /8 to /24 range.
      • Not ending with a zero.
      For Broker VM version 9.0 and lower, Cortex XDR will accept only 172.17.0.0/16.
    3. (Optional) Configure a Proxy Server address and other related details to route broker VM communication.
      • Select the proxy Type as HTTP, SOCKS4, or SOCKS5.
        You can configure another broker VM as a Proxy Server for this broker VM by selecting the HTTP type. When selecting HTTP to route broker VM communication, you need to add the IP Address and Port number (set when activating the Agent Proxy) of the other broker VM registered in your tenant that you want to designate as a proxy for this broker VM.
      • Specify the proxy Address (IP or FQDN), Port, and an optional User and Password. Select the pencil icon to specify the password.
      • Save your configurations.
    4. (Optional) (Requires Broker VM 8.0 and later) Configure your NTP servers. Specify the required server addresses using the FQDN or IP address of the server.
    5. (Requires Broker VM 8.0 and later) (Optional) In the SSH Access section, Enable or Disable SSH connections to the broker VM. SSH access is authenticated using a public key provided by the user. Using a public key grants remote access to colleagues and Cortex XDR support who have the private key. You must have Instance Administrator role permissions to configure SSH access.
      To enable the connection, generate an RSA key pair and enter the public key in the SSH Public Key section. Once one SSH public key is added, you can +Add Another. When you are finished, Save your configuration.
      When using PuTTYgen to create your public and private key pairs, you need to copy the public key generated in the Public key for pasting into OpenSSH authorized_keys file box, and paste it in the broker VM SSH Public Key section as explained above. This public key is only available while the PuTTYgen console is open after the public key is generated. If you close the PuTTYgen console before pasting the public key, you will need to generate a new public key.
    6. (Requires Broker VM 10.1.9 and later) (Optional) In the SSL Server Certificate section, upload your signed server certificate and key to establish a validated secure SSL connection between your endpoints and the broker VM. When you configure the server certificate and the key files in the Broker VM UI, Cortex XDR automatically updates them in the tenant UI.
      Cortex XDR validates that the certificate and key match, but does not validate the Certificate Authority (CA).
      The Palo Alto Networks Broker supports only strong cipher SHA256-based certificates. MD5/SHA1-based certificates are not supported.
    7. In the Trusted CA Certificate section, upload your signed Certificate Authority (CA) certificate or Certificate Authority chain file in PEM format. If you use SSL decryption in your firewalls, you need to add a trusted self-signed CA certificate on the broker VM to prevent any difficulties with SSL decryption. For example, when configuring Palo Alto Networks NGFW to decrypt SSL using a self-signed certificate, you need to ensure the broker VM can validate a self-signed CA by uploading the cert_ssl-decrypt.crt file on the broker VM.
      If adding a CA certificate to the broker is not possible, ensure that you’ve added the Broker Service FQDNs to the SSL Decryption Exclusion list on your firewalls. See Enable Access to Cortex XDR.
    8. (Requires Broker VM 8.0 and later) (Optional) Collect and Generate New Logs. Your Cortex XDR logs will download automatically after approximately 30 seconds.
  7. Register and enter your unique Token, created in the Cortex XDR console.
    Registration of the Broker VM can take up to 30 seconds.
    After a successful registration, Cortex XDR displays a notification. You are directed in Cortex XDR to Settings > Configurations > Data Broker > Broker VMs. The Broker VMs page displays your broker VM details and allows you to edit the defined configurations.
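The Internal Network rules in step 6.2 are easy to get wrong, and a value that passes them can still overlap the address plan it was meant to avoid. The following added Python example (not Palo Alto Networks code) checks a candidate value against the documented rules, applies the Broker VM 9.0-and-lower rule when asked, and reports which of your own subnets would collide with the docker network. It assumes that "cannot end with a zero" means the last octet must not be 0; the corporate subnets used in the test are constructed sample data.

```python
import ipaddress

# Rules from the Broker VM "Internal Network" step (Broker VM 14.0.42 and later).
MIN_MASK, MAX_MASK = 8, 24
DEFAULT_INTERNAL_NETWORK = "172.17.0.1/16"
LEGACY_ONLY_NETWORK = "172.17.0.0/16"  # the only value Broker VM 9.0 and lower accept


def validate_internal_network(value, legacy=False):
    """Return (ok, reason) for a candidate Internal Network value.

    legacy=True applies the Broker VM 9.0-and-lower rule instead.
    Assumption: "cannot end with a zero" means the last octet must not be 0
    (the documented default 172.17.0.1/16 is consistent with that reading).
    """
    if legacy:
        return value == LEGACY_ONLY_NETWORK, f"only {LEGACY_ONLY_NETWORK} is accepted"
    addr_part, sep, mask_part = value.partition("/")
    if not sep or not mask_part.isdigit():
        return False, "must be formatted as prefix/mask, for example 192.0.2.1/24"
    try:
        addr = ipaddress.IPv4Address(addr_part)
    except ValueError:
        return False, f"{addr_part!r} is not a valid IPv4 address"
    mask = int(mask_part)
    if not MIN_MASK <= mask <= MAX_MASK:
        return False, f"/{mask} is outside the allowed /{MIN_MASK} to /{MAX_MASK} range"
    if int(addr) & 0xFF == 0:
        return False, "address cannot end with a zero"
    return True, "ok"


def colliding_subnets(value, internal_subnets):
    """List the internal subnets that overlap the docker network implied by value."""
    # strict=False drops host bits, so 172.17.0.1/16 is treated as 172.17.0.0/16.
    docker_net = ipaddress.ip_network(value, strict=False)
    return [s for s in internal_subnets if ipaddress.ip_network(s).overlaps(docker_net)]


def pick_internal_network(candidates, internal_subnets):
    """Return the first candidate that passes validation and collides with nothing."""
    for cand in candidates:
        if validate_internal_network(cand)[0] and not colliding_subnets(cand, internal_subnets):
            return cand
    return None
```

Run it against your own address plan before saving the Internal Network value; a collision means the broker's docker networks would share addresses with hosts the broker must reach.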