Configure the Broker VM

Configure any Cortex® XDR™ broker virtual machine (VM) as necessary.

To set up the broker virtual machine (VM), you need to deploy an image created by Palo Alto Networks on your network or supported cloud infrastructure and activate the available applications. You can set up several broker VMs for the same tenant to support larger environments. Ensure each environment matches the necessary requirements.

Before you set up the broker VM, verify you meet the following requirements:

Hardware: For standard installation, use a minimum of a 4-core processor, 8GB RAM, and 512GB disk. If you only intend to use the broker VM for agent proxy, you can use a 2-core processor. If you intend to use the broker VM for agent installer and content caching, you must use an 8-core processor.

The broker VM comes with a 512GB disk. Therefore, deploy the broker VM with thin provisioning, meaning the hard disk can grow up to 512GB but will do so only if needed.

Bandwidth is higher than 10mbit/s.

VM compatible with:

Infrastructure	Image Type	Additional Requirements
Amazon Web Services (AWS)	VMDK	Create a Broker VM Amazon Machine Image (AMI)
Google Cloud Platform	VMDK	Set up the Broker VM on Google Cloud Platform (GCP)
Microsoft Azure	VHD (Azure)	Create a Broker VM Azure Image
Microsoft Hyper-V 2012	VHD	Hyper-V 2012 or later
Alibaba Cloud	QCOW2	Create a Broker VM Image for Alibaba Cloud
Nutanix Hypervisor	QCOW2	Create a Broker VM Image for a Nutanix Hypervisor Nutanix AHV 2021
Ubuntu	QCOW2	Create a Broker VM Image for Ubuntu Version 18.04
VMware ESXi	OVA	VMware ESXi 6.0 or later

Enable communication between the Broker Service, and other Palo Alto Networks services and apps.

FQDN, Protocol, and Port	Description
(`Default`) time.google.com pool.ntp.org UDP port 123	NTP server for clock synchronization between the syslog collector and other apps and services. The broker VM provides default servers you can use, or you can define an NTP server of your choice. If you remove the default servers, and do not specify a replacement, the broker VM uses the time of the host ESX.
br-`<XDR tenant>`.xdr.<region>.paloaltonetworks.com HTTPS over TCP port 443	Broker Service server depending on the region of your deployment, such as us or eu .
distributions-prod-us.traps.paloaltonetworks.com HTTPS over TCP port 443	Information needed to communicate with your Cortex XDR tenant. Used by tenants deployed in all regions.

Enable Access to Cortex® XDR™ from the broker VM to allow communication between agents and the Cortex XDR app.

You must also add the Broker Service FQDNs to the SSL Decryption Exclusion list on your Palo Alto Networks firewalls. If you are using self-signed certificate authority, make sure configure

cert_ssl-decrypt.crt

on the broker.

Configure your broker VM as follows:

In Cortex XDR, select

Settings (

)

Configurations

Broker VM

Download

and install the broker VM images for your corresponding infrastructure:

Amazon Web Services (AWS)—Use the

VMDK

to Create a Broker VM Amazon Machine Image (AMI).

Google Cloud Platform—Use the

VMDK

image to Set up the Broker VM on Google Cloud Platform (GCP).

Microsoft Hyper-V—Use the

VHD

image.

Microsoft Azure—Use the

VHD (Azure)

image to Create a Broker VM Azure Image.

VMware ESXi—Use the

OVA

image.

Generate Token

and copy to your clipboard.

The token is valid only for 24 hours. A new token is generated each time you select

Generate Token

Navigate to

https://<broker_vm_ip_address>/

!nitialPassw0rd

and then define your own unique password.

The password must contain a minimum of eight characters, contain letters and numbers, and at least one capital letter and one special character.

Configure your broker VM settings:

In the

Network Interface

section, review the pre-configured

Name

address, and

MAC Address

, select the

Address Allocation

DHCP

(default) or

Static

, and select to either to

Disable

or set as

Admin

the network address as the broker VM web interface.

If you choose

Static

, define the following and

Save

your configurations:

Static

address

Netmask

Default Gateway

DNS Server

(Requires Broker VM 14.0.42 and later) (Optional)

Internal Network

Specify a network subnet to avoid the broker VM dockers colliding with your internal network. By default, the

Network Subnet

is set to

172.17.0.1/16

Internal IP must be:

Formatted as

prefix/mask

, for example

192.0.2.1/24

Must be within

/24

range.

Cannot be configured to end with a zero.

For Broker VM version 9.0 and lower, Cortex XDR will accept only

172.17.0.0/16

(Optional) Configure a

Proxy Server

Select the proxy

Type

HTTP

SOCKS4

SOCKS5

Enter the proxy

Address

Port

and an optional

User

and

Password

. Select the pencil icon to enter the password.

Save

your configurations.

(Optional) (Requires Broker VM 8.0 and later) Configure your

NTP

servers.

Enter the required server addresses using the FQDN or IP address of the server.

(Requires Broker VM 8.0 and later) (Optional) In the

SSH Access

section,

Enable

Disable

SSH connections to the broker VM. SSH access is authenticated using a public key, provided by the user. Using a public key grants remote access to colleagues and Cortex XDR support who the private key. You must have Instance Administrator role permissions to configure SSH access.

To enable connection, generate an RSA Key Pair, enter the public key in the

SSH Public Key

section. Once one SSH public key is added, you can

+Add Another

. When you are finished,

Save

your configuration.

When using PuTTYgen to create your public and private key pairs, you need to copy the public key generated in the

Public key for pasting into OpenSSH authorized_keys file

box, and paste it in the broker VM

SSH Public Key

section as explained above. This public key is only available when the PuTTYgen console is open after the public key is generated. If you close the PuTTYgen console before pasting the public key, you will need to generate a new public key.

(Requires Broker VM 10.1.9 and later) (Optional) In the

SSL Certificates

section, upload your signed server certificate and key to establish a validated secure SSL connection between your endpoints and the broker VM. Cortex XDR validates that the certificate and key match, but does not validate the Certificate Authority (CA).

The Palo Alto Networks Broker supports only strong cipher SHA256-based certificates. MD5/SHA1-based certificates are not supported.

In the

Trusted CA Certificate

section, upload your signed Certificate Authority (CA) certificate or Certificate Authority chain file in a PEM format. Configuring a trusted CA certificate is useful when the Broker VM communication with Cortex XDR is inspected by an SSL decrypting device. For example, when configuring Palo Alto Networks NGFW to decrypt SSL using a self-signed certificate. To ensure the broker can validate a self-signed CA, configure

cert_ssl-decrypt.crt

on the broker vm.

(Requires Broker VM 8.0 and later) (Optional) Collect and

Download Logs

. Your XDR logs will download automatically after approximately 30 seconds.

and enter your unique

Token

, created in Cortex XDR console.

Registration of the Broker VM can take up to 30 seconds.

After a successful registration, Cortex XDR displays a notification.

You are directed in Cortex XDR to

Settings (

)

Configurations

Broker VM

. The

Broker VMs

page displays your broker VM details and allows you to edit the defined configurations.

Document:Cortex XDR™ Pro Administrator’s Guide

Configure the Broker VM

Configure the Broker VM

Recommended For You

Document:Cortex XDR™ Pro Administrator’s Guide

Configure the Broker VM

Configure the Broker VM

Recommended For You

Recommended Videos