Add a New Agent Settings Profile
Agent Settings Profiles enable you to customize Cortex XDR agent settings for different platforms and groups of users.
- Add a new profile.
- From Cortex XDR, select Endpoints > Policy Management > Prevention > Profiles > + New Profile, and then select whether to Create New or Import from File a new profile. Newly imported profiles are added alongside existing profiles; they do not replace them.
- Select the platform to which the profile applies and Agent Settings as the profile type.
- Define the basic settings.
- Enter a unique Profile Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose is visible in the list of profiles when you configure a policy rule.
- To provide additional context for the purpose or business reason for creating the profile, enter a profile Description. For example, you might include an incident identification number or a link to a help desk ticket.
- (Windows, Mac, and Linux only) Configure the Disk Space to allot for Cortex XDR agent logs. Specify a value in MB from 100 to 10,000 (default is 5,000).
- (Windows and Mac only) Configure User Interface options for the Cortex XDR console. By default, Cortex XDR uses the settings specified in the default agent settings profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for this profile.
- Tray Icon—Choose whether the Cortex XDR agent icon is Visible (default) or Hidden in the notification area (system tray).
- XDR Agent Console Access—Enable this option to allow access to the Cortex XDR console on the endpoint.
- XDR Agent User Notifications—Enable this option to display notifications in the notification area on the endpoint. When disabled, the Cortex XDR agent operates in silent mode and displays no notifications in the notification area. If you enable notifications, you can use the default notification messages or provide custom text for each notification type. You can also customize a notification footer.
- Live Terminal User Notifications—Choose whether to Notify the end user and display a pop-up on the endpoint when you initiate a Live Terminal session. For Cortex XDR agents 7.3 and later releases only, you can instead choose to Request end-user permission to start the session. If the end user denies the request, you cannot initiate a Live Terminal session on the endpoint.
- (Cortex XDR agent 7.3 and later releases only) Live Terminal Active Session Indication—Enable this option to display a blinking light on the tray icon (or in the status bar on Mac endpoints) for the duration of the remote session, to indicate to the end user that a Live Terminal session is in progress.
- (Android only) Configure network usage preferences. When Upload Using Cellular Data is enabled, the Cortex XDR agent uses cellular data to send unknown apps to Cortex XDR for inspection. Standard data charges may apply. When this option is disabled, the agent queues any unknown files and sends them when the endpoint connects to a Wi-Fi network. If configured, the data usage setting on the Android endpoint takes precedence over this configuration.
- (Windows and Mac only) Configure Agent Security options that prevent unauthorized access to, or tampering with, the Cortex XDR agent components. Use the default agent settings or customize them for the profile. To customize agent security capabilities:
- Enable XDR Agent Tampering Protection.
- (Windows only) By default, the Cortex XDR agent protects all agent components; however, you can configure protection more granularly for Cortex XDR agent services, processes, files, and registry values. With Traps 5.0.6 and later releases, when protection is enabled, access to the protected components is read-only. In earlier Traps releases, enabling protection disables all access to the protected services, processes, files, and registry values.
- (Windows and Mac only) Set an Uninstall Password. Define and confirm a password that the user must enter to uninstall the Cortex XDR agent. The uninstall password is protected with PBKDF2 (a one-way password-based key derivation function, not a reversible encryption algorithm) when it is transferred between Cortex XDR and Cortex XDR agents. The uninstall password is also required for Cytool commands that could otherwise be used to tamper with the agent. The default uninstall password is Password1. Because this default is public, set a new password in every profile you deploy; a profile that keeps the default offers no protection against uninstallation. A new password must satisfy the Password Strength indicator requirements:
- Contain eight or more characters.
- Contain English letters, numbers, or any of the following symbols: !()-._`~@#"'.
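The following is an added example, not Cortex XDR code, that checks a proposed uninstall password against the strength rules above and then derives a PBKDF2 verifier for it, so that the cleartext never has to be stored or compared directly. The PBKDF2 parameters (HMAC-SHA256, a 16-byte random salt, 600,000 iterations) are this example's assumptions; the page does not state which parameters the agent itself uses.

```python
"""Added example, not Cortex XDR code: validate an uninstall password against the
strength rules listed above, then derive and verify a PBKDF2 verifier for it.

Assumptions (not stated on the page): PBKDF2-HMAC-SHA256, 16-byte random salt,
600,000 iterations. The real agent's parameters are not documented here."""
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Symbols quoted from the Password Strength rules above.
ALLOWED_SYMBOLS = "!()-._`~@#\"'"
_ALLOWED_RE = re.compile(r"[A-Za-z0-9" + re.escape(ALLOWED_SYMBOLS) + r"]+")
DEFAULT_UNINSTALL_PASSWORD = "Password1"   # documented default; must be replaced

PBKDF2_HASH = "sha256"        # assumption
PBKDF2_ITERATIONS = 600_000   # assumption
SALT_LEN = 16                 # assumption


def check_uninstall_password(password: str) -> list[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("must contain eight or more characters")
    if not _ALLOWED_RE.fullmatch(password):
        problems.append("may contain only English letters, numbers, or " + ALLOWED_SYMBOLS)
    if password == DEFAULT_UNINSTALL_PASSWORD:
        problems.append("is the documented default and offers no protection")
    return problems


def make_verifier(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Derive (salt, key) with PBKDF2; a fresh random salt is used unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac(PBKDF2_HASH, password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(candidate: str, salt: bytes, expected_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, key = make_verifier(candidate, salt)
    return hmac.compare_digest(key, expected_key)


if __name__ == "__main__":
    for pw in (DEFAULT_UNINSTALL_PASSWORD, "short", "no spaces!", "Xdr!Agent_2024"):
        print(f"{pw!r}: {check_uninstall_password(pw) or 'OK'}")
    salt, key = make_verifier("Xdr!Agent_2024")
    print("verify correct:", verify_password("Xdr!Agent_2024", salt, key))
    print("verify wrong:  ", verify_password("Xdr!Agent_2025", salt, key))
```

Because PBKDF2 is one-way, the stored verifier cannot be turned back into the password; an attacker who obtains it still has to guess, and the iteration count sets the cost of each guess.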
- (Windows only) Configure Windows Security Center Integration. The Windows Security Center is a reporting tool that monitors the system health and security state of endpoints running Windows 7 and later releases:
When you Enable the Cortex XDR agent to register with the Windows Security Center, Windows shuts down Microsoft Defender on the endpoint automatically. If you still want to allow Microsoft Defender to run on an endpoint where Cortex XDR is installed, you must Disable this option. However, Palo Alto Networks does not recommend running Microsoft Defender and the Cortex XDR agent on the same endpoint, because doing so might cause performance issues and incompatibility issues with GlobalProtect and other applications.
- Enabled—The Cortex XDR agent registers with the Windows Security Center as an official antivirus (AV) product. As a result, Windows shuts down Microsoft Defender on the endpoint automatically, except on endpoints running Windows Server versions. To avoid performance issues, Palo Alto Networks recommends that you disable or remove Microsoft Defender from Windows Server endpoints where the Cortex XDR agent is installed.
- Enabled (No Patches)—For the Cortex XDR agent 5.0 release only, select this option if you want to register the agent with the Windows Security Center but prevent Windows from automatically installing the Meltdown/Spectre vulnerability patches on the endpoint.
- Disabled—The Cortex XDR agent does not register with the Windows Security Center (Action Center on older Windows releases). As a result, the Security Center might indicate that virus protection is Off, depending on which other security products are installed on the endpoint.
- Configure Alerts Data collection options. When the Cortex XDR agent alerts on process-related activity on the endpoint, the agent collects the contents of memory and other data about the event in what is known as an alert data dump file. You can customize the Alert Data Dump File Size—Small, Medium, or Full (the largest and most complete set of information)—and whether to Automatically Upload Alert Data Dump File to Cortex XDR. During event investigation, if automatic uploading of the alert data dump file was disabled, you can retrieve the data manually.
- (Requires a Cortex XDR Pro per Endpoint license) Enable and configure Cortex XDR Pro Endpoint capabilities on the endpoint, including enhanced data collection, advanced responses, and available Pro add-ons.
- Enable XDR Pro Endpoints Capabilities to configure which Pro capabilities to activate on the endpoint. The Pro features are hidden until you enable this capability. Enabling it consumes a Cortex XDR Pro per Endpoint license.
- (Supported on Cortex XDR agent 6.0 or later for Windows endpoints and Cortex XDR agent 6.1 or later for Mac and Linux endpoints) Enable Monitor and Collect Enhanced Endpoint Data. By default, the Cortex XDR agent collects information about events that occur on the endpoint. If you enable Behavioral Threat Protection in a Malware Security profile, the Cortex XDR agent also collects information about all active file, process, network, and registry activity on the endpoint (see Endpoint Data Collected by Cortex XDR). When you enable the agent to monitor and collect enhanced endpoint data, you allow Cortex XDR to share the detailed endpoint information with other Cortex apps. This information provides endpoint context when a security event occurs, so that you can gain insight into the overall event scope during investigation: all activities that took place during an attack, the endpoints that were involved, and the damage caused. When disabled, the Cortex XDR agent does not share endpoint activity logs.
- (Requires the Host Insights add-on and Cortex XDR agent 7.1 or later releases) Enable Host Insights Capabilities.
- Enable Endpoint Information Collection to allow the Cortex XDR agent to collect Host Inventory information such as users, groups, services, drivers, hardware, and network shares, as well as information about applications installed on the endpoint, including CVEs and installed KBs for Vulnerability Assessment.
- (Supported on Cortex XDR agent 7.2 or later for Windows endpoints and Cortex XDR agent 7.3 or later for Mac endpoints) Enable File Search and Destroy Action Mode to allow the Cortex XDR agent to collect detailed information about files on the endpoint and build a file inventory database. The agent locally monitors any actions performed on these files and updates the local file database in real time. With this option you can also choose the File Search and Destroy Monitored File Types: Cortex XDR monitors either all file types or only common file types. If you choose Common file types, Cortex XDR monitors the following file types:
- Windows—bat, bmp, c, cab, cmd, cpp, csv, db, dbf, doc, docb, docm, docx, dotm, dotx, dwg, dxf, exe, exif, gif, gz, jar, java, jpeg, jpg, js, keynote, mdb, mdf, msi, myd, pages, pdf, png, pot, potm, ppam, pps, ppsm, ppsx, ppt, pptm, pptx, ps1, pub, py, rar, rtf, sdf, sldm, sldx, sql, sqlite, sqlite3, svg, tar, txt, url, vb, vbe, vbs, vbscript, vsd, vsdx, wsf, xla, xlb, xlm, xls, xlsm, xlsx, xlt, xltm, xltx, xps, zip, and 7z.
- Mac—acm, apk, ax, bat, bin, bundle, csv, dll, dmg, doc, docm, docx, dylib, efi, hta, jar, js, jse, jsf, lua, mpp, mppx, mui, o, ocx, pdf, pkg, pl, plx, pps, ppsm, ppsx, ppt, pptm, pptx, py, pyc, pyo, rb, rtf, scr, sh, vds, vsd, wsf, xls, xlsm, xlsx, xsdx, and zip.
Additionally, you can exclude files under a specific local path on the endpoint from the file database.
- (Requires the Forensics add-on and Cortex XDR agent 7.4 or later for Windows endpoints) Enable Monitor and Collect Forensics Data to allow the Cortex XDR agent to collect detailed information about what happened on the endpoint and build a forensics database. For each of the following entity types, define whether to enable collection and at what time interval:
- Process Execution
- File Access
- Command History
- Remote Access
- Search Collections
Data collected by the agent is displayed in the Forensic Data Analysis page.
- (Supported on Cortex XDR agent 7.5 or later for Windows endpoints and requires to15) Enable Distributed Network Scan to allow the Cortex XDR agent to scan your network (using Ping or Nmap) to provide updated identifiers of your unmanaged network assets, such as IP addresses and OS platforms. Scan results can be viewed in the Asset Management table.
- Enable the Action Mode.
- In Scan Mode, select Nmap or Ping.
- If you selected Nmap, enable or disable OS Fingerprinting. A Ping scan only establishes which addresses respond, so OS platform identification needs the Nmap mode; OS fingerprinting sends additional active probes to each host, which is noisier and more likely to be flagged by network monitoring than a plain reachability scan.
- (Windows and Mac only) Response Actions. If you need to isolate an endpoint but want to allow access for a specific application, add the process to the Network Isolation Allow List. Consider the following when building the allow list:
- When you add a specific application to the network isolation allow list, the Cortex XDR agent continues to block some internal system processes. This is because some applications, for example ping.exe, use other processes to facilitate network communication. As a result, if the Cortex XDR agent continues to block an application you included in your allow list, you may need to perform additional network monitoring to determine which process actually facilitates the communication, and then add that process to the allow list.
- (Windows) In VDI sessions, the network isolation response action can disrupt communication with the VDI host management system and thereby halt access to the VDI session. Before using the response action, add the VDI processes and their corresponding IP addresses to your allow list.
- + Add an entry to the allow list.
- Specify the Process Path you want to allow and the IPv4 or IPv6 address of the endpoint. Use the * wildcard on either side to match any process or any IP address. For example, specify * as the process path and a specific IP address to allow any process on the isolated endpoint to communicate with that address. Conversely, specify * as the IP address and a specific process path to allow that process to communicate on any isolated endpoint that receives this profile.
- Click the check mark when finished.
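The following is an added example, not Cortex XDR code, that models how Network Isolation Allow List entries are matched and adds a lint for entries that quietly undo isolation. Entries pair a Process Path with an IPv4/IPv6 address, and * on either side matches anything. The matching details are this example's assumptions (paths compare case-insensitively with / and \ treated alike; addresses compare exactly after parsing), and all entries, paths, addresses and connection attempts are constructed sample data.

```python
"""Added example, not Cortex XDR code: a model of Network Isolation Allow List matching.

Assumptions not stated on the page: process paths compare case-insensitively with
'/' and '\\' treated alike; addresses compare exactly after parsing. Sample entries
and connection attempts are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

WILDCARD = "*"


@dataclass(frozen=True)
class AllowEntry:
    process_path: str   # full path of the allowed process, or "*"
    address: str        # IPv4/IPv6 address, or "*"


def _norm_path(path: str) -> str:
    return path.replace("/", "\\").lower()


def _address_matches(entry_addr: str, remote: str) -> bool:
    if entry_addr == WILDCARD:
        return True
    try:
        return ipaddress.ip_address(entry_addr) == ipaddress.ip_address(remote)
    except ValueError:
        return False          # a malformed address on either side never matches


def matching_entry(process_path: str, remote: str, allow_list: list[AllowEntry]) -> AllowEntry | None:
    """First entry that permits this process/address pair on an isolated endpoint, else None."""
    for entry in allow_list:
        path_ok = entry.process_path == WILDCARD or _norm_path(entry.process_path) == _norm_path(process_path)
        if path_ok and _address_matches(entry.address, remote):
            return entry
    return None


def blocked_attempts(attempts: list[tuple[str, str]], allow_list: list[AllowEntry]) -> list[tuple[str, str]]:
    """Attempts (actual originating process, remote address) that isolation still blocks.
    This is the ping.exe situation above: the allowed binary may hand traffic to another
    process, and that process is what has to be on the list."""
    return [(proc, addr) for proc, addr in attempts if matching_entry(proc, addr, allow_list) is None]


def lint_allow_list(allow_list: list[AllowEntry]) -> list[str]:
    """Warn about entries that make isolation meaningless or that can never match."""
    warnings = []
    for i, entry in enumerate(allow_list):
        if entry.process_path == WILDCARD and entry.address == WILDCARD:
            warnings.append(f"entry {i}: '*' for both process and address disables isolation entirely")
        elif entry.address != WILDCARD:
            try:
                ipaddress.ip_address(entry.address)
            except ValueError:
                warnings.append(f"entry {i}: {entry.address!r} is not a valid IPv4/IPv6 address")
    return warnings


# Constructed sample profile: ping.exe may reach one host, any process may reach the VDI
# management address, and the VDI agent may talk to anything.
SAMPLE_ALLOW_LIST = [
    AllowEntry(r"C:\Windows\System32\ping.exe", "10.1.1.5"),
    AllowEntry(WILDCARD, "10.1.1.10"),
    AllowEntry(r"C:\Program Files\VDI\agent.exe", WILDCARD),
]

# Constructed traffic observed on the isolated endpoint: (originating process, remote address).
SAMPLE_ATTEMPTS = [
    (r"C:\Windows\System32\ping.exe", "10.1.1.5"),
    (r"C:\Windows\System32\svchost.exe", "10.1.1.5"),    # helper process, not on the list
    (r"C:\Windows\System32\svchost.exe", "10.1.1.10"),
    (r"C:\Program Files\VDI\agent.exe", "2001:db8::1"),
]

if __name__ == "__main__":
    print("still blocked:", blocked_attempts(SAMPLE_ATTEMPTS, SAMPLE_ALLOW_LIST))
    print("lint:", lint_allow_list(SAMPLE_ALLOW_LIST + [AllowEntry(WILDCARD, WILDCARD)]))
```

Run the lint before saving a profile: an entry with * in both fields is equivalent to not isolating the endpoint at all, and a mistyped address silently never matches.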
- (Supported on Cortex XDR agent 7.0 or later for Windows endpoints and Cortex XDR agent 7.3 or later for Mac and Linux endpoints) Specify the Content Configuration for your Cortex XDR agents.
If you disable or delay the automatic content updates provided by Palo Alto Networks, endpoints keep running older content, which may lower the security level in your organization.
- Content Auto-update—By default, the Cortex XDR agent always retrieves the most recent content and deploys it on the endpoint, so the endpoint is always protected with the latest security measures. However, you can Disable automatic content download. The agent then stops retrieving content updates from the Cortex XDR server and keeps working with the content currently on the endpoint.
- If you disable content updates for a newly installed agent, the agent retrieves the content once from Cortex XDR and then disables content updates on the endpoint.
- When you add a Cortex XDR agent to an endpoint group whose policy disables content auto-updates, the policy applies to the added agent as well.
- Content Rollout—The Cortex XDR agent can retrieve content updates Immediately as they become available, or after a pre-configured Delayed period. When you delay content updates, the agent retrieves content according to the configured delay. For example, with a delay period of two days, the agent does not use any content released in the last 48 hours.
- Enable Agent Auto Upgrade for your Cortex XDR agents. To ensure your endpoints are always up to date with the latest Cortex XDR agent release, enable automatic agent upgrades.
- Select the Automatic Upgrade Scope:
- Latest agent release
- Only maintenance release
- Only maintenance release in a specific version
- Upgrade to a specific version
- Select the Upgrade Rollout:
- Delayed—Specify the Delay Period In Days as a numeric value from 7 through 45.
To control the agent auto-upgrade scheduler and the number of parallel upgrades in your network, see Configure Global Agent Settings. Automatic upgrades are not supported for non-persistent VDI and temporary sessions.
- (Optional) For Critical Environment (CE) versions, select whether to upgrade CE versions only within the CE lines. It can take up to 15 minutes for new or updated auto-upgrade profile settings to take effect on your endpoints.
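The following is an added example, not Cortex XDR code, that shows how a Delayed rollout decides which release an endpoint may use. It serves both the Content Rollout setting (with a delay of N days, nothing released in the last N*24 hours is used) and the Agent Auto Upgrade delay (which the page limits to 7 through 45 days). The release names and timestamps are constructed sample data.

```python
"""Added example, not Cortex XDR code: which content or agent release a Delayed
rollout permits. Rule from the page: a delay of N days excludes anything released
in the last N*24 hours; the agent-upgrade delay must be 7..45 days.
Release names and timestamps below are constructed sample data."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

AGENT_DELAY_MIN_DAYS = 7
AGENT_DELAY_MAX_DAYS = 45


def validate_agent_delay(days: int) -> int:
    """Delay Period In Days for agent auto-upgrade must be within 7..45."""
    if not AGENT_DELAY_MIN_DAYS <= days <= AGENT_DELAY_MAX_DAYS:
        raise ValueError(f"Delay Period In Days must be {AGENT_DELAY_MIN_DAYS}..{AGENT_DELAY_MAX_DAYS}, got {days}")
    return days


def eligible_release(releases: dict[str, datetime], now: datetime, delay_days: int) -> str | None:
    """Newest release published at least delay_days before now; None if nothing is old enough yet."""
    cutoff = now - timedelta(days=delay_days)
    old_enough = [(published, name) for name, published in releases.items() if published <= cutoff]
    return max(old_enough)[1] if old_enough else None


def skipped_releases(releases: dict[str, datetime], now: datetime, delay_days: int) -> list[str]:
    """Releases newer than the delay permits, oldest first: the protection the endpoint is still waiting on."""
    cutoff = now - timedelta(days=delay_days)
    ordered = sorted((published, name) for name, published in releases.items())
    return [name for published, name in ordered if published > cutoff]


# Constructed sample data: three content releases relative to a fixed "now".
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
CONTENT_RELEASES = {
    "content-1000": NOW - timedelta(days=5),
    "content-1001": NOW - timedelta(hours=47),
    "content-1002": NOW - timedelta(hours=6),
}

if __name__ == "__main__":
    for delay in (0, 2, 10):
        print(f"delay {delay}d -> use {eligible_release(CONTENT_RELEASES, NOW, delay)}, "
              f"waiting on {skipped_releases(CONTENT_RELEASES, NOW, delay)}")
    validate_agent_delay(7)
    validate_agent_delay(45)
```

With a two-day delay the sample endpoint stays on content-1000 even though content-1001 is 47 hours old; skipped_releases makes that gap visible, which is the trade-off the warning above refers to.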
- (Supported on Cortex XDR agent 7.0 or later for Windows endpoints and Cortex XDR agent 7.3 or later for Mac and Linux endpoints) Specify the Download Source for agent and content updates. To reduce external network bandwidth load during updates, you can choose the Download Source(s) from which the Cortex XDR agent retrieves agent release upgrades and content updates: a peer agent in the local network, the Palo Alto Networks Broker VM, or the Cortex XDR server directly. If all options are selected in your profile, the agent attempts downloads first using P2P, then from the Broker VM, and lastly from the Cortex server.
- (Requires Cortex XDR agents 7.4 and later for P2P agent upgrade) P2P—Cortex XDR deploys serverless peer-to-peer (P2P) distribution to Cortex XDR agents in your LAN by default. Within the six-hour randomization window during which the agent attempts to retrieve the new version, it broadcasts to its peer agents on the same subnet twice: once within the first hour, and once again during the following five hours. If the agent did not retrieve the files from other agents in either query, it proceeds to the next download source defined in your profile. To enable P2P, you must allow UDP and TCP on the PORT defined in Download Source. By default, Cortex XDR uses port 33221. You can configure another port number.
- (Requires Cortex XDR agents 7.4 and later releases and Broker VM 12.0 and later) Broker VM—If you have a Palo Alto Networks Broker VM in your network, you can use its Local Agent Settings applet to cache release upgrades and content updates. When enabled and configured, the Broker VM retrieves the latest installers and content from Cortex XDR every 15 minutes and retains them for 30 days after an agent last requested them. If the files were not available on the Broker VM at the time of the request, the agent proceeds to download the files directly from the Cortex XDR server. If you enable the Broker VM download option, select one or more available brokers from the list. Cortex XDR lets you select only brokers that are connected and have caching configured. When you select multiple brokers, the agent chooses a broker at random for each download request.
- Cortex Server—To ensure your agents remain protected, the Cortex Server download source is always enabled, so that all Cortex XDR agents in your network can retrieve content directly from the Cortex XDR server on their next heartbeat.
Limitations in the content download process:
- When you install the Cortex XDR agent, the agent retrieves the latest content update version available. A freshly installed agent can take between five and ten minutes (depending on your network and content update settings) to retrieve the content for the first time. During this time, the endpoint is not protected.
- When you upgrade a Cortex XDR agent to a newer agent version, if the new agent cannot use the content version running on the endpoint, the new content update starts within one minute over P2P and within five minutes from Cortex XDR.
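The following is an added example, not Cortex XDR code, that models the download-source order described above (P2P with its two queries, then a randomly chosen Broker VM among those that are connected and caching, then the always-enabled Cortex Server). Peer and broker availability are constructed inputs that the real agent would discover on the network; broker and peer names are illustrative.

```python
"""Added example, not Cortex XDR code: a deterministic model of the download-source
fallback order (P2P, then Broker VM, then Cortex Server, which is always enabled).
Peer and broker availability are constructed inputs; names are illustrative."""
from __future__ import annotations

import random
from dataclasses import dataclass, field

DEFAULT_P2P_PORT = 33221   # documented default; UDP and TCP must be allowed on it


@dataclass
class DownloadSourceProfile:
    p2p_enabled: bool = True
    p2p_port: int = DEFAULT_P2P_PORT
    brokers: list[str] = field(default_factory=list)   # brokers selected in the profile
    # Cortex Server is always enabled and has no flag.


@dataclass
class Environment:
    peers_with_file: list[str]                      # same-subnet peers already holding the file
    p2p_port_open: bool                             # UDP+TCP reachable on the P2P port
    broker_state: dict[str, tuple[bool, bool]]      # broker -> (connected, caching configured)
    broker_has_file: set[str]                       # brokers whose cache already holds the file


def selectable_brokers(profile: DownloadSourceProfile, env: Environment) -> list[str]:
    """The console only offers brokers that are connected and have caching configured."""
    return [b for b in profile.brokers if env.broker_state.get(b) == (True, True)]


def select_source(profile: DownloadSourceProfile, env: Environment,
                  rng: random.Random | None = None) -> tuple[str, list[str]]:
    """Return (source that served the file, attempt log)."""
    rng = rng or random.Random(0)
    log: list[str] = []

    # 1. P2P: two broadcasts inside the six-hour randomization window.
    if profile.p2p_enabled:
        if not env.p2p_port_open:
            log.append(f"p2p: port {profile.p2p_port} not reachable, skipped")
        else:
            for window in ("first hour", "following five hours"):
                if env.peers_with_file:
                    peer = rng.choice(env.peers_with_file)
                    log.append(f"p2p: query in {window} served by {peer}")
                    return f"p2p:{peer}", log
                log.append(f"p2p: query in {window} got no peer response")

    # 2. Broker VM: random pick among selectable brokers for each request.
    usable = selectable_brokers(profile, env)
    if usable:
        broker = rng.choice(usable)
        if broker in env.broker_has_file:
            log.append(f"broker: {broker} served the file")
            return f"broker:{broker}", log
        log.append(f"broker: {broker} did not have the file yet")

    # 3. Cortex Server: always available as the last resort, on the next heartbeat.
    log.append("server: downloaded directly from Cortex XDR")
    return "server", log


if __name__ == "__main__":
    profile = DownloadSourceProfile(brokers=["broker-a", "broker-b"])
    env = Environment(peers_with_file=[], p2p_port_open=True,
                      broker_state={"broker-a": (True, True), "broker-b": (True, False)},
                      broker_has_file={"broker-a"})
    source, log = select_source(profile, env)
    print(source)
    print("\n".join(log))
```

The model makes the practical consequence of the P2P port requirement visible: if UDP and TCP on port 33221 (or the port you configured) are blocked between endpoints, every agent falls straight through to the broker or the server, and the bandwidth saving the setting is meant to deliver never materializes.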
- (Requires Cortex XDR agents 7.1 and later releases) Enable Network Location Configuration for your Cortex XDR agents. If you configure host firewall rules in your network, you must enable Cortex XDR to determine the network location of the device, as follows:
- Domain controller (DC) connectivity test—When Enabled, the DC test checks whether the device is connected to the internal network. If the device can reach the domain controller, it is considered inside the organization. Otherwise, if the DC test fails or returns an external domain, Cortex XDR proceeds to the DNS connectivity test.
- DNS test—In the DNS test, the Cortex XDR agent resolves a DNS name that is known only to the internal network. If the lookup returns the pre-configured internal IP address, the device is within the organization. Otherwise, if the name cannot be resolved, the device is located elsewhere. Enter the IP Address and DNS Server Name for the test.
If the Cortex XDR agent detects a network change on the endpoint, it runs the device location test again and recalculates the policy according to the new location.
- (Supported on Cortex XDR agent 7.7 or later for Linux only) Define the Agent Operation Mode.
- Select the Mode in which you want the Cortex XDR agent to run on the Linux endpoint: Kernel (default) or User Space.
- Choose whether the agent should fall back to User Space mode when Kernel mode is unavailable. By default, the User Space fallback is disabled.
- Save the changes to your profile.
- Apply the profile to a policy rule. You can do this in two ways: select Create a new policy rule using this profile from the right-click menu, or launch the new policy wizard from Policy Rules.
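The following is an added example, not Cortex XDR code, that implements the two-stage location test described above with the DC check and the DNS lookup injected as callables, so it runs offline against constructed answers. The page covers only the matching and unresolvable DNS cases; treating an answer that resolves to an address other than the configured one as external is this example's assumption, and it is the check a practitioner wants, because a captive portal or hostile resolver that answers every name would otherwise be mistaken for the corporate network. The probe name, addresses and rule-set names are illustrative.

```python
"""Added example, not Cortex XDR code: the two-stage network location test.
Stage 1: domain controller reachability. Stage 2: resolve an internal-only name
and compare the answer with the pre-configured internal IP.
Assumption beyond the page: a resolved-but-different answer counts as external."""
from __future__ import annotations

import ipaddress
from typing import Callable, Optional

INTERNAL, EXTERNAL = "internal", "external"


def determine_location(dc_test_enabled: bool,
                       dc_reachable: Callable[[], bool],
                       resolve: Callable[[str], Optional[str]],
                       dns_name: str,
                       expected_ip: str) -> tuple[str, str]:
    """Return (location, reason). DC test first when enabled, then the DNS test."""
    if dc_test_enabled and dc_reachable():
        return INTERNAL, "dc-reachable"
    answer = resolve(dns_name)
    if answer is None:
        return EXTERNAL, "dns-unresolved"
    try:
        if ipaddress.ip_address(answer) == ipaddress.ip_address(expected_ip):
            return INTERNAL, "dns-match"
    except ValueError:
        return EXTERNAL, "dns-invalid-answer"
    return EXTERNAL, "dns-mismatch"        # resolves, but not to the configured address


def policy_for(location: str) -> str:
    """Which host firewall rule set applies; the names are illustrative."""
    return "internal-rules" if location == INTERNAL else "external-rules"


class LocationTracker:
    """Re-runs the location test whenever the agent reports a network change."""

    def __init__(self, dns_name: str, expected_ip: str, dc_test_enabled: bool = True):
        self.dns_name, self.expected_ip, self.dc_test_enabled = dns_name, expected_ip, dc_test_enabled
        self.location: Optional[str] = None

    def on_network_change(self, dc_reachable, resolve) -> tuple[str, str, bool]:
        """Return (location, reason, policy_changed)."""
        location, reason = determine_location(self.dc_test_enabled, dc_reachable, resolve,
                                              self.dns_name, self.expected_ip)
        changed = location != self.location
        self.location = location
        return location, reason, changed


# Constructed resolvers standing in for real DNS answers.
def corp_dns(name: str) -> Optional[str]:
    return {"location-probe.corp.example": "10.20.30.40"}.get(name)

def hotel_dns(name: str) -> Optional[str]:
    return None                       # internal-only name does not exist outside

def hijacked_dns(name: str) -> Optional[str]:
    return "198.51.100.7"             # captive portal answering every name

if __name__ == "__main__":
    tracker = LocationTracker("location-probe.corp.example", "10.20.30.40")
    scenarios = (("office", lambda: True, corp_dns), ("vpn", lambda: False, corp_dns),
                 ("hotel", lambda: False, hotel_dns), ("captive portal", lambda: False, hijacked_dns))
    for label, dc, dns in scenarios:
        loc, why, changed = tracker.on_network_change(dc, dns)
        print(f"{label:15} {loc:8} ({why}) policy={policy_for(loc)} changed={changed}")
```

Pick a probe name that genuinely exists only on the internal resolvers; a name that public DNS can also answer defeats the test.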