Activate your Network Devices

With a Cortex XDR Pro per TB license, if you use Palo Alto Networks firewalls as a traffic log source, you must activate your firewalls and Panorama. If you use Panorama to manage firewalls, you must activate your firewalls before you continue with activation of Cortex XDR. If you only use one firewall or use multiple firewalls but do not manage them using Panorama, you can activate your firewalls after you activate Cortex XDR.
  1. Register and activate your firewalls and Panorama.
  2. Upgrade firewalls and Panorama to the latest software and content releases.
    PAN-OS 8.0.6 is the minimum required software release version for Palo Alto Networks firewalls and Panorama. However, to enable Cortex XDR to leverage the Directory Sync Service and Enhanced Application Logs, upgrade firewalls and Panorama to PAN-OS 8.1.1 or later and to the latest content release:
  3. Ensure that firewalls have visibility into internal traffic and applications.
    It’s important that at least one firewall sending logs to the Cortex Data Lake is processing or has visibility into internal traffic and applications.
    If you have deployed only internet gateway firewalls, one option might be to configure a tap interface to give a firewall visibility into data center traffic even though the firewall is not in the traffic flow. Connect the tap mode interface to a data center switch SPAN or mirror port that provides the firewall with the mirrored traffic, and make sure that the firewall is enabled to log the traffic and send it to the Cortex Data Lake.
    Because data center firewalls already have visibility into internal network traffic, you don’t need to configure these firewalls in tap mode; however, contact Palo Alto Networks Professional Services for best practices to ensure that the Cortex Data Lake and Cortex XDR-required configuration updates do not affect data center firewall deployments.
  4. Configure firewalls to forward Cortex XDR-required logs to Cortex Data Lake.
    The Cortex Data Lake provides centralized, cloud-based log storage for firewalls, and Panorama provides an interface you can use to view the stored logs. The rich log data that firewalls forward to the Cortex Data Lake provides the Cortex XDR analytics engine the network visibility it requires to perform data analytics.
    To support Cortex XDR, firewalls must forward at least Traffic logs to the Cortex Data Lake. The complete set of log types that a firewall should forward to the Cortex Data Lake are:
    • Traffic (required)
    • URL Filtering
    • User-ID
    • Configuration
    • Correlation
    • HIP
    • System Logs
    • Enhanced application logs (PAN-OS 8.1.1 or later)
    Enhanced application logs are designed to increase visibility into network activity for Palo Alto Networks Cloud Services apps, and Cortex XDR requires these logs to support certain features.

Recommended For You