Enable Access to Cortex XDR

To complete your Cortex XDR setup, you must enable access to Cortex XDR services.
After you receive your account details, enable and verify access to Cortex XDR.
Some of the IP addresses required for access are registered in the United States. As a result, some GeoIP databases do not correctly pinpoint the location in which IP addresses are used. In regard to customer data, Cortex Data Lake stores all data in your deployment region, either EU or US, regardless of the IP address registration and restricts data transmission through any infrastructure to that region.
Throughout this topic, <xdr-tenant> refers to the chosen subdomain of your Cortex XDR tenant and <region> is the region in which your Cortex Data Lake is deployed, either us or eu.
Some steps also require you to know your Cortex Data Lake tenant ID (<cortex-data-lake-tenant-ID>). To identify the ID of your Cortex Data Lake tenant:
Cortex XDR management console:
  1. Log in to the Cortex XDR management console.
  2. From your username, select About.
  3. Under Server Version, locate your Cortex Data Lake Tenant ID.
Traps management service:
  1. Log in to the Cortex XDR management console.
  2. From your username, select About.
  3. Under Traps Management Service, locate your Cortex Data Lake Tenant ID.
  1. (Optional) If you are deploying the broker VM as a proxy between Cortex XDR and the Cortex XDR agents, start by enabling the communication between them.
  2. In your firewall configuration, enable access to Cortex XDR communication servers and storage buckets.
    With Palo Alto Networks firewalls, we recommend that you use the following App-IDs to allow communication between Cortex XDR agents and the Cortex XDR management console when you configure your security policy:
    • cortex-xdr—Used for communication between the XDR console and the information stored in Google Cloud Platform. Requires PAN-OS Applications and Threats content update version 8279 or a later release.
    • traps-management-service—Used for communication between Cortex XDR agents and the Cortex XDR management console. Requires PAN-OS Applications and Threats content update version 793 or a later release.
    If you do not use Palo Alto Networks firewalls, ensure that you configure your firewall policy to enable communication with the FQDNs in the following table.
    | FQDN | App-ID Coverage |
    | --- | --- |
    | distributions.traps.paloaltonetworks.com | traps-management-service |
    | dc-<xdr-tenant>.traps.paloaltonetworks.com | traps-management-service |
    | ch-<xdr-tenant>.traps.paloaltonetworks.com | traps-management-service |
    | cc-<xdr-tenant>.traps.paloaltonetworks.com | traps-management-service |
    | contentprod.traps.paloaltonetworks.com | traps-management-service |
    | wss://lrc-<region>.paloaltonetworks.com | cortex-xdr |
    | panw-xdr-installers-prod-us.storage.googleapis.com (this storage bucket is used for all regions) | cortex-xdr |
    | panw-xdr-payloads-prod-us.storage.googleapis.com (this storage bucket is used for all regions) | cortex-xdr |
    | global-content-profiles-policy.storage.googleapis.com | cortex-xdr |
    | panw-xdr-evr-prod-<region>.storage.googleapis.com | cortex-xdr |
  3. To establish secure (TLS) communication with Cortex XDR, the endpoints and any other devices that initiate a TLS connection with Cortex must have the following certificates installed on the operating system:
    • GoDaddy Root Certificate Authority - G2 (GoDaddy)
      SHA1 Fingerprint—47 BE AB C9 22 EA E8 0E 78 78 34 62 A7 9F 45 C2 54 FD E6 8B
      SHA256 Fingerprint—45 14 0B 32 47 EB 9C C8 C5 B4 F0 D7 B5 30 91 F7 32 92 08 9E 6E 5A 63 E2 74 9D D3 AC A9 19 8E DA
    • GlobalSign (Google)
      SHA1 Fingerprint—75 E0 AB B6 13 85 12 27 1C 04 F8 5F DD DE 38 E4 B7 24 2E FE
      SHA256 Fingerprint—CA 42 DD 41 74 5F D0 B8 1E B9 02 36 2C F9 D8 BF 71 9D A1 BD 1B 1E FC 94 6F 5B 4C 99 F4 2C 1B 9E
  4. If you use SSL decryption, we recommend that you do not decrypt Cortex XDR services.
    To exclude Cortex XDR services from decryption, add the following domains to your SSL Decryption Exclusion list, where <region> is your deployment region, either us or eu:
    • *.traps.paloaltonetworks.com
    • *.xdr.<region>.paloaltonetworks.com
    • panw-xdr-evr-prod-<region>.storage.googleapis.com
    • panw-xdr-installers-prod-us.storage.googleapis.com
    • panw-xdr-payloads-prod-us.storage.googleapis.com
    • global-content-profiles-policy.storage.googleapis.com
    In PAN-OS 8.0 and later releases, you can configure the list in Device > Certificate Management > SSL Decryption Exclusion.
  5. (Windows only) Enable access for Windows CRL checks.
    (Endpoints running the following or later releases: Traps 6.0.3, Traps 6.1.1, and Cortex XDR 7.0) When the Cortex XDR agent examines portable executables (PEs) running on the endpoint as part of the enforced Malware Security Profile, the agent performs a certificate revocation (CRL) check. The CRL check ensures that the certificate used to sign a given PE is still considered valid by its Certificate Authority (CA) and has not been revoked. To validate the certificate, the Cortex XDR agent leverages Microsoft Windows APIs and triggers the operating system to fetch the specific Certificate Revocation List (CRL) from the internet. To complete the certificate revocation check, the endpoint needs HTTP access to a dynamic list of URLs, determined by the PEs that are executed or scanned on the endpoint.
    • If a system-wide proxy is defined for the endpoint (statically or using a PAC file), Microsoft Windows downloads the CRL lists through the proxy.
    • If a specific proxy is defined for the Cortex XDR agent only, and the endpoint has no access to the internet over HTTP, Microsoft Windows fails to download the CRL lists. As a result, the certificate revocation check fails and the agent considers the certificate valid, while the failed check adds latency to the execution of PEs. If the Cortex XDR agent is running in an isolated environment that prevents certificate revocation checks from completing, the Palo Alto Networks Support team can provide a configuration file that disables the revocation checks and avoids the unnecessary latency in PE execution time.
  6. (Windows only) Enable serverless peer-to-peer (P2P) content updates.
    By default, the Cortex XDR agent retrieves content updates from its peer Cortex XDR agents on the same subnet. To enable P2P, you must allow UDP and TCP over port 33221. You can change the port number, or choose to download the content directly from the Cortex XDR server, in the Agent Settings profile.
  7. Verify that you can access your Cortex XDR tenant.
    After you download and install the Cortex XDR agent software on your endpoints and configure your endpoint security policy, verify that the Cortex XDR agents can check in with Cortex XDR to receive the endpoint policy.
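A pre-flight check for steps 2, 3, 4 and 7 above, added here as an example and not Palo Alto Networks code: it expands the FQDN table for a given <xdr-tenant> and <region>, reports which of the two listed root certificates are missing from the OS trust store (matched by SHA256 fingerprint), and performs a TLS handshake to each FQDN so that an unexpected issuer (your own decrypting CA) stands out. The tenant name and the assumption that every listed FQDN, including the wss:// one, is reached over TCP port 443 are mine; it does not verify App-IDs or the P2P port.

```python
import hashlib
import socket
import ssl

# FQDN templates from the table in step 2; {t} is <xdr-tenant>, {r} is <region> (us or eu).
FQDN_TEMPLATES = [
    "distributions.traps.paloaltonetworks.com",
    "dc-{t}.traps.paloaltonetworks.com",
    "ch-{t}.traps.paloaltonetworks.com",
    "cc-{t}.traps.paloaltonetworks.com",
    "contentprod.traps.paloaltonetworks.com",
    "lrc-{r}.paloaltonetworks.com",  # listed as wss://; assumed to be TLS on port 443
    "panw-xdr-installers-prod-us.storage.googleapis.com",
    "panw-xdr-payloads-prod-us.storage.googleapis.com",
    "global-content-profiles-policy.storage.googleapis.com",
    "panw-xdr-evr-prod-{r}.storage.googleapis.com",
]

# SHA256 fingerprints of the two root certificates in step 3, copied as printed there.
REQUIRED_ROOTS = {
    "GoDaddy Root Certificate Authority - G2": "45 14 0B 32 47 EB 9C C8 C5 B4 F0 D7 B5 30 91 F7 32 92 08 9E 6E 5A 63 E2 74 9D D3 AC A9 19 8E DA",
    "GlobalSign": "CA 42 DD 41 74 5F D0 B8 1E B9 02 36 2C F9 D8 BF 71 9D A1 BD 1B 1E FC 94 6F 5B 4C 99 F4 2C 1B 9E",
}

def expand_fqdns(tenant, region):
    """Fill in the placeholders for one tenant; rejects regions the page does not list."""
    if region not in ("us", "eu"):
        raise ValueError("region must be 'us' or 'eu'")
    return [tpl.format(t=tenant, r=region) for tpl in FQDN_TEMPLATES]

def fingerprint(der_cert):
    """SHA256 fingerprint of a DER-encoded certificate as upper-case hex without spaces."""
    return hashlib.sha256(der_cert).hexdigest().upper()

def missing_roots(der_certs=None, required=REQUIRED_ROOTS):
    """Required roots absent from der_certs (default: OS store; a capath dir may look empty until used)."""
    if der_certs is None:
        der_certs = ssl.create_default_context().get_ca_certs(binary_form=True)
    present = {fingerprint(der) for der in der_certs}
    return [name for name, fp in required.items() if fp.replace(" ", "") not in present]

def probe_tls(fqdn, timeout=5.0):
    """TLS handshake to fqdn:443 with OS trust; an issuer that is your own CA means step 4 is not in effect."""
    try:
        with socket.create_connection((fqdn, 443), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=fqdn) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, f"{tls.version()} issuer={issuer.get('organizationName')}"
    except OSError as exc:  # ssl.SSLError and socket timeouts are OSError subclasses
        return False, str(exc)
```

Run `probe_tls(f)` for each `f in expand_fqdns("<xdr-tenant>", "<region>")` from the same network segment as the endpoints; a verification failure on every FQDN usually points at the root certificates from step 3, a failure on a single FQDN at the firewall policy from step 2.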