Configure Firewalls and Panorama to Support Cortex XDR – Analytics

Follow these required steps to configure Palo Alto Networks firewalls and Panorama to support Cortex XDR – Analytics:

Upgrade Firewalls and Panorama to the Latest Software and Content Releases

PAN-OS 8.0.5 is the minimum required software release version for Palo Alto Networks firewalls and Panorama. However, to enable Cortex XDR – Analytics to leverage the Directory Sync Service and Enhanced Application Logs, upgrade firewalls and Panorama to PAN-OS 8.1.1 or later and to the latest content release:

Ensure Firewalls Have Visibility Into Internal Traffic and Applications

It’s important that at least one firewall sending logs to the Cortex Data Lake is processing or has visibility into internal traffic and applications.
If you have deployed only internet gateway firewalls, one option might be to configure a tap interface to give a firewall visibility into data center traffic even though the firewall is not in the traffic flow. Connect the tap mode interface to a data center switch SPAN or mirror port that provides the firewall with the mirrored traffic, and make sure that the firewall is enabled to log the traffic and send it to the Cortex Data Lake (Configure Firewalls to Forward Cortex XDR – Analytics-Required Logs to the Cortex Data Lake).
Because data center firewalls already have visibility into internal network traffic, you don’t need to configure these firewalls in tap mode; however, contact Palo Alto Networks Professional Services for best practices to ensure that the Cortex Data Lake and Cortex XDR – Analytics-required configuration updates do not affect data center firewall deployments.

Configure Firewalls to Forward Cortex XDR – Analytics-Required Logs to Cortex Data Lake

The Cortex Data Lake provides centralized, cloud-based log storage for firewalls, and Panorama provides an interface you can use to view the stored logs. The rich log data that firewalls forward to the Cortex Data Lake gives Cortex XDR – Analytics the network visibility it requires to perform data analytics.
To support Cortex XDR – Analytics, firewalls must forward at least Traffic logs to the Cortex Data Lake. The complete set of log types that a firewall should forward to the Cortex Data Lake are:
  • Traffic (required)
  • URL Filtering
  • User-ID
  • Configuration
  • Correlation
  • HIP
  • System Logs
  • Enhanced application logs (PAN-0S 8.1.1 or later)
Enhanced application logs are designed to increase visibility into network activity for Palo Alto Networks Cloud Services apps, and Cortex XDR – Analytics requires these logs to support certain features.

Verify your Firewall and Panorama Configuration

Make sure your firewalls are forwarding the required logs to the Cortex Data Lake:
  • Verify that the firewall logs are being forwarded to the Cortex Data Lake.
    1. From Panorama, select MonitorLogs and select a log type to view.
    2. To verify that the logs you are seeing are from the Cortex Data Lake, run the following CLI command on the firewall:
      > show logging-status
      -----------------------------------------------------------------------------------------------------------------------------
            Type      Last Log Created        Last Log Fwded       Last Seq Num Fwded  Last Seq Num Acked         Total Logs Fwded
      -----------------------------------------------------------------------------------------------------------------------------
      > CMS 0
              Not Sending to CMS 0
      > CMS 1
              Not Sending to CMS 1
      
      >Log Collection Service
      'Log Collection log forwarding agent' is active and connected to xx.xxx.xxx.xx
      
          config   2017/07/26 16:33:20   2017/07/26 16:34:09                      323                 321                        2
          system   2017/07/31 12:23:10   2017/07/31 12:23:18                 13634645            13634637                    84831
          threat   2014/12/01 14:47:52   2017/07/26 16:34:24                557404252           557404169                       93
         traffic   2017/07/28 18:03:39   2017/07/28 18:03:50               3619306590          3619306590                     1740
        hipmatch         Not Available         Not Available                        0                   0                        0
      gtp-tunnel         Not Available         Not Available                        0                   0                        0
          userid         Not Available         Not Available                        0                   0                        0
            auth         Not Available         Not Available                        0                   0                        0
                
      Look for the ‘Log collection log forwarding agent’ is active and connected to <IP_address> line. You can also see that CMS 0 and CMS (the Log Collectors) are not receiving logs.
  • Use the ACC on Panorama and firewalls to monitor network activity. Check for applications like SMBv2, ms-rdp, DNS, and Kerberos to verify that the firewalls have visibility into internal network traffic.
    You can also use MonitorManage Custom Reports and generate Run Now reports on summary logs. You cannot generate scheduled reports or generate reports on detailed logs stored on the Cortex Data Lake.

Related Documentation