Set Up Pathfinder

Pathfinder™ is a highly recommended, but optional, component that Cortex XDR™ – Analytics uses to examine network hosts, servers, and workstations for malicious or risky software. When paired with Pathfinder, the app supports all the alerts described in the Cortex XDR – Analytics Alert Reference.
To enable Pathfinder to investigate your network endpoints, you must install one or more Pathfinder virtual machines (VMs) on your network. The Pathfinder VMs use Remote Procedure Calls (RPCs) to examine endpoints, so that you don’t need to locally install kernel drivers or other software agents on each host. The steps to set up Pathfinder include deploying the Pathfinder VM and pairing Pathfinder with the app.
  1. Start by confirming that you have Everything You Need to Configure Cortex XDR, and only set up Pathfinder after you Activate Cortex XDR Apps.
    Prerequisites that are specific to a Cortex XDR – Analytics deployment with Pathfinder include:
    • Hardware to support the Pathfinder VM (2 core, 8 GB RAM, 128 GB disk). VMware is required.
    • Pathfinder requires an internal DNS server.
    • The following ports must be open to allow Pathfinder to communicate with the devices it examines: port 135, port 137, port 139, and port 445.
    • Port 443 must be open so that Pathfinder can communicate with the Cortex XDR – Analytics app.
    • Devices that Pathfinder examines must provide the following services: WMI Service, Eventlog Service, PowerShell.
  2. Download the latest Pathfinder software from the Palo Alto Networks Software Updates page and deploy the Pathfinder VMware or Hyper-V virtual machine (VM).
    If you deploy a Hyper-V VM, follow the wizard and specify generation 1. For either hypervisor, make sure the VM has at least 8 GB of startup memory, do not use dynamic memory, and connect the VM to the same subnet as Pathfinder.
  3. Ensure the Pathfinder VM clock is correctly synchronized.
    Clock synchronization is required both to pair Pathfinder with Cortex XDR – Analytics, and for proper network-to-process association (N2PA).
    By default, the Pathfinder VM performs time synchronization using pre-configured NTP servers: rolex.usg.edu, ntp2.netwrx1.com, and 0.north-america.pool.ntp.org. Follow the steps to Sync the Pathfinder Clock to specify a different NTP server than the defaults, or to enable a VMware ESX host to perform time synchronization.
  4. Open the Pathfinder VM Console.
    [Figure: Pathfinder VM console menu]
  5. Configure Pathfinder to use an internal DNS server.
    1. Select netconfig.
    2. Choose the network card that the Pathfinder VM is using to connect to your network.
    3. Choose either DHCP or Static. If you choose DHCP then your DHCP server must be configured to use an internal DNS server. In this case, accept the configuration change and you're done.
      If you choose Static, then in the Networking panel enter the IP Address, Netmask, Default gateway, and DNS server you want Pathfinder to use. Then, select OK to save your changes.
  6. Return to the top-level Pathfinder VM console screen, and select the pair menu. Record the Pathfinder VM ID (you will use this in the next step).
    [Figure: Pathfinder VM console, pair menu showing the VM ID]
  7. Generate the token you will use to pair the Pathfinder VM with the Cortex XDR – Analytics app.
    1. In the Cortex XDR – Analytics app, click on the gearbox in the upper right-hand corner of the Analyst Interface, and select Configuration.
    2. Select the Pathfinder VMs page.
    3. Enter the Pathfinder VM ID that was displayed in the Pathfinder VM console in the UUID field.
    4. Click Generate Pairing Token.
    5. Record the Pairing Token and the Cortex XDR – Analytics Tenant ID to use them in the next step.
    [Figure: Cortex XDR – Analytics app, Generate Pairing Token]
  8. Connect the Pathfinder VM to the Cortex XDR – Analytics app.
    1. Open the Pathfinder VM console and select the pair menu.
      [Figure: Pathfinder VM console, pair menu]
    2. Give the Pathfinder VM a descriptive name: Pathfinder VM Name.
    3. Enter the Pairing Token and the Cortex XDR – Analytics Tenant ID that you recorded from the Cortex XDR – Analytics app in the previous step.
    4. Click OK.
      The pairing might take a few moments, after which you’ll be prompted to continue the pairing process in the Cortex XDR – Analytics administrator interface.
  9. Authorize the Cortex XDR – Analytics app and Pathfinder VM pairing.
    1. In the Cortex XDR – Analytics app, click on the gearbox in the upper right-hand corner of the Analyst Interface, and select Configuration.
    2. Select the Pathfinder VMs page.
    3. Check that the Pathfinder VM that you just connected to the Cortex XDR – Analytics app is displayed, and Authorize the Pathfinder VM and Cortex XDR – Analytics app pairing.
      [Figure: Cortex XDR – Analytics app, authorize Pathfinder VM pairing]
    4. Wait until the Pathfinder VM status displays Connected.
      [Figure: Cortex XDR – Analytics app, Pathfinder VM status Connected]
      You can also confirm that Pathfinder is connected to Cortex XDR – Analytics by selecting connectivity in the Pathfinder VM console menu.
  10. Configure the credentials for Pathfinder to use to authenticate to the devices it examines.
    To configure these credentials locally on the Pathfinder VM, navigate to the Pathfinder Console menu, and select Credentials. Otherwise, you can configure them in the Cortex XDR – Analytics app:
    1. In the Cortex XDR – Analytics app, click on the gearbox in the upper right-hand corner of the Analyst Interface, and select Configuration.
    2. Select Pathfinder.
    3. Select Default Configuration and enter the login credentials that Pathfinder should use to access your Microsoft Windows endpoints for interrogation. You can also use this page to indicate whether you want Pathfinder to automatically scan workstations and/or servers, and whether you want N2PA enabled.
  11. Enable the Pathfinder VM to scan your network devices or limit the Pathfinder VM to scan certain network ranges or specific devices.
    It’s recommended to assign the Pathfinder VM to scan all network ranges; however, you can assign different Pathfinder VMs to scan different network ranges or in certain environments, like a lab environment, you can choose to limit Pathfinder scans to certain devices.
    1. In the Cortex XDR – Analytics app, click on the gearbox in the upper right-hand corner of the Analyst Interface, and select Configuration.
    2. Select Network Segments and, if you haven’t done so already, configure the IP ranges (network assets) that Cortex XDR – Analytics monitors.
    3. On the Network Segments page, use the final column (Assigned Pathfinder VM) for each table row to assign a Pathfinder VM to the network segment. If you do not want Pathfinder to scan a particular segment, then do not identify a Pathfinder VM for that segment's table row.
    4. (Optional) If you want to further limit Pathfinder scans to specific devices, go to the Pathfinder page and then select Per Asset Configuration. Use these settings to override the default Pathfinder configuration on a per-asset basis.
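The port prerequisites in step 1 are easy to get wrong in firewall rules, so here is a preflight check that probes them before you attempt pairing and scanning. This is an added example, not Palo Alto Networks code; the endpoint and app hostnames are placeholders passed on the command line, and the probe function is injectable so the logic can be checked without a network.

```python
"""Preflight check for the Pathfinder port prerequisites in step 1.
Run it from a host on the Pathfinder VM's subnet: it probes the endpoint-facing
ports and the outbound port to the Cortex XDR - Analytics app."""
import socket
import sys
from typing import Callable, Dict, List

# Ports the procedure requires. 135/139/445 are TCP (RPC endpoint mapper,
# NetBIOS session, SMB); 137 is UDP NetBIOS name service, which a TCP
# connect cannot probe, so it is only reported, not tested.
ENDPOINT_TCP_PORTS = (135, 139, 445)
ENDPOINT_UDP_PORTS = (137,)
APP_PORT = 443

Probe = Callable[[str, int], bool]

def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_ports(host: str, ports, probe: Probe = tcp_reachable) -> Dict[int, bool]:
    """Probe each port on host; 'probe' is injectable for offline testing."""
    return {port: probe(host, port) for port in ports}

def missing_ports(results: Dict[int, bool]) -> List[int]:
    """Ports in results that were not reachable, in ascending order."""
    return sorted(port for port, ok in results.items() if not ok)

def preflight(endpoint: str, app_host: str, probe: Probe = tcp_reachable) -> Dict[str, List[int]]:
    """Unreachable ports per target: {'endpoint': [...], 'app': [...]}.
    Empty lists for both mean the TCP port prerequisites are satisfied."""
    return {
        "endpoint": missing_ports(check_ports(endpoint, ENDPOINT_TCP_PORTS, probe)),
        "app": missing_ports(check_ports(app_host, (APP_PORT,), probe)),
    }

if __name__ == "__main__":
    # Usage: python preflight.py <windows-endpoint> <cortex-app-host>
    # (both hostnames are placeholders supplied by the operator)
    result = preflight(sys.argv[1], sys.argv[2])
    for target, ports in result.items():
        print(f"{target}: {'ok' if not ports else 'unreachable ' + str(ports)}")
    print(f"note: UDP {ENDPOINT_UDP_PORTS} not probed; verify the firewall rule manually")
    sys.exit(1 if any(result.values()) else 0)
```

A non-empty list under "endpoint" usually means a host firewall or network ACL is blocking RPC/SMB, and a non-empty "app" list means outbound 443 to the app is blocked; both must be cleared before step 8 will pair or step 11 will scan.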
