Set Up Pathfinder

Pathfinder™ is a highly recommended, but optional, component that Cortex XDR™ uses to examine network hosts, servers, and workstations for malicious or risky software. When paired with Pathfinder, Cortex XDR supports all the Analytics alerts described in the Cortex XDR Analytics Alert Reference.
To enable Pathfinder to investigate your network endpoints, you must install one or more Pathfinder virtual machines (VMs) on your network. The Pathfinder VMs use Remote Procedure Calls (RPCs) to examine endpoints, so that you don’t need to locally install kernel drivers or other software agents on each host. The steps to set up Pathfinder include deploying the Pathfinder VM and pairing Pathfinder with the app.
  1. Start by confirming that you have Everything You Need to Configure Cortex XDR, and only set up Pathfinder after you Activate Cortex XDR.
    Prerequisites that are specific to a Cortex XDR deployment with Pathfinder include:
    • Hardware to support the Pathfinder VM (2 core, 8 GB RAM, 128 GB disk). VMware is required.
    • Pathfinder requires an internal DNS server.
    • The following ports must be open to allow Pathfinder to communicate with the devices it examines: port 135, port 137, port 139, and port 445.
    • Port 443 must be open so that Pathfinder can communicate with the Cortex XDR app.
    • Devices that Pathfinder examines must provide the following services: WMI Service, Eventlog Service, PowerShell.
  2. Download the latest Pathfinder software from the Palo Alto Networks Software Updates page and deploy the Pathfinder VMware or Hyper-V virtual machine (VM).
    If you deploy a Hyper-V VM, follow the wizard and specify generation 1. For both virtual machines, make sure the VM has at least 8 GB of startup memory. Do not use dynamic memory, and select the same subnet connection as Pathfinder.
  3. Ensure the Pathfinder VM clock is correctly synchronized.
    Clock synchronization is required both to pair Pathfinder with Cortex XDR, and for proper network-to-process association (N2PA).
    By default, the Pathfinder VM performs time synchronization using pre-configured NTP servers: rolex.usg.edu, ntp2.netwrx1.com, and 0.north-america.pool.ntp.org. Follow the steps to Sync the Pathfinder Clock to specify a different NTP server than the defaults, or to enable a VMware ESX host to perform time synchronization.
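    The clock check in this step can be confirmed independently of the console. The following script is an added example written for this page; it is not Pathfinder's own code or anything shipped by Palo Alto Networks. It sends an SNTP request to each of the default NTP servers named above, parses the reply, and computes the local clock offset using the RFC 4330 formula, so you can see how far the VM's clock is from the time source before pairing. The 5-second skew threshold and the make_sample_response helper (which builds a constructed server reply for an offline self-test) are assumptions of this example, not values from the page.

```python
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
# Default servers named in the Pathfinder setup steps above.
DEFAULT_SERVERS = ("rolex.usg.edu", "ntp2.netwrx1.com", "0.north-america.pool.ntp.org")
# Assumed threshold for this example; the page states no numeric limit.
MAX_SKEW_SECONDS = 5.0


def build_sntp_request():
    """48-byte SNTP client request: LI=0, VN=4, Mode=3, everything else zero."""
    return b"\x23" + b"\x00" * 47


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32-bit seconds + 32-bit fraction) to Unix time."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def parse_sntp_response(data):
    """Return stratum, receive and transmit timestamps from a server reply."""
    if len(data) < 48:
        raise ValueError("short SNTP packet")
    words = struct.unpack("!12I", data[:48])
    first_byte = words[0] >> 24
    mode = first_byte & 0x7
    stratum = (words[0] >> 16) & 0xFF
    if mode != 4:
        raise ValueError(f"unexpected mode {mode}; expected 4 (server)")
    if stratum == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronised server")
    return {
        "stratum": stratum,
        "receive": ntp_to_unix(words[8], words[9]),    # T2: server received request
        "transmit": ntp_to_unix(words[10], words[11]), # T3: server sent reply
    }


def compute_offset(t1, t2, t3, t4):
    """RFC 4330 offset of the local clock relative to the server (positive = local is behind)."""
    return ((t2 - t1) + (t3 - t4)) / 2


def query_sntp(server, timeout=3.0):
    """Query one server over UDP/123 and return the measured clock offset in seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()  # T1: request sent (local clock)
        sock.sendto(build_sntp_request(), (server, 123))
        data, _ = sock.recvfrom(512)
        t4 = time.time()  # T4: reply received (local clock)
    reply = parse_sntp_response(data)
    return compute_offset(t1, reply["receive"], reply["transmit"], t4)


def check_clock(servers=DEFAULT_SERVERS):
    """Map each server to its offset, or to the exception raised while querying it."""
    results = {}
    for server in servers:
        try:
            results[server] = query_sntp(server)
        except (OSError, ValueError) as exc:
            results[server] = exc
    return results


def make_sample_response(stratum, receive_unix, transmit_unix):
    """Constructed server reply (mode 4) used only for offline testing of the parser."""
    def to_ntp(t):
        whole = int(t)
        return whole + NTP_EPOCH_OFFSET, int((t - whole) * 2**32)
    r_sec, r_frac = to_ntp(receive_unix)
    t_sec, t_frac = to_ntp(transmit_unix)
    header = bytes([0x24, stratum, 0, 0])  # LI=0 VN=4 Mode=4, stratum, poll, precision
    # 28 zero bytes cover root delay, root dispersion, reference id, reference and origin timestamps.
    return header + b"\x00" * 28 + struct.pack("!4I", r_sec, r_frac, t_sec, t_frac)


if __name__ == "__main__":
    for server, result in check_clock().items():
        if isinstance(result, Exception):
            print(f"{server}: FAIL ({result})")
        else:
            status = "OK" if abs(result) <= MAX_SKEW_SECONDS else "SKEW"
            print(f"{server}: offset {result:+.3f}s {status}")
```

Run it on the Pathfinder VM (or any host with outbound UDP/123) after configuring DNS, since the server names must resolve first; a consistent offset above the threshold across all three servers means the VM clock, not the network path, is the problem.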
  4. Open the Pathfinder VM Console.
  5. Configure Pathfinder to use an internal DNS server.
    1. Select netconfig.
    2. Choose the network card that the Pathfinder VM is using to connect to your network.
    3. Choose either DHCP or Static. If you choose DHCP, then your DHCP server must be configured to use an internal DNS server. In this case, accept the configuration change and you're done.
      If you choose Static, then in the Networking panel enter the IP Address, Netmask, Default gateway, and DNS server you want Pathfinder to use. Then, select OK to save your changes.
  6. Return to the top-level Pathfinder VM console screen, and select the pair menu. Record the Pathfinder VM ID (you will use this in the next step).
  7. Generate the token you will use to pair the Pathfinder VM with the Cortex XDR app.
    1. In Cortex XDR, click the gear icon and select Analytics Management > Configuration.
    2. Select the Pathfinder VMs page.
    3. Enter the Pathfinder VM ID that was displayed in the Pathfinder VM console in the UUID field.
    4. Click Generate Pairing Token.
    5. Record the Pairing Token and the tenant ID to use them in the next step.
  8. Connect the Pathfinder VM to the Cortex XDR app.
    1. Open the Pathfinder VM console and select the pair menu.
    2. Give the Pathfinder VM a descriptive name in the Pathfinder VM Name field.
    3. Enter the Pairing Token and the tenant ID that you recorded from the Cortex XDR app in the last step.
    4. Click OK.
      The pairing might take a few moments, after which you’ll be prompted to continue the pairing process in the Cortex XDR app.
  9. Authorize the Cortex XDR app and Pathfinder VM pairing.
    1. In the Cortex XDR app, click the gear icon and select Analytics Management > Configuration.
    2. Select the Pathfinder VMs page.
    3. Check that the Pathfinder VM that you just connected to the Cortex XDR app is displayed, and Authorize the Pathfinder VM and Cortex XDR app pairing.
    4. Wait until the Pathfinder VM status displays Connected.
      You can confirm that Pathfinder is connected to Cortex XDR by selecting connectivity from the Pathfinder VM console.
  10. Configure the credentials for Pathfinder to use to authenticate to the devices it examines.
    To configure these credentials locally on the Pathfinder VM, navigate to the Pathfinder Console menu and select Credentials. Otherwise, you can configure them in the Cortex XDR app:
    1. In the Cortex XDR app, click the gear icon and select Analytics Management > Configuration.
    2. Select Pathfinder.
    3. Select Default Configuration and enter the login credentials that Pathfinder should use to access your Microsoft Windows endpoints for interrogation. You can also use this page to indicate whether you want Pathfinder to automatically scan workstations and/or servers, and whether you want N2PA enabled.
  11. Enable the Pathfinder VM to scan your network devices or limit the Pathfinder VM to scan certain network ranges or specific devices.
    It’s recommended to assign the Pathfinder VM to scan all network ranges. However, you can assign different Pathfinder VMs to scan different network ranges, or, in certain environments such as a lab, limit Pathfinder scans to certain devices.
    1. In the Cortex XDR app, click the gear icon and select Analytics Management > Configuration.
    2. Select Network Segments and, if you haven’t done so already, configure the IP ranges (network assets) that Cortex XDR monitors.
    3. On the Network Segments page, use the final column (Assigned Pathfinder VM) for each table row to assign a Pathfinder VM to the network segment. If you do not want Pathfinder to scan a particular segment, then do not identify a Pathfinder VM for that segment's table row.
    4. (Optional) If you want to further limit Pathfinder scans to specific devices, go to the Pathfinder page and then select Per Asset Configuration. Use these settings to override the default Pathfinder configuration on a per-asset basis.
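    Once segments and per-asset overrides are in place, it is worth auditing the assignment table before relying on it, because a segment left without an Assigned Pathfinder VM is silently never scanned. The following script is an added example written for this page, not Cortex XDR code and not an export format the product provides: it takes a constructed list of segments with their assigned VMs and a constructed per-asset override map, lists unassigned segments for review, flags overlapping segments assigned to different VMs, and resolves which VM would examine a given host. The resolution order it uses (per-asset override first, then the most specific matching segment) is an assumption of this example, not documented product behaviour.

```python
import ipaddress

# Constructed sample data standing in for the Network Segments page:
# (CIDR, Assigned Pathfinder VM); None means no VM was identified for the row.
SEGMENTS = [
    ("10.10.0.0/16", "pathfinder-hq"),
    ("10.10.50.0/24", "pathfinder-lab"),   # lab range nested inside 10.10.0.0/16
    ("10.20.0.0/16", None),                # deliberately left unassigned
    ("192.168.100.0/24", "pathfinder-hq"),
]

# Constructed stand-in for Per Asset Configuration overrides, keyed by host address.
PER_ASSET = {
    "10.10.50.7": {"scan": False},        # one lab host excluded from scanning
}


def parse_segments(segments):
    """Validate each CIDR (strict: host bits must be zero) and keep its assigned VM."""
    return [(ipaddress.ip_network(cidr, strict=True), vm) for cidr, vm in segments]


def unassigned_segments(segments):
    """Segments with no Pathfinder VM. These are never scanned; confirm that is intended."""
    return [str(net) for net, vm in parse_segments(segments) if vm is None]


def overlapping_segments(segments):
    """Pairs of overlapping segments assigned to different VMs (ambiguous coverage)."""
    nets = parse_segments(segments)
    conflicts = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            (net_a, vm_a), (net_b, vm_b) = nets[i], nets[j]
            if net_a.overlaps(net_b) and vm_a != vm_b:
                conflicts.append((str(net_a), vm_a, str(net_b), vm_b))
    return conflicts


def resolve_scanner(host, segments, per_asset):
    """Return the VM that would examine host, or None if it would not be scanned.

    Assumed resolution order (not from the page): a per-asset override disabling the
    scan wins; otherwise the most specific (longest prefix) matching segment decides.
    """
    override = per_asset.get(host)
    if override is not None and override.get("scan") is False:
        return None
    addr = ipaddress.ip_address(host)
    matches = [(net, vm) for net, vm in parse_segments(segments) if addr in net]
    if not matches:
        return None
    _, vm = max(matches, key=lambda item: item[0].prefixlen)
    return vm


if __name__ == "__main__":
    print("Unassigned (never scanned):", unassigned_segments(SEGMENTS))
    for net_a, vm_a, net_b, vm_b in overlapping_segments(SEGMENTS):
        print(f"Overlap: {net_a} ({vm_a}) and {net_b} ({vm_b})")
    for host in ("10.10.1.1", "10.10.50.7", "10.10.50.8", "10.20.3.3", "172.16.0.1"):
        print(f"{host} -> {resolve_scanner(host, SEGMENTS, PER_ASSET)}")
```

Feed it the segment table from your own tenant (transcribed into the same tuple shape) to get a list of ranges that will not be examined; each one should either be an intentional exclusion or a row that still needs a Pathfinder VM assigned.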
