Set Up the Palo Alto Networks Broker Service

The Palo Alto Networks Broker Service acts as a proxy that mediates communication between the cloud-based Traps management service and Traps agents in restricted networks, where the endpoints are not connected directly to the internet. Once the communication between the Traps endpoints and the Traps management service is established through the Broker Service, the endpoints in your network are fully protected and all Traps capabilities are supported: the Traps agents collect and forward EDR data on the endpoint, receive the latest security policy from the Traps management service, and send back logs and files for analysis.
To set up the Broker Service, you deploy a broker VM on your network. After you authenticate the broker VM ID with the Traps management service token and activate the broker VM, you install Traps on your Mac, Linux, and Windows endpoints. During installation you assign the Traps agent the broker VM IP address and port through which Traps can communicate with the Traps management service.
To set up an on-prem proxy:
  1. Before you begin:
    1. Plan your deployment.
      • You can set up several broker VMs for the same tenant.
      • Each broker VM supports 10,000 Traps agents.
      • All broker VMs associated with the same Support Account are visible in the Broker VMs screen. Once you pair a broker VM with a specific tenant, that broker VM can be managed only from that tenant.
    2. Locate your Support Account auth code.
      Locate your auth code either in the confirmation email you received after you purchased Traps licenses or in the Customer Support Portal (Assets > Advanced Endpoint Protection).
    3. Assign user permissions.
      Ensure that you and any additional users have the appropriate roles in the hub. To further refine the administrative access available for your Traps management service users, Assign Roles to Traps Management Service Users.
  2. Verify your environment meets the following requirements:
    • Hardware to support the broker VM: 4-core processor, 8GB RAM, 512GB disk.
    • VM compatible with VMware ESXi 6.0 or later.
    • Enable communication between the Broker Service and other Palo Alto Networks services and apps. The broker VM must be able to reach the following FQDNs (protocol and port in parentheses):
      • apitrusted.paloaltonetworks.com (TCP port 443): PKI server used for passing a one-time password and receiving a certificate.
      • api.paloaltonetworks.com (TCP port 443): PKI server used for certificate renewal and revocation.
      • bintray-cdn.paloaltonetworks.com (TCP port 443): Server used to distribute the broker upgrade package.
      • dl.magnifier.paloaltonetworks.com (TCP port 443): Server used to distribute the broker and analytics engine upgrade package.
      • pathfinder-docker.magnifier.paloaltonetworks.com (TCP port 443): Server used to distribute the broker Docker images required by upgrade packages.
      • NTP servers (UDP port 123), default: rolex.usg.edu, ntp2.netwrx1.com, 0.north-america.pool.ntp.org. NTP server for clock synchronization. The broker VM provides default servers you can use, or you can define an NTP server of your choice. If you remove the default servers and do not specify a replacement, the broker VM uses the time of the ESX host.
      • Broker Service region of your deployment (TCP port 443), choose one: US: brokerservice-us.paloaltonetworks.com; EU: brokerservice-eu.paloaltonetworks.com.
  3. Log in to the hub to activate Traps management service. During activation you can also associate Traps management service with a Cortex Data Lake instance and Directory Sync Service instance.
  4. Download and install the broker VM.
    1. Log in to the Palo Alto Networks Customer Support Portal.
    2. Select Updates > Software Updates.
    3. Filter the results by On Prem Broker VM.
    4. Download the broker-vm-<version>.ova file.
    5. Install the OVA file on the endpoint that will act as your broker VM.
  5. Configure the network settings.
    1. Open the VM Console and select Netconfig to configure your broker VM network. Click OK.
    2. Choose your network interface.
    3. Choose either DHCP or Static.
      • If you choose DHCP, accept the configuration change and you’re done.
      • If you choose Static, you must configure your interface definitions manually.
    4. To verify the VM connectivity, return to the VM console and select Connectivity.
      If successful, you will see a list of all the hosts to which you allowed access in Step 2 above.
  6. Register your broker VM in the Traps management service.
    The registration process establishes a trusted network connection between your broker VM and the Broker Service, and involves the exchange of the VM ID and Traps unique token.
    During registration, copy and paste are disabled and you must enter the data manually.
    1. Open the broker VM console.
    2. Select Registration and click OK.
    3. Record your broker VM ID in the Registration window.
    4. Log in to Traps management service.
    5. From the gear menu, select Broker VMs and click Add.
    6. Assign a unique VM Name to your broker VM.
      You cannot have two broker VMs with the same name.
    7. Enter the VM ID.
    8. Generate and then record your registration key.
    9. Click OK and return to the VM console.
    10. Enter the registration key you generated in the previous step.
    11. Enter your account ID in the Customer ID field.
      To verify your account ID, sign in to your account on the Customer Support Portal. You can identify your account ID in the browser URL.
    12. Click OK.
      Tokens expire after five minutes. If you did not complete this step within five minutes, you have to repeat the token generation step.
      Exit the broker VM console and return to Traps management service to activate the broker VM.
  7. Activate your broker VM.
    After you’ve established a trusted connection between the Broker Service and the broker VM on your network, you must activate the broker VM.
    1. From the Traps management service gear icon, select Broker VMs and click Add.
    2. Locate your broker VM by VM Name. It will be marked as disconnected.
    3. Select Activate. If successful, the Traps Broker Status changes to connected.
  8. (Windows, Linux, and Mac endpoints only) Install Traps agents.
    Installing Traps agents on your endpoints is a two-step procedure: first you create and download agent installation packages from Traps management service; then you run the installation packages on your endpoints. During installation you must configure the IP address and port 8888 of the broker VM.
    1. From Traps management service, create an agent installation package and download it to the endpoint.
      The Broker Service is supported with Traps agent version 6.1.2 or later.
    2. Run the installation package on each endpoint according to the endpoint OS. During installation you must configure the IP address of the Broker VM and use port 8888. See the Traps Agent Administrator’s Guide for installation instructions.
    3. After you set up the Broker Service and the agents, perform a check-in test from your agents to verify they can connect and communicate with your Traps management service.
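The firewall rules that the broker VM depends on are easy to get partly wrong (a forgotten Docker image server, the wrong regional endpoint, no NTP). The following Python script is an added pre-flight check for Step 2 (egress from the broker VM) and Step 8 (the agent port); it is example code written for this page, not Palo Alto Networks code. The FQDNs, ports and default NTP servers are taken from the requirements list above; the function names, the (destination, protocol, port) allowlist format and the sample allowlist are assumptions made for the example.

```python
"""Pre-flight check of the network rules a Traps broker VM needs.

Added example, not Palo Alto Networks code. The FQDNs and ports come from
the requirements list in this procedure; everything else (function names,
the allowlist format, the sample rule set) is an assumption made here.
"""
import socket
from typing import Iterable, Set, Tuple

Rule = Tuple[str, str, int]  # (destination FQDN or IP, protocol, port)

# Egress the broker VM needs regardless of region (from the requirements list).
COMMON_EGRESS: Set[Rule] = {
    ("apitrusted.paloaltonetworks.com", "tcp", 443),
    ("api.paloaltonetworks.com", "tcp", 443),
    ("bintray-cdn.paloaltonetworks.com", "tcp", 443),
    ("dl.magnifier.paloaltonetworks.com", "tcp", 443),
    ("pathfinder-docker.magnifier.paloaltonetworks.com", "tcp", 443),
}

# Default NTP servers the broker VM ships with; pass your own if you replaced them.
DEFAULT_NTP = ("rolex.usg.edu", "ntp2.netwrx1.com", "0.north-america.pool.ntp.org")

# Broker Service endpoint per region; exactly one applies to a deployment.
REGION_ENDPOINT = {
    "us": "brokerservice-us.paloaltonetworks.com",
    "eu": "brokerservice-eu.paloaltonetworks.com",
}

# Port the Traps agents use to reach the broker VM (Step 8 of the procedure).
AGENT_PORT = 8888


def required_egress(region: str, ntp_servers: Iterable[str] = DEFAULT_NTP) -> Set[Rule]:
    """Return every outbound rule the broker VM needs for the given region."""
    try:
        endpoint = REGION_ENDPOINT[region.lower()]
    except KeyError:
        raise ValueError(f"unknown region {region!r}; choose one of {sorted(REGION_ENDPOINT)}")
    rules = set(COMMON_EGRESS)
    rules.add((endpoint, "tcp", 443))
    rules.update((ntp, "udp", 123) for ntp in ntp_servers)
    return rules


def missing_rules(allowlist: Iterable[Rule], region: str,
                  ntp_servers: Iterable[str] = DEFAULT_NTP) -> Set[Rule]:
    """Required rules that a proposed egress allowlist does not contain.

    Destination and protocol are compared case-insensitively and a trailing
    dot on the FQDN is ignored, so "API.paloaltonetworks.com." still matches.
    """
    normalised = {(d.lower().rstrip("."), p.lower(), int(port)) for d, p, port in allowlist}
    return required_egress(region, ntp_servers) - normalised


def unexpected_regions(allowlist: Iterable[Rule], region: str) -> Set[Rule]:
    """Allowlist entries that open egress to a Broker Service endpoint of another region."""
    others = {v for k, v in REGION_ENDPOINT.items() if k != region.lower()}
    return {r for r in allowlist if r[0].lower().rstrip(".") in others}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live probe: resolve the name and complete a TCP handshake (no data is sent)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def agent_check_in_reachable(broker_ip: str) -> bool:
    """Run from an endpoint before the check-in test: can it reach the broker VM on 8888?"""
    return tcp_reachable(broker_ip, AGENT_PORT)


if __name__ == "__main__":
    # Constructed sample allowlist: a first attempt that forgot the Docker image
    # server and NTP, and points at the EU endpoint although the tenant is US.
    proposed = [
        ("apitrusted.paloaltonetworks.com", "TCP", 443),
        ("api.paloaltonetworks.com", "TCP", 443),
        ("bintray-cdn.paloaltonetworks.com", "TCP", 443),
        ("dl.magnifier.paloaltonetworks.com", "TCP", 443),
        ("brokerservice-eu.paloaltonetworks.com", "TCP", 443),
    ]
    for rule in sorted(missing_rules(proposed, "us")):
        print("MISSING  %-50s %s/%d" % rule)
    for rule in sorted(unexpected_regions(proposed, "us")):
        print("EXCESS   %-50s %s/%d" % rule)
    # Live probes are meaningful only when run on the broker VM itself; UDP NTP is
    # not probed here because a UDP connect cannot confirm reachability.
    for host, proto, port in sorted(required_egress("us")):
        if proto == "tcp":
            state = "OK" if tcp_reachable(host, port) else "BLOCKED"
            print("%-8s %-50s tcp/%d" % (state, host, port))
```

Run the rule comparison anywhere (it needs no network); run the live probes on the broker VM after Step 5 and compare the result with what the console's Connectivity screen shows. A BLOCKED line for one of the TCP destinations points at a firewall or DNS problem to fix before registration.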
