Set Up the Palo Alto Networks Broker Service

The Palo Alto Networks Broker Service acts as a proxy that mediates communication between the cloud-based Traps management service and Traps agents in restricted networks, where the endpoints are not connected directly to the internet. Once the communication between the Traps endpoints and the Traps management service is established through the Broker Service, the endpoints in your network are fully protected and all Traps capabilities are supported: the Traps agents collect and forward EDR data on the endpoint, receive the latest security policy from the Traps management service, and send back logs and files for analysis.
To set up the Broker Service, you deploy a broker VM on your network. After you authenticate the broker VM ID with the Traps management service token and activate the broker VM, you install Traps on your Mac, Linux, and Windows endpoints. During installation you assign the Traps agent the broker VM IP address and port through which Traps can communicate with Traps management service.
To set up an on-prem proxy:
  1. Before you begin:
    1. Plan your deployment.
      • You can set up several broker VMs for the same tenant.
      • Each broker VM supports 10,000 Traps agents.
      • All broker VMs associated with the same Support Account are visible in the Broker VMs screen. Once you pair a broker VM with a specific tenant, that broker VM can be managed only from that tenant.
    2. Locate your Support Account auth code.
      Locate your Auth code either in the confirmation email you received after you purchased Traps licenses or in the Customer Support Portal (
      Advanced Endpoint Protection
    3. Assign user permissions.
      Ensure that you and any additional users have the appropriate roles in the hub. To further refine the administrative access available for your Traps management service users, Assign Roles to Traps Management Service Users.
  2. Verify your environment meets the following requirements:
    • Hardware to support the broker VM: 4-core processor, 8GB RAM, 512GB disk.
    • VM compatible with VMware ESXi 6.0 or later.
    • Enable communication between the Broker Service and other Palo Alto Networks services and apps:
      Protocol and Port
      TCP port 443: PKI server used for passing a one-time password and receiving a certificate.
      TCP port 443: PKI server used for certificate renewal and revocation.
      TCP port 443: Server used to distribute the broker upgrade package.
      TCP port 443: Server used to distribute the broker and analytics engine upgrade package.
      TCP port 443: Server used to distribute the broker docker images required by upgrade packages.
      UDP port 123: NTP server for clock synchronization. The broker VM provides default servers you can use, or you can define an NTP server of your choice. If you remove the default servers and do not specify a replacement, the broker VM uses the time of the ESX host.
      TCP port 443: Broker Service region of your deployment. Choose one.
        • US:
        • EU:
  3. Log in to the hub to activate Traps management service. During activation you can also associate Traps management service with a Cortex Data Lake instance and Directory Sync Service instance.
  4. Download and install the broker VM.
    1. Log in to the Palo Alto Networks Customer Support Portal.
    2. Select Software Updates.
    3. Filter the results by On Prem Broker VM.
    4. Download
    5. Install the OVA file on the endpoint that will act as your broker VM.
  5. Configure the network settings.
    1. Open the VM Console and select
      to configure your broker VM network. Click
    2. Choose your network interface.
    3. Choose either
      • If you choose DHCP, accept the configuration change and you’re done.
      • If you choose
        , you must configure your interface definitions manually.
    4. To verify the VM connectivity, return to the VM console and select
      If successful, you will see a list of all the hosts to which you allowed access in Step 2 above.
  6. Register your broker VM in the Traps management service.
    The registration process establishes a trusted network connection between your broker VM and the Broker Service, and involves the exchange of the VM ID and Traps unique token.
    During registration, copy and paste are disabled and you must enter the data manually.
    1. Open the broker VM console.
    2. Select
      and click
    3. Record your broker VM ID in the Registration window.
    4. Log in to Traps management service.
    5. From the gear menu, select
      Broker VMs
      and click
    6. Assign a unique
      VM Name
      to your broker VM.
      You cannot have two broker VMs with the same name.
    7. Enter the
      VM ID
    8. Generate
      and then record your registration key.
    9. Click
      and return to the VM console.
    10. Enter the registration key you generated in the previous step.
    11. Enter your account ID in the Customer ID field.
      To verify your account ID, sign in to your account on the Customer Support Portal. You can identify your account ID in the browser URL.
    12. Click
      Tokens expire after five minutes. If you do not complete this step within five minutes, you must repeat the token generation step.
      Exit the broker VM console and return to Traps management service to activate the broker VM.
  7. Activate your broker VM.
    After you’ve established a trusted connection between the Broker Service and the broker VM on your network, you must activate the broker VM.
    1. From the Traps management service gear icon, select
      Broker VMs
      and click
    2. Locate your Broker VM by VM Name. It will be marked as disconnected.
    3. Activate
      . If successful, the
      Traps Broker Status
      changes to connected.
  8. (Windows, Linux, and Mac endpoints only) Install Traps agents.
    Installing Traps agents on your endpoints is a two-step procedure: first you create and download agent installation packages from Traps management service; then you run the installation packages on your endpoints. During installation you must configure the IP address and port 8888 of the Broker VM.
    1. From Traps management service, create an agent installation package and download it to the endpoint.
      The Broker Service is supported with Traps agent version 6.1.2 or later.
    2. Run the installation package on each endpoint according to the endpoint OS. During installation you must configure the IP address of the Broker VM and use port 8888. See the Traps Agent Administrator’s Guide for installation instructions.
    3. After you set up the Broker Service and the agents, perform a check-in test from your agents to verify they can connect and communicate with your Traps management service.
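The following script is an added example, not Palo Alto Networks code, that automates the two connectivity checks this procedure relies on: the broker VM's outbound reachability to the TCP 443 and UDP 123 services required in Step 2, and an endpoint's reachability of the broker VM on port 8888 before the agent check-in test in Step 8. The hostnames in the target list are constructed placeholders (the real servers come from the requirements table and the region you chose); the NTP check sends a minimal SNTP client request and only accepts a well-formed server reply, so a host that merely answers any UDP packet does not pass.

```python
"""Connectivity pre-check for a Traps Broker VM deployment (added example).

Run once on the broker VM with no arguments (outbound checks for Step 2) and
once on an endpoint with the broker VM IP as the only argument (port 8888, Step 8).
"""
import socket
import struct
import sys
import time

NTP_UNIX_OFFSET = 2208988800  # seconds between the NTP epoch (1900) and the Unix epoch (1970)

# Constructed placeholder targets; assumption: replace each host with the FQDN
# from the requirements table for your deployment. Format: (host, port, proto, purpose).
BROKER_OUTBOUND_TARGETS = [
    ("pki.example.invalid", 443, "tcp", "PKI server: one-time password and certificate"),
    ("pki-renew.example.invalid", 443, "tcp", "PKI server: certificate renewal and revocation"),
    ("updates.example.invalid", 443, "tcp", "Broker upgrade package distribution"),
    ("images.example.invalid", 443, "tcp", "Broker docker image distribution"),
    ("broker-region.example.invalid", 443, "tcp", "Broker Service region (US or EU, choose one)"),
    ("ntp.example.invalid", 123, "udp", "NTP clock synchronization"),
]


def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_sntp_transmit_time(packet):
    """Return the transmit timestamp (Unix seconds) from a 48-byte SNTP server reply, or None."""
    if len(packet) < 48:
        return None
    mode = packet[0] & 0x07  # low three bits of the first byte carry the mode
    if mode != 4:            # 4 = server reply (RFC 4330)
        return None
    secs = struct.unpack("!I", packet[40:44])[0]  # transmit timestamp, integer seconds
    return secs - NTP_UNIX_OFFSET


def check_ntp(host, port=123, timeout=3.0):
    """Send a minimal SNTP client request and return True on a well-formed server reply."""
    request = bytes([0x1B]) + bytes(47)  # LI=0, VN=3, Mode=3 (client), rest zero
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(request, (host, port))
            reply, _ = sock.recvfrom(48)
    except OSError:
        return False
    return parse_sntp_transmit_time(reply) is not None


def run_checks(targets, timeout=3.0):
    """Run every target check; return a list of (purpose, host, port, ok) records."""
    results = []
    for host, port, proto, purpose in targets:
        ok = check_ntp(host, port, timeout) if proto == "udp" else check_tcp(host, port, timeout)
        results.append((purpose, host, port, ok))
    return results


def agent_to_broker_target(broker_ip, port=8888):
    """Endpoint-side target: the Traps agent must reach the broker VM on port 8888."""
    return [(broker_ip, port, "tcp", "Traps agent to broker VM")]


def all_reachable(results):
    """True when every check in results succeeded (vacuously true for an empty list)."""
    return all(ok for *_, ok in results)


if __name__ == "__main__":
    targets = agent_to_broker_target(sys.argv[1]) if len(sys.argv) > 1 else BROKER_OUTBOUND_TARGETS
    results = run_checks(targets)
    for purpose, host, port, ok in results:
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port}  {purpose}")
    sys.exit(0 if all_reachable(results) else 1)
```

A failed TCP 443 check on the broker VM usually means an egress firewall rule is missing for that host; a failed NTP check with the default servers removed means the broker will fall back to the ESX host clock, so verify that host's time source instead. The script reports reachability only; it does not validate certificates or the registration token, which the registration step in the procedure handles.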
