Set Up the Palo Alto Networks Broker Service
The Palo Alto Networks Broker Service acts as a proxy that mediates communication between the cloud-based Traps management service and Traps agents in restricted networks, where the endpoints are not connected directly to the internet. Once the communication between the Traps endpoints and the Traps management service is established through the Broker Service, the endpoints in your network are fully protected and all Traps capabilities are supported: the Traps agents collect and forward EDR data on the endpoint, receive the latest security policy from the Traps management service, and send back logs and files for analysis.
To set up the Broker Service, you deploy a broker VM on your network. After you authenticate the broker VM ID with the Traps management service token and activate the broker VM, you install Traps on your Mac, Linux, and Windows endpoints. During installation you assign the Traps agent the broker VM IP address and port through which Traps can communicate with Traps management service.
To set up an on-prem proxy:
- Before you begin:
- Plan your deployment.
- You can set up several broker VMs for the same tenant.
- Each broker VM supports 10,000 Traps agents.
- All broker VMs associated with the same Support Account are visible in the Broker VMs screen. Once you pair a broker VM with a specific tenant, that broker VM can be managed only from that tenant.
- Locate your Support Account auth code.
- Verify your environment meets the following requirements:
- Hardware to support the broker VM: 4-core processor, 8GB RAM, 512GB disk.
- VM compatible with VMware ESXi 6.0 or later.
- Enable communication between the Broker Service and other Palo Alto Networks services and apps. Each required destination is listed below as FQDN, protocol and port, and purpose:
- apitrusted.paloaltonetworks.com, TCP port 443: PKI server used for passing a one-time password and receiving a certificate.
- api.paloaltonetworks.com, TCP port 443: PKI server used for certificate renewal and revocation.
- bintray-cdn.paloaltonetworks.com, TCP port 443: Server used to distribute the broker upgrade package.
- dl.magnifier.paloaltonetworks.com, TCP port 443: Server used to distribute the broker and analytics engine upgrade package.
- pathfinder-docker.magnifier.paloaltonetworks.com, TCP port 443: Server used to distribute the broker docker images required by upgrade packages.
- (Default) NTP servers, UDP port 123: NTP server for clock synchronization. The broker VM provides default servers you can use, or you can define an NTP server of your choice. If you remove the default servers and do not specify a replacement, the broker VM uses the time of the host ESX.
- (Region-specific FQDN), TCP port 443: Broker Service region of your deployment. Choose one.
- Log in to the hub to activate Traps management service. During activation you can also associate Traps management service with a Cortex Data Lake instance and Directory Sync Service instance.
- Download and install the broker VM.
- Log in to the Palo Alto Networks Customer Support Portal.
- Select Updates > Software Updates.
- Filter the results by On Prem Broker VM.
- Install the OVA file on the endpoint that will act as your broker VM.
- Configure the network settings.
- Open the VM Console and select Netconfig to configure your broker VM network. Click OK.
- Choose your network interface.
- Choose either DHCP or Static.
- If you choose DHCP, accept the configuration change and you’re done.
- If you choose Static, you must configure your interface definitions manually.
- To verify the VM connectivity, return to the VM console and select Connectivity.
- Register your broker VM in the Traps management service. The registration process establishes a trusted network connection between your broker VM and the Broker Service, and involves the exchange of the VM ID and Traps unique token. During registration, copy and paste are disabled and you must enter the data manually.
- Open the broker VM console.
- Select Registration and click OK.
- Record your broker VM ID in the Registration window.
- Log in to Traps management service.
- From the gear menu, select Broker VMs and click Add.
- Assign a unique VM Name to your broker VM. You cannot have two broker VMs with the same name.
- Enter the VM ID.
- Click Generate and then record your registration key.
- Click OK and return to the VM console.
- Enter the registration key you generated in the previous step.
- Enter your account ID in the Customer ID field.
- Click OK. Tokens expire after five minutes. If you did not complete this step within five minutes, you have to repeat the token generation step. Exit the broker VM console and return to Traps management service to activate the broker VM.
- Activate your broker VM. After you’ve established a trusted connection between the Broker Service and the broker VM on your network, you must activate the broker VM.
- From the Traps management service gear icon, select Broker VMs and click Add.
- Locate your Broker VM by VM Name. It will be marked as disconnected.
- Click Activate. If successful, the Traps Broker Status changes to connected.
- (Windows, Linux, and Mac endpoints only) Install Traps agents. Installing Traps agents on your endpoints is a two-step procedure: first you create and download agent installation packages from Traps management service; then you run the installation packages on your endpoints. During installation you must configure the IP address and port 8888 of the Broker VM.
- From Traps management service, create an agent installation package and download it to the endpoint.The Broker Service is supported with Traps agent version 6.1.2 or later.
- Run the installation package on each endpoint according to the endpoint OS. During installation you must configure the IP address of the Broker VM and use port 8888. See the Traps Agent Administrator’s Guide for installation instructions.
- After you set up the Broker Service and the agents, perform a check-in test from your agents to verify they can connect and communicate with your Traps management service.
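The requirements and checks in the procedure above (hardware minimums, the outbound FQDNs and ports the broker VM must reach, NTP reachability, and the agent-to-broker port 8888) can be verified before and after deployment with a small script run from a Linux host on the same restricted segment. The following is an added example, not Palo Alto Networks code or part of this page: it encodes the page's requirements as data and performs the network checks with the standard library. The NTP server name, the regional Broker Service FQDN, and the broker VM address are placeholders you must replace; the page does not list the regional FQDNs.

```python
"""Broker VM pre-flight and post-setup connectivity checks (added example, not PAN code).

Run from a Linux host in the broker VM's network segment before installing the OVA
(hardware and egress rules), and from an endpoint after agent installation (port 8888).
"""
import socket
import struct

# Hardware minimums stated in the requirements list.
MIN_CORES, MIN_RAM_GB, MIN_DISK_GB = 4, 8, 512

# Outbound destinations from the page's requirements list. The last two entries are
# placeholders: substitute your own NTP server and the regional Broker Service FQDN.
REQUIRED_EGRESS = [
    ("apitrusted.paloaltonetworks.com", 443, "tcp"),
    ("api.paloaltonetworks.com", 443, "tcp"),
    ("bintray-cdn.paloaltonetworks.com", 443, "tcp"),
    ("dl.magnifier.paloaltonetworks.com", 443, "tcp"),
    ("pathfinder-docker.magnifier.paloaltonetworks.com", 443, "tcp"),
    ("ntp.example.internal", 123, "udp"),                 # placeholder NTP server
    ("broker-region.example.invalid", 443, "tcp"),        # placeholder regional FQDN
]

# Placeholder broker VM address (TEST-NET-1); agents connect to it on TCP 8888.
BROKER_VM_ADDR = ("192.0.2.10", 8888)

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800


def hardware_shortfalls(cores, ram_gb, disk_gb):
    """Return a list of shortfalls against the minimums; an empty list means the host qualifies."""
    problems = []
    if cores < MIN_CORES:
        problems.append(f"cores {cores} < {MIN_CORES}")
    if ram_gb < MIN_RAM_GB:
        problems.append(f"RAM {ram_gb}GB < {MIN_RAM_GB}GB")
    if disk_gb < MIN_DISK_GB:
        problems.append(f"disk {disk_gb}GB < {MIN_DISK_GB}GB")
    return problems


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes (DNS, route and egress rule all work)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_ntp_mode(packet):
    """Return the 3-bit Mode field of an NTP header (4 = server reply), or None if malformed."""
    if len(packet) < 48:
        return None
    return packet[0] & 0x07


def ntp_transmit_time(packet):
    """Decode the Transmit Timestamp (bytes 40-47) into Unix epoch seconds as a float."""
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_UNIX_OFFSET + frac / 2**32


def ntp_reachable(host, port=123, timeout=3.0):
    """Send a minimal SNTP client request; UDP has no handshake, so only a reply proves reachability."""
    # Byte 0: LI=0, VN=4, Mode=3 (client) -> 0b00100011 = 0x23; remaining 47 bytes zero.
    request = b"\x23" + b"\x00" * 47
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (host, port))
            reply, _ = sock.recvfrom(48)
        except OSError:
            return False
    return parse_ntp_mode(reply) == 4


def run_checks(egress=REQUIRED_EGRESS, broker=BROKER_VM_ADDR):
    """Map each required destination to True/False; the broker entry is the post-setup check."""
    results = {}
    for host, port, proto in egress:
        ok = tcp_reachable(host, port) if proto == "tcp" else ntp_reachable(host, port)
        results[f"{proto}://{host}:{port}"] = ok
    results[f"agents -> broker tcp://{broker[0]}:{broker[1]}"] = tcp_reachable(*broker)
    return results


if __name__ == "__main__":
    for label, ok in run_checks().items():
        print(f"{'PASS' if ok else 'FAIL'}  {label}")
```

The NTP check matters beyond time display: the PKI servers on TCP 443 issue and renew the broker's certificate, and a VM with a badly skewed clock will fail certificate validation even when every firewall rule is correct, so a failing UDP 123 check is worth fixing before registration rather than after.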