Enable Access to Cortex XDR

Created On 12/30/19 08:55 AM - Last Modified 01/17/20 07:44 AM


Objective
How to configure the firewall to work with Cortex XDR.

Environment
Cortex XDR 

Procedure

After you receive your account details, enable and verify access to Cortex XDR.

STEP 1 | To establish secure communication (TLS) to Cortex XDR, the endpoints, or other devices that initiate a TLS connection with Cortex, must trust the following root CA certificates:
    • Go Daddy Secure Certificate Authority - G2
    • Baltimore CyberTrust Root

STEP 2 | If you use SSL decryption, we recommend that you do not decrypt Cortex XDR services. To exclude Cortex XDR services from decryption, add *.traps.paloaltonetworks.com and either *.xdr.us.paloaltonetworks.com or *.xdr.eu.paloaltonetworks.com (depending on your region) to your SSL Decryption Exclusion list. In PAN-OS 8.0 and later releases, you can configure the list in Device > Certificate Management > SSL Decryption Exclusion.

STEP 3 | In your firewall configuration, enable access to Cortex XDR communication servers.
    • Enable access to the following addresses over port 443, where <tenant> is your chosen subdomain and <region> is your deployment region, either us or eu:
        • <tenant>.xdr.<region>.paloaltonetworks.com—Used to access your tenant of Cortex XDR.
        • distributions.traps.paloaltonetworks.com—Used for provisioning Cortex XDR agents for the first time to obtain the agent provisioning URL for the tenant.
        • dc-<tenant>.traps.paloaltonetworks.com—Used for EDR data collection between the Cortex XDR agent and Cortex XDR.
        • ch-<tenant>.traps.paloaltonetworks.com—Used for communication between the Cortex XDR agent and the preferred Cortex XDR for the home region.
        • cc-<tenant>.traps.paloaltonetworks.com—Used for communication between roaming Cortex XDR agents and Cortex XDR.
        • contentprod.traps.paloaltonetworks.com—(Existing Traps management service customers migrating to Cortex XDR) Used to host content updates.
    • To allow Cortex XDR agents to access Palo Alto Networks GCS buckets in GCP, enable access to: https://storage.googleapis.com
    • To allow Live Terminal communication between Cortex XDR agents and Cortex XDR, enable access to: wss://lrc-<region>.paloaltonetworks.com, where <region> is your deployment region, either us or eu.


STEP 4 | Verify that you can access your Cortex XDR tenant. After you download and install the Cortex XDR agent software on your endpoints and configure your endpoint security policy, verify that the Cortex XDR agents can check in with Cortex XDR to receive the endpoint policy.
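
A pre-check for Steps 1 to 3 that can be run from an endpoint before agents are deployed (an added example, not Palo Alto Networks code): it builds the Step 3 host list, attempts a verified TLS handshake to each on port 443, and reports the certificate issuer so that a firewall still decrypting the traffic shows up as an unexpected issuer. It assumes the OS trust store stands in for what the endpoint trusts; the function names and the tenant value passed on the command line are illustrative.

```python
import socket
import ssl
import sys

def required_endpoints(tenant, region, migrating_from_traps=False):
    """Hosts from Step 3 that must be reachable on TCP 443."""
    if region not in ("us", "eu"):
        raise ValueError("region must be 'us' or 'eu'")
    hosts = [
        f"{tenant}.xdr.{region}.paloaltonetworks.com",   # tenant console
        "distributions.traps.paloaltonetworks.com",      # first-time provisioning
        f"dc-{tenant}.traps.paloaltonetworks.com",       # EDR data collection
        f"ch-{tenant}.traps.paloaltonetworks.com",       # home-region agents
        f"cc-{tenant}.traps.paloaltonetworks.com",       # roaming agents
        "storage.googleapis.com",                        # GCS buckets
        f"lrc-{region}.paloaltonetworks.com",            # Live Terminal (wss)
    ]
    if migrating_from_traps:                             # content updates
        hosts.append("contentprod.traps.paloaltonetworks.com")
    return hosts

def issuer_org(cert):
    """Return the issuer organizationName from ssl getpeercert() output."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def check(host, port=443, timeout=5.0):
    """Return (status, detail); status is 'ok', 'tls-error' or 'blocked'."""
    ctx = ssl.create_default_context()  # OS trust store, hostname verified
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", issuer_org(tls.getpeercert())
    except ssl.SSLError as exc:   # untrusted chain (Step 1) or interception (Step 2)
        return "tls-error", str(exc)
    except OSError as exc:        # DNS failure, reset or timeout (Step 3)
        return "blocked", str(exc)

if __name__ == "__main__":
    tenant, region = sys.argv[1], sys.argv[2]
    for host in required_endpoints(tenant, region):
        status, detail = check(host)
        print(f"{status:9} {host}  issuer/detail: {detail}")
```

An "ok" row whose issuer is your own forward-trust CA means the session is still being decrypted and the Step 2 exclusion is not in effect for that host.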

