Cortex XDR Agent and Content upgrades

Cortex XDR Agent Administrator Guide

Product: Cortex XDR Agent, Cortex XDR
Version: 8.5
Creation date: 2024-05-06
Last date published: 2024-12-01
Category: Administrator Guide

Abstract

Palo Alto Networks deployment recommendations for Cortex XDR agents.

With Endpoint Protection, you can use any of several available methods to keep definitions up to date on the endpoints in your organization. The information in this topic will help you select and configure these methods. Because deployment processes vary between organizations, Cortex offers the following suggestions as a baseline for deployment maintenance.

  • Use customizable Agent Settings profiles for each operating system and for different endpoint targets.

  • Configure global agent configurations that apply to all the endpoints in your network: Configure Global Settings.

  • Use a phased-in approach for the first deployment and for continuous versioning. Deploy Cortex XDR agents on a pilot batch, perform testing, and then deploy to other sets of endpoints in batches. The pilot batch should span the operating systems used in your organization (Windows/Linux/Mac/Android/iOS/Kubernetes), various versions and types (server/endpoint/Kubernetes), and business contexts (clients, databases, servers, application servers), in order to verify as wide a range of endpoints as possible.

    For example: control group 10%, low-risk endpoints 30%, medium-risk endpoints 20%, delta of high-risk endpoints 20%.

  • Use Endpoint groups and Endpoint tags to manage which endpoints have the appropriate profile.

Agent upgrade settings

Various options are offered for controlling agent upgrades per dynamic endpoint scope.

Agent Auto-Upgrade

  Options:

    • Enabled

    • Disabled (Default)

  More details:

    Upgrade Cortex XDR agents to the most recent version automatically. Agent auto-upgrade in a profile is disabled by default.

Automatic Upgrade Scope

  Options:

    • Latest agent release

    • One release before the latest one

    • Only maintenance releases

    • Only maintenance releases in a specific version

  More details:

    For One release before the latest one, Cortex XDR upgrades the agent to the release before the latest one, including its maintenance releases. Major releases are numbered X.X, such as release 8.0 or 8.2. Maintenance releases are numbered X.X.X, such as release 8.2.2.

    For Only maintenance releases in a specific version, select the required release version.

Upgrade Rollout

  Options:

    • Immediate

    • Delayed

  More details:

    For Delayed, set the delay period (number of days) to wait after the version release before upgrading endpoints. Choose a value between 7 and 45.

To control the agent auto upgrade scheduler and number of parallel upgrades in your network, configure Global Agent Settings.
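As an added illustration (not code from the guide or from Palo Alto Networks), the following Python resolves which version an agent would be offered under each Automatic Upgrade Scope option, combined with a Delayed rollout of 7 to 45 days, against a constructed release catalogue. The reading of Only maintenance releases as maintenance releases of the installed agent's own X.X line is an assumption.

```python
from datetime import date

# Constructed sample catalogue (version -> release date); illustrative only,
# not a real Cortex XDR agent release history.
RELEASES = {
    "8.0": date(2024, 1, 15),
    "8.0.1": date(2024, 2, 20),
    "8.2": date(2024, 4, 10),
    "8.2.1": date(2024, 5, 5),
    "8.2.2": date(2024, 5, 28),
    "8.3": date(2024, 6, 3),
}

def parse(version):
    return tuple(int(p) for p in version.split("."))

def major_line(version):
    """'8.2.2' -> (8, 2): the X.X line a release belongs to."""
    return parse(version)[:2]

def is_maintenance(version):
    """Maintenance releases are numbered X.X.X."""
    return len(parse(version)) == 3

def resolve_upgrade_target(installed, scope, today, delay_days=0, specific=None,
                           releases=RELEASES):
    """Return the version the agent would be upgraded to, or None if no upgrade applies."""
    if delay_days and not 7 <= delay_days <= 45:
        raise ValueError("Delayed rollout must be between 7 and 45 days")
    today = date.fromisoformat(today)
    # Delayed rollout: releases younger than delay_days are not yet eligible.
    eligible = [v for v, d in releases.items() if (today - d).days >= delay_days]
    if scope == "latest":
        candidates = eligible
    elif scope == "one_before_latest":
        lines = sorted({major_line(v) for v in eligible})
        if len(lines) < 2:
            return None
        # The previous X.X line, including its maintenance releases.
        candidates = [v for v in eligible if major_line(v) == lines[-2]]
    elif scope == "maintenance_only":   # assumption: installed agent's own X.X line
        candidates = [v for v in eligible
                      if is_maintenance(v) and major_line(v) == major_line(installed)]
    elif scope == "maintenance_in_version":
        if specific is None:
            raise ValueError("select the required release version")
        candidates = [v for v in eligible
                      if is_maintenance(v) and major_line(v) == parse(specific)[:2]]
    else:
        raise ValueError(f"unknown scope {scope!r}")
    if not candidates:
        return None
    target = max(candidates, key=parse)
    return target if parse(target) > parse(installed) else None
```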

Global agent upgrade settings

  • Applied across all auto upgrades in the system, the agent upgrade scheduler determines the number of parallel upgrades, and on which days and hours the upgrade will occur.

    Agent Upgrade Scheduler (Settings > Configurations > Agent Configurations)

  • If Agent auto upgrades are enabled for your Cortex XDR agents, you can control the automatic upgrade process in your network. To better control the rollout of a new Cortex XDR agent release in your organization, during the first week only a single batch of agents is upgraded. After that, auto-upgrades continue to be deployed across your network with the number of parallel upgrades as configured.

  • Amount of Parallel Upgrades: Set the number of parallel agent upgrades, where the maximum is 500 agents.

  • Days in week: You can schedule the upgrade task for specific days of the week and a specific time range. The minimum range is four hours.

See the Configure Global Agent Settings section in the Cortex XDR Admin Guide for full details.
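To make the scheduler rules above concrete, this added Python simulation (not the product's own logic) plans auto-upgrade batches from the constraints the guide states: at most 500 parallel upgrades, a time range of at least four hours on selected weekdays, and only a single batch during the first week after a release. It assumes that one batch of `parallel` agents is started per scheduled window and completes within it, and that the window does not cross midnight.

```python
from datetime import date, timedelta

MAX_PARALLEL = 500      # maximum number of parallel agent upgrades
MIN_WINDOW_HOURS = 4    # minimum scheduled time range
FIRST_WEEK_DAYS = 7     # first week after a release: a single batch only

def plan_upgrades(total_agents, parallel, weekdays, start_hour, end_hour, release_date):
    """Simulate the auto-upgrade scheduler; return [(iso_date, agents_upgraded), ...].

    weekdays: set of allowed days (0=Monday ... 6=Sunday).
    Assumption (not stated in the guide): one batch of `parallel` agents per
    scheduled window, finishing within that window.
    """
    if not 1 <= parallel <= MAX_PARALLEL:
        raise ValueError(f"parallel upgrades must be between 1 and {MAX_PARALLEL}")
    if end_hour - start_hour < MIN_WINDOW_HOURS:
        raise ValueError(f"time range must span at least {MIN_WINDOW_HOURS} hours")
    if not weekdays:
        raise ValueError("schedule at least one day of the week")
    release = date.fromisoformat(release_date)
    first_week_end = release + timedelta(days=FIRST_WEEK_DAYS)
    schedule, remaining, day, batches_run = [], total_agents, release, 0
    while remaining > 0:
        if day.weekday() in weekdays:
            in_first_week = day < first_week_end
            # During the first week only one batch is rolled out, whatever the windows.
            if not (in_first_week and batches_run > 0):
                n = min(parallel, remaining)
                schedule.append((day.isoformat(), n))
                remaining -= n
                batches_run += 1
        day += timedelta(days=1)
    return schedule

def rollout_end(schedule):
    """Date on which the last batch runs, or None for an empty schedule."""
    return schedule[-1][0] if schedule else None
```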

Content management

When a new content update is available, Cortex XDR notifies the Cortex XDR agent. The Cortex XDR agent then randomly chooses a time within a six-hour window during which it will retrieve the content update from Cortex XDR. By staggering the distribution of content updates, Cortex XDR reduces the bandwidth load and prevents bandwidth saturation due to the high volume and size of the content updates across many endpoints. You can view the distribution of endpoints by content update version from the dashboard.

Settings available per dynamic endpoint scope (Profiles > Agent Settings > Content Configuration):

Content Auto-update

  Options:

    • Enabled

    • Disabled

  More details:

    By default, the Cortex XDR agent always retrieves the most updated content and deploys it on the endpoint, to ensure that it is always protected with the latest security measures.

    If you disable content updates, the agent stops retrieving them from the Cortex XDR tenant and keeps working with the current content on the endpoint.

Content Rollout

  Options:

    • Immediately

    • Delayed

  More details:

    The Cortex XDR agent can retrieve content updates immediately as they become available, or after a pre-configured delay period of up to 30 days.

    When you delay content updates, the Cortex XDR agent retrieves content according to the configured delay. For example, if you configure a delay period of two days, the agent will not use any content released in the last 48 hours.

  • Global settings are available to manage the bandwidth and frequency of content updates in your network:

    Content Management (Settings > Configurations > Agent Configurations)

    • Enable bandwidth control: Palo Alto Networks enables you to control the network consumption of your Cortex XDR agents by adjusting the bandwidth allocated to them. Based on the number of agents (active or future) you want to update with content and upgrade packages, the Cortex XDR calculator recommends the amount of Mbps (megabits per second) required for a connected agent to retrieve a content update over a 24-hour period or a week. Cortex XDR supports between 20 and 10000 Mbps; you can enter one of the recommended values or a value of your own. For optimized performance and reduced bandwidth consumption, it is recommended that you install and update new agents with Cortex XDR agent 7.3 and later, which include the content package built in, for example when deploying with SCCM.

    • Enable minor content version updates: The Cortex XDR research team releases more frequent content updates between major content versions to ensure your network is constantly protected against the latest threats in the wild. Enabled by default, this setting lets the Cortex XDR agent receive minor content updates, starting with the next content release. To learn more about the minor content numbering format, refer to the About content updates topic.

It is important to leverage the key items above and to balance timely security updates against the needs of your business processes and assets while applying your deployment and versioning strategy.

Related information

For more details refer to the section Plan your agent deployment in the Cortex XDR Documentation or Cortex XSIAM Documentation.

Contact your Palo Alto Networks representative for more assistance with your specific deployment.