Get started with Cortex Network Scanner - Set up Cortex Network Scanner for the first time. - Administrator Guide - Cortex XDR - Cortex

Get started with Cortex Network Scanner - Set up Cortex Network Scanner for the first time. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 5.x Documentation

Product

Cortex XDR

License

XDR + Cloud

Creation date

2025-07-13

Last date published

2026-06-04

Deployment recommendations

Network vulnerability scanning is a resource-intensive task. To ensure optimal and consistent scan performance, we recommend the following:

Ensure that your Broker VM has at least 4 CPU cores and 8Gb of RAM.
Have dedicated Broker VMs for Cortex Network Scanner (or at least minimize the number of other applets running concurrently) to preserve sufficient resources for scanning.

Note

The Cortex Network Scanner applet is not supported in High Availability (HA) cluster configurations.

The Cortex Network Scanner applet is not supported for FedRAMP customers.

The Cortex Network Scanner uses various methods to actively detect, probe and assess detected services on all or most TCP and UDP ports. The nature of vulnerability scanning conflicts with security controls such as firewalls and IPS that are meant to block such activity. When deploying Broker VMs that run the Cortex Network Scanner (further - Scanners), we recommend taking one or both of the following actions:

[Recommended] Deploy scanners strategically within each target security zone or segment (e.g., firewall-configured segments). This ensures scanner traffic remains local to the segment and avoids crossing the firewall or other network security device.
Configure security policy rules on the firewall and other network security controls that prevent the blocking of traffic from Cortex Network Scanner. Follow the guidelines for your security controls and keep rules as narrow as possible. For Palo Alto Networks NGFW, you must allow traffic from the scanner to the target, using “Application” (App-ID) and “Service” (port) set to “any”.

Authenticated scans can collect more detailed information about target assets, and detect vulnerabilities that are not detectable with purely remote non-authenticated scans. If credentials are provided for the authenticated scan, the Cortex Network Scanner will attempt to login into the target machines using the provided account.

To set up a successful authenticated scan:

Provide correct credentials for SMB (Windows-bases systems) and SSH service (Unix-based systems).
Make sure related traffic (SMB or SSH) is allowed from the scanner to the target host.
Configure the account with permissions that allow remote logins.

See Add credentials for authenticated scans for more information about setting up authenticated scans.

To ensure successful scans on Windows-based hosts, configure the following services and registry settings:

Under Services, enable the Remote Registry on startup.
Create a service account and add it to the Administrators group.
Navigate to the active network connection under Ethernet Properties → Networking and make sure File and Printer Sharing for Microsoft Networks is enabled.
If not part of a Windows domain, In the registry (regedit.exe), check that DWORD LocalAccountTokenFilterPolicy is set to 1.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\' -Name 'LocalAccountTokenFilterPolicy' -Value 1

Configure the following Windows Firewall settings:

Make sure ports 149, 445, and other services you want to scan are allowed in the firewall rules.

Activate Cortex Network Scanner

The Cortex Network Scanner identifies and analyzes devices, services, and vulnerabilities in your internal network. It discovers responsive hosts within specified IP ranges, including on-premises and cloud environments. The scanner supports both non-authenticated and authenticated vulnerability scanning, with authenticated scans providing deeper insights through credential-based access. Scan results are seamlessly integrated into the inventory and vulnerability management views in Cortex XSIAM, providing a centralized view of all discovered assets, vulnerabilities, and issues.

Cortex Network Scanner is installed as an applet on a Broker VM.

Notice

Requires the Exposure Management add-on.

Important

The Cortex Network Scanner applet is not supported for FedRAMP customers.

Cortex Network Scanner does not support high availability (HA) Broker VM configuration.

Prerequisites

Review the Cortex Network Scanner deployment recommendations and complete any prerequisites.
Set up and configure Broker VM

How to activate Cortex Network Scanner

Navigate to Settings → Configurations → Data Broker → Broker VMs.
Right click the Broker VM, and select Add App → Network Scanner.
After the applet has installed, the scanner should automatically connect to the tenant. If the connection is successful, you’ll see a green dot next to Network Scanner in the Apps column of the Broker VMs table.
A red dot indicates that an error occurred and the scanner is not connected.
(Optional) Click on the network scanner in the table to display details about the scanner or to deactivate it.
Validate the installation. Navigate to Modules → Vulnerability & Exposure Management → Network Scanners → Network Scanners and find your new scanner in the list.
The Network Scanners page displays all your deployed and configured scanners, along with additional details about each of them.

After setting up a Broker VM and activating Cortex Network Scanner, refer to Get started with Cortex Network Scanner for information about adding networks, adding credentials for authenticated scans, and configuring scans.