Ingest data from Cloud Next-Generation Firewall - Learn how to ingest detection data from Cloud Next-Generation Firewall. - Administrator Guide - Cortex XDR - Cortex

Ingest data from Cloud Next-Generation Firewall - Learn how to ingest detection data from Cloud Next-Generation Firewall. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 5.x Documentation

Product

Cortex XDR

License

XDR + Cloud

Creation date

2025-07-13

Last date published

2026-06-11

Notice

Requires the Data Collection add-on.

Cloud Next-Generation Firewall (CNGFW) is a fully managed, cloud-native security service from Palo Alto Networks. Enabling CNGFW data collection allows for the ingestion of CNGFW logs into the platform by establishing a dedicated connector within the existing data source configuration flow. The connection is established at the CSP account. You can connect resources regardless of whether they are managed by Strata Cloud Manager (SCM). The interface supports:

Connecting CNGFW to the current account
Connecting CNGFW from other accounts

Cortex products utilize the Cloud Logging Collection Service (CLCS), a pub/sub service, and the Strata Logging Service (SLS) to stream this data. Adding and removing CNGFW devices is recorded in audit logs, and users can view the consent audit during the process. Any issues related to CNGFW logs are created in the same manner as traditional NGFW issues.

Prerequisite

Cortex XDR RBAC permissions: Requires View/Edit permissions for Data Sources (under Configurations → Data Collections).
Cloud Service Provider (CSP) account permissions: Configuration of data ingestion from multiple accounts and regions requires Super User permissions on both the Cortex XDR tenant and on the device accounts.
Note
Cross CSP (Cloud Service Provider) is supported only within the same SFDC hierarchy. Consequently, MSSP use cases where the customer owns one end of the solution are not supported.

Once ingested, your data is stored in the panw_ngfw_*_raw datasets. You can query this data using Cortex Query Language (XQL).

The following log types are supported for CNGFW ingestion:

Log Type	Dataset Name
Authentication Logs	`panw_ngfw_auth_raw`
Configuration Logs	`panw_ngfw_config_raw`
File Data Logs	`panw_ngfw_filedata_raw`
Global Protect Logs	`panw_ngfw_globalprotect_raw`
Hipmatch Logs	`panw_ngfw_hipmatch_raw`*
System Logs	`panw_ngfw_system_raw`
Threat Logs	`panw_ngfw_threat_raw`*
Traffic Logs	`panw_ngfw_traffic_raw`*
Tunnel Logs	`panw_ngfw_tunnel_raw`
URL Logs	`panw_ngfw_url_raw`*
User ID Logs	`panw_ngfw_userid_raw`

*Note: These datasets use the query field names as described in the Cortex schema documentation.

Select Settings → Data Sources & Integrations
On the Data Sources & Integrations page, click + Add New, search for CNGFW, then hover over and click Add.
In the Add Cloud Next-Generation Firewall dialog box, you can choose to connect CNGFW to this account or other accounts.
- To connect CNGFW from the current account, select Connect Cloud NGFW from current account (default), and select the applicable regions.
- To connect CNGFW from another account, select Connect Cloud NGFW from other accounts and select the applicable regions for the other accounts. You can search and multi-select accounts by account number, account name, or region. For cross-account connections, you must have Super User permissions on the CSP account and the device account.
  Important
  This cross-account support is limited to the same SFDC hierarchy; it does not extend to MSSP scenarios where the customer and provider own separate ends of the solution.
Depending on the regions selected, you may need to read the Cloud NGFW Connection from other regions disclaimer and approve the CNGFW connection.
Note
If you change a device region, you must first disconnect the device from Cortex XDR and then reconnect it after the region change is complete.
Click Connect to establish the instance.
Connection is established regardless of the firewall credential status and can take up to several minutes, select Sync now to refresh your instances.

Notice

Prerequisite

Note

Important

Note