Learn more about activating a Local Agent Settings applet on a Broker VM.
The Local Agent Settings applet on the Palo Alto Networks Broker VM enables you to:
To deploy Cortex XDR in restricted networks where endpoints do not have a direct connection to the internet, setup the Broker VM to act as a proxy that routes all the traffic between the Cortex XDR management server and XDR agents/XDR Collectors via a centralized and controlled access point. This enables your agents and XDR Collectors to receive security policy updates, upgrades, and send logs and files to Cortex XDR without a direct internet connection. The Broker VM acts like a transparent proxy and doesn’t decrypt the secure connection between the server and the XDR agent/XDR Collectors, and hides the XDR agent’s/XDR Collector's original IP addresses. If your network topology includes SSL decryption in an upstream proxy/firewall, the Broker VM does not participate in the trust relationship as it is not initiating the connection to the server to be fully transparent.
To reduce your external network bandwidth loads, you can cache XDR agent installations, upgrades, and content updates on your Cortex XDR Broker VM. The Broker VM retrieves from Cortex XDR the latest installers and content files every 15 minutes and stores them for a 30-days retention period since an agent last asked for them. If the files were not available on the Broker VM at the time of the ask, the agent proceeds to download the files directly from the Cortex XDR server. If asked by an agent, the Broker VM can also cache a specific installer that is not on the list of latest installers.
Before you activate the Local Agent Settings applet, verify the following prerequisites and limitations listed by the main features.
Each local setting on the Broker VM can support up to 50,000 agents.
Note
This is assuming a standard hardware setup with 2vCPU 8GB memory.
Supported with Traps agent version 5.0.9 and Traps agent version 6.1.2 and later releases.
Broker VM supports forwarding the XDR Collectors request URLs on all Broker VM versions.
Supported with all XDR Collector versions.
Note
Broker VMs can act as as a proxy for routing XDR Collector traffic to the Cortex XDR tenant. The Broker VM does not cache XDR Collector installers.
Supported with XDR agent version 7.4 and later releases and Broker VM 12.0 and later.
Requires a Broker VM with an 8-core processor to support caching for 10K endpoints.
For the agent installer and content caching to work properly, you must configure different settings where the instructions differ depending on whether you are configuring a standalone Broker VM or High Availability (HA) cluster:
FQDN: A FQDN must be configured for the standalone broker as configured in your local DNS server. This is to ensure that XDR agents know who to access to receive agent installer and content caching data.
SSL certificates: Ensure you upload strong cipher SHA256-based SSL certificates when you setup the Broker VM.
Download source: Requires adding the Broker VM as a download source in your Agent Settings Profile. For more information, see Add a New Agent Settings Profile.
FQDN: A FQDN must be configured in the cluster settings as configured in your local DNS server, which points to a Load Balancer. This ensures that the XDR agents turn to the load balancer to route the requests for the agent installer and content caching data to the correct broker. For more information on configuring the Load Balancer FQDN in a HA cluster, see Configure a High Availability Cluster.
SSL certificates: In each broker in the cluster, ensure you upload strong cipher SHA256-based SSL certificates when you setup the Broker VM.
Download source: Requires adding the cluster as a download source in your Agent Settings Profile. For more information, see Add a New Agent Settings Profile.
Agents communicate with the Broker VM using Hypertext Transfer Protocol Secure (https) over port 443. You must ensure this port is open so that the Broker VM is accessible to all agents that are configured to use its cache.
The broker needs to communicate with the same URLs that the agents communicate with to avoid receiving any inaccessible URLs errors. For a complete list of the URLs that you need to allow access, see Resources Required to Enable Access.
After you configure and register your Palo Alto Networks Broker VM, proceed to set up your Local Agent Settings applet.
Select Settings → Configurations → Data Broker → Broker VMs.
In either the Brokers tab or the Clusters tab, locate your Broker VM.
(Optional) To set up the Agent Proxy:
Right-click the Broker VM, select Configure.
Ensure your proxy server is configured. If not, proceed to add it as described in Configure the Broker VM.
You can either right-click the Broker VM and select Add App → Local Agent Settings, or in the APPS column, left-click Add → Local Agent Settings.
In the Activate Local Agent configuration, enable Agent Proxy by setting the Proxy to Enabled, and specify the Port. You can also configure the Listening Interface, where the default is set to All.
Note
When you install your XDR agents, you must configure the IP address of the Broker VM and a port number during the installation. You can use the default 8888 port or set a custom port. You are not permitted to configure port numbers between 0-1024 and 63000-65000, or port numbers 4369, 5671, 5672, 5986, 6379, 8000, 9100, 15672, 25672. Additionally, you are not permitted to reuse port numbers you already assigned to the Syslog Collector applet.
(Optional) To setup up Agent Installer and Content Caching:
Ensure you uploaded your SHA256-based certificates.
If not, upload them as described in Configure the Broker VM and Save.
Specify the Broker VM FQDN.
Right-click the Broker VM, select Configure. Under Device Name, enter your Broker VM FQDN. This FQDN record must be configured in your local DNS server.
Important
A FQDN must be configured for WEC and Agent Installer and Content Caching to function properly.
Activate the Local Agent Settings applet on the Broker VM.
You can either right-click the Broker VM and select Add App → Local Agent Settings, or in the APPS column, select Add → Local Agent Settings.
Activate installer and content caching.
In the Activate Local Agent configuration, enable Agent Installer and Content Caching by setting Caching to Enabled.
Important
You can only enable Agent Installer and Content Caching, when in the Broker VM Configuration, you've uploaded your signed SSL Server Certificate and key and set the FQDN. For more information, see the Agent Installer and Content Caching requirements explained above.
To enable agents to start using Broker VM caching, you must add the Broker VM as a download source in your Agent Settings profile and select which Broker VMs to use, as described in Add a New Agent Settings Profile. Then, ensure the profile is associated with a policy for your target agents.
After a successful activation, the APPS field displays Local Agent Settings with a green dot indicating a successful connection. Left-click the Local Agent Settings connection to view the applet status and resource usage.
To help you easily troubleshoot connectivity issues for a Local Agent Settings applet on the Palo Alto Networks Broker VM, Cortex XDR displays a list of Denied URLs. These URLs are displayed when you left-click the Local Agent Settings applet to view the Connectivity Status. As a result, in a situation where the Local Agent Settings applet is reported as activated with a failed connection, you can easily determine the URLs that need to be allowed in your network environment.
Manage the local agent settings. After the local agent settings have been activated, left-click the Local Agent Settings connection in the APPS column to display the settings, and select:
Configure to change your settings.
Deactivate to disable the local agent settings altogether.