Configure the Broker VM - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

To set up the Broker virtual machine (VM), you need to deploy an image created by Palo Alto Networks on your network or supported cloud infrastructure and activate the available applications. You can set up several Broker VMs for the same tenant to support larger environments. Ensure each environment matches the necessary requirements.

Before you set up the Broker VM, verify you meet the following requirements.

  • Hardware: For standard installation, use a minimum of a 4-core processor, 8GB RAM, and 512GB disk. If you only intend to use the Broker VM for agent proxy, you can use a 2-core processor. If you intend to use the Broker VM for agent installer and content caching, you must use an 8-core processor.


    The Broker VM comes with a 512GB disk. Therefore, deploy the Broker VM with thin provisioning, meaning the hard disk can grow up to 512GB but will do so only if needed.

  • Bandwidth is higher than 10mbit/s.

  • VM compatible with:


    Image Type

    Additional Requirements

    Amazon Web Services (AWS)


    Create a Broker VM Amazon Machine Image (AMI)

    Google Cloud Platform


    Set up the Broker VM on Google Cloud Platform (GCP)

    Microsoft Azure

    VHD (Azure)

    Create a Broker VM Azure Image

    Microsoft Hyper-V 2012


    Hyper-V 2012 or later

    Create a Broker VM Image for Microsoft Hyper-V

    Alibaba Cloud


    Create a Broker VM Image for Alibaba Cloud

    Nutanix Hypervisor


    Nutanix AHV 2021

    Create a Broker VM Image for a Nutanix Hypervisor



    Create a Broker VM Image for a KVM using Ubuntu

    VMware ESXi


    VMware ESXi 6.5 or later

  • Enable communication between the Broker Service, and other Palo Alto Networks services and apps.

    FQDN, Protocol, and Port





    UDP port 123

    NTP server for clock synchronization between the syslog collector and other apps and services. The Broker VM provides default servers you can use, or you can define an NTP server of your choice. If you remove the default servers, and do not specify a replacement, the Broker VM uses the time of the host.


    If the Broker VM is unable to access any of the configured NTP servers in the management console, you'll need to delete all of them for the Broker VM to use the time configured in the host.

    br-<XDR tenant>.xdr.<region>

    HTTPS over TCP port 443

    Broker Service server depending on the region of your deployment, such as us or eu.

    HTTPS over TCP port 443

    Information needed to communicate with your Cortex XDR tenant. Used by tenants deployed in all regions.


    HTTPS over TCP port 443

    Broker Service server for Federal (US Government) deployment.

    HTTPS over TCP port 443

    Used by tenants with Federal (US Government) deployment

  • Enable Access to Cortex XDR from the Broker VM to allow communication between agents and collectors and the Cortex XDR app.


    If you use SSL decryption in your firewalls, you need to add a trusted self-signed certificate authority on the Broker VM to prevent any difficulties with SSL decryption. If adding a CA certificate to the Broker is not possible, ensure that you’ve added the Broker Service FQDNs to the SSL Decryption Exclusion list on your firewalls.

Configure your Broker VM as follows:

  1. In Cortex XDR , select Settings ConfigurationsData BrokerBroker VMs.

  2. Add Broker and install the Broker VM images for your corresponding infrastructure:

  3. Select Add BrokerGenerate Token, and copy to your clipboard.


    The token is valid only for 24 hours. A new token is generated each time you select Generate Token.

  4. Navigate to either of the following URLs, which is dependent on the Broker VM version you are using:

    • From Broker VM version 19.x.x and higher: https://<broker_vm_ip_address>.:4443

    • From Broker VM version 18.x.x and lower: https://<broker_vm_ip_address>/


    When DHCP is not enabled in your network and you don’t have an IP address for your Broker VM, you need to configure the Broker VM with a static IP using the serial console menu of the Broker VM.

  5. Log in with the default password !nitialPassw0rd and then define your own unique password.


    The password must contain a minimum of eight characters, contain letters and numbers, and at least one capital letter and one special character.

  6. Configure your Broker VM settings:

    1. In the Network Interface section, review the pre-configured Name, IP address, and MAC Address, and select the Address Allocation: DHCP (default) or Static. You can also specify which of the network interfaces is designated as the Admin and can be used to access the Broker VM web interface. Only one interface can be assigned for this purpose from all of the available network interface on the Broker VM, and the rest should be set to Disable.

      • If you choose Static, define the following and Save your configurations:

        • Static IP address

        • Netmask

        • Default Gateway


          When configuring more than one network interface, ensure that only one Default Gateway is defined. The rest must be set to, which configures them as undefined.

        • DNS Server

    2. (Requires Broker VM 14.0.42 and later) (Optional) Internal Network

      Specify a network subnet to avoid the Broker VM dockers colliding with your internal network. By default, the Network Subnet is set to


      Internal IP must be:

      • Formatted as prefix/mask, for example

      • Must be within /8 to /24 range.

      • Cannot be configured to end with a zero.

      For Broker VM version 9.0 and lower, Cortex XDR will accept only

    3. (Optional) Configure a Proxy Server address and other related details to route Broker VM communication.

      • Select the proxy Type as HTTP, SOCKS4, or SOCKS5.


        You can configure another Broker VM as a Proxy Server for this Broker VM by selecting the HTTP type. When selecting HTTP to route Broker VM communication, you need to add the IP Address and Port number (set when activating the Agent Proxy) for the other Broker VM registered in your tenant that you want to designate as a proxy for this Broker VM.

      • Specify the proxy Address (IP or FQDN), Port, and an optional User and Password. Select the pencil icon to specify the password.


        Avoid using special characters in the proxy username and password.

      • Save your configurations.

    4. (Optional) (Requires Broker VM 8.0 and later) Configure your NTP servers.

      Specify the required server addresses using the FQDN or IP address of the server.

    5. (Requires Broker VM 8.0 and later) (Optional) In the SSH Access section, Enable or Disable SSH connections to the Broker VM. SSH access is authenticated using a public key, provided by the user. Using a public key grants remote access to colleagues and Cortex XDR support who the private key. You must have Instance Administrator role permissions to configure SSH access.

      To enable connection, generate an RSA Key Pair, enter the public key in the SSH Public Key section. Once one SSH public key is added, you can +Add Another. When you are finished, Save your configuration.

      When using PuTTYgen to create your public and private key pairs, you need to copy the public key generated in the Public key for pasting into OpenSSH authorized_keys file box, and paste it in the Broker VM SSH Public Key section as explained above. This public key is only available when the PuTTYgen console is open after the public key is generated. If you close the PuTTYgen console before pasting the public key, you will need to generate a new public key.

      When you SSH the Broker VM using PuTTY or a command prompt, you need to use the admin username. For example:

      ssh -i [/path/to/private.key] admin@[broker_vm_address]
    6. (Requires Broker VM 10.1.9 and later) (Optional) In the SSL Server Certificate section, upload your signed server certificate and key to establish a validated secure SSL connection between your endpoints and the Broker VM. When you configure the server certificate and the key files in the Broker VM UI, Cortex XDR automatically updates them in the tenant UI. Cortex XDR validates that the certificate and key match, but does not validate the Certificate Authority (CA).


      The Palo Alto Networks Broker supports only strong cipher SHA256-based certificates. MD5/SHA1-based certificates are not supported.

    7. In the Trusted CA Certificate section, upload your signed Certificate Authority (CA) certificate or Certificate Authority chain file in a PEM format with the associated key, and click Save. If you use SSL decryption in your firewalls, you need to add a trusted self-signed CA certificate on the Broker VM to prevent any difficulties with SSL decryption. For example, when configuring Palo Alto Networks NGFW to decrypt SSL using a self-signed certificate, you need to ensure the Broker VM can validate a self-signed CA by uploading the cert_ssl-decrypt.crt file on the Broker VM.


      If adding a CA certificate to the Broker VM is not possible, ensure that you’ve added the Broker Service FQDNs to the SSL Decryption Exclusion list on your firewalls. See Enable Access to Cortex XDR.

    8. (Requires Broker VM 8.0 and later) (Optional) Collect and Generate New Logs. Your Cortex XDR logs will download automatically after approximately 30 seconds.

  7. Register and enter your unique Token, created in the console.


    Registration of the Broker VM can take up to 30 seconds.

    After a successful registration, Cortex XDR displays a notification.

    You are directed in Cortex XDR to SettingsConfigurationsData BrokerBroker VMs. The Broker VMs page displays your Broker VM details and allows you to edit the defined configurations.