Ingest Data from Next-Generation Firewall - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

You can forward firewall data from your Next-Generation Firewall (NGFW) and Panorama devices.

Existing integrations should be migrated to the Cortex Native Data Lake. Make sure you select all your devices to connect directly to Cortex XDR. Integrations not migrated manually will be migrated automatically 2 weeks before the end of the contract with Cortex Data Lake.

Make sure you have completed the following:

  • Retrieve (CDL/LGS) license keys and push to devices.

  • Ensure the cloud services plug-in is installed on Panorama.

  • Activate Logging Service or duplicate Logging, including EAL, directly or using device templates.

  • Enable Log forwarding profiles on firewall rules.


Ingesting logs from Next-Generation Firewall requires a Cortex XDR Pro per GB license.

You can only stream data from firewalls allocated to the same Customer Support Account (CSP) and operating in the same region.

As soon as Cortex XDR begins receiving detection data, the console begins stitching logs with other Palo Alto Network-generated logs to form stories. Use the XQL Search dataset panw_ngfw_*_raw to query your data, where the following logs are supported:

*These datasets use the query field names as described in the Cortex schema documentation.

For stitched raw data, you can query the xdr_data dataset or use any preset designated for stitched data, such as network_story. For query examples, refer to the in-app XQL Library. Cortex XDR can also raise Cortex XDR alerts (Analytics, Correlation Rules, IOC, and BIOC only) when relevant from Cortex Data Lake detection data. While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC, and BIOC alerts are only raised on normalized logs.


IOC and BIOC alerts are applicable on stitched data only and are not available on raw data.

To ingest detection data from NGFW.

  1. Select SettingsConfigurationsData CollectionCollection Integrations.

  2. In the Collection Integrations page, locate your NGFW data source and select Add Instance to begin a new connection.

  3. Select Add NGFW Device or Add Panorama Device.

    A list of all available devices allocated to your account is displayed.

    Devices already connected are listed at the end. A device may be connected via Cortex Data Lake (CDL) or the Cortex XDR console. Depending on the type of connection, you can rectify any streaming issues that may arise.

  4. Depending on your PAN-OS or Panorama version, generate either a certificate or PSK.

    For PAN-OS and Panorama versions 10.1 and later, each firewall requires a separate certificate. Certificates need to be requested through the Customer Support portal. To sign in to the portal, click here. For PAN-OS and Panorama versions 10.0 and earlier, you are only required to generate one global PSK for all the firewall devices.


    Cortex XDR does not validate your firewall credentials, you must ensure the certificates or PSK details have been updated in your firewalls in order for data to stream.

  5. Connect to establish the instance.

    Connection is established regardless of the firewall credential status and can take up to several minutes, select Sync now to refresh your instances.

  6. Validate that your data is streaming.

    To ensure the data is streaming into your tenant:

    • In your NGFW Standalone Firewall Devices, track the Last communication timestamp.

    • Run XQL Query: dataset = panw_ngfw_system_raw| filter log_source_id = "[NGFW device SN]"

  7. (Optional) Manage your Instance.

    After you create the NGFW instance, in the Collection Integrations page, expand the NGFW to track the status of your Standalone Firewall Devices and Panorama Devices.

    Select the ellipses to Request Certificate, if required, or Delete the instance.


You can see an overview of ingestion status for all log types, and a breakdown of each log type and its daily consumption quota on the NGFW Ingestion Dashboard.