Set up Network Analysis - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

Learn more about setting up your network sensors and defining network coverage for your internal networks.

With a Cortex XDR Pro per GB license, you must set up your network sensors and define network coverage for your internal networks.

  1. Set up your network sensors.

    1. If you use unmanaged Palo Alto Networks firewalls and did not configure log-forwarding on your firewalls before activating Cortex XDR, Start Sending Logs to Cortex Data Lake.

    2. (Optional) Set up External Data Ingestion.

      If you have external (non-Palo Alto Networks) network sensors, you can set up a Syslog collector to receive alerts or logs from them. If you send external alerts, Cortex XDR can include any of them in relevant incidents for a more complete picture of the activity involved. If you send logs and alerts from external sources such as Check Point firewalls, Cortex XDR can apply analytics analysis and raise analytics alerts on the external logs and include the external alerts in incidents for additional context.

    3. (Optional) If you use a third-party authentication service, you can Ingest Authentication Logs and Data into authentication stories. After you set up log collection, you can search for authentication data using the Query Builder.

    4. (Optional) If you want to use Pathfinder to examine unmanaged network hosts, servers, and workstations for malicious or risky software, Activate Pathfinder.

  2. Configure the internal networks that you want Cortex XDR to monitor.

    1. From the Cortex XDR management console, navigate to AssetsNetwork Configuration.

    2. Define your IP Address Ranges.Configure Your Network Parameters

      This page provides a table of the IP address ranges Cortex XDR Analytics monitors, which is pre-populated with the default IPv4 and IPv6 address spaces.

    3. Define your Domain Names.Configure Your Network Parameters

  3. If you use GlobalProtect or Prisma Access, add the GlobalProtect VPN IP address pool for the VPN traffic that you want to monitor.

    1. To enable the Cortex XDR app to analyze your VPN traffic, add (+) a new segment and specify the first and last IP address of your GlobalProtect VPN IP address pool.

    2. Identify this network segment as Reserved for VPN. GlobalProtect dynamically assigns IP addresses from the IP pool to the mobile endpoints that connect to your network. The Cortex XDR analytics engine creates virtual entity profiles for network segments that are reserved for VPN.

    3. Save (save-icon.png) the network segment. If the Configuration saved notification does not appear, save again.

  4. If you selected a Cloud Identity Engine (Directory Sync instance) during the Cortex XDR activation process, Set Up Cloud Identity Engine.