Set up the Broker VM on Google Cloud Platform (GCP)

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-03-22
Last date published: 2023-09-21
Category: Administrator Guide

You can deploy the Broker VM on Google Cloud Platform. The Broker VM facilitates communication with external services through the installation and setup of applets such as the syslog collector.

To set up the Broker VM on Google Cloud Platform, you install the VMDK image provided in Cortex XDR. To complete the setup, you must have G Cloud installed and have an authenticated user account.

  1. Download the Broker VM VMDK image from Cortex XDR (see Configure the Broker VM).

  2. From G Cloud, create a Google Cloud Storage bucket to store the Broker VM image.

    1. Create a project in GCP, for example brokers-project, and enable Google Cloud Storage. Make sure you have defined a Default Network.

    2. Create a bucket to store the image, such as broker-vms.

  3. Open a command prompt and run the following.

    gcloud config set project <project-name>

  4. To upload the VMDK image to the bucket, run the following.

    gsutil cp </path/to/broker.vmdk> gs://<bucket-name>

  5. Import the GCP image.

    You can import the GCP image using either G Cloud CLI or Google Cloud console.

    Note

    The import tool uses the Cloud Build API, which must be enabled in your project. For image import to work, the Cloud Build service account must have the compute.admin and iam.serviceAccountUser roles. When using the Google Cloud console to import the image, you will be prompted to add these permissions automatically.

    • gcloud CLI

      Before importing a GCP image using the gcloud CLI, ensure that you update the Google Cloud components to version 371.0.0 or above using the following command.

      gcloud components update

      The following command uses the minimum required parameters. For more information on permissions and available parameters, refer to the Google Cloud SDK.

      Open a command prompt and run the following.

      gcloud compute images import <VMDK image> --data-disk --source-file="gs://<image path>" --network=<network_name> --subnet=<subnet_name> --zone=<region> --async

    • Google Cloud Console

    1. Navigate to Compute Engine > Images.

    2. Create Image.

    3. Complete the following fields.

      • Specify a meaningful Name for this image, such as broker-9-0-32.

      • Select Virtual disk (VMDK, VHD) as the Source.

      • To select the Cloud Storage file, Browse and select the bucket and the VMDK image you uploaded.

      • Select Ubuntu 18.04 Bionic as the Operating system on virtual disk.

      • Allow Compute Engine to Install guest packages.

      • Create the image.

        The image creation process can take up to 20 minutes.

  6. When Google Compute completes the image creation, create a new instance.

    1. From the Google Cloud Platform, select Compute Engine > VM instances.

    2. Create instance.

    3. In the Boot disk option, choose Custom images and select the image you created.

    4. Set up the instance according to your needs.

      If you are using the Broker VM to facilitate only Agent Proxy, use e2-standard-2. If you are using the Broker VM for multiple applets, use e2-standard-4.

  7. Allow port 4443 in your firewall configuration by creating a firewall rule.

    1. From the Google Cloud menu, select VPC network > Firewall, and click CREATE FIREWALL RULE.

    2. Set the following parameters for the rule:

      • Name: Name of the rule.

      • Network: Select the applicable network where the Broker VM resides.

      • Direction of traffic: Select Ingress (default).

      • Targets: Select All instances in the network.

      • Source IPv4 ranges: Enter the IP network of computers that will be connecting to the Broker VM. To include all machines, enter 0.0.0.0/0, which matches every IPv4 source address.

      • TCP: Enter port 4443.

    3. Click CREATE.

      The rule is listed under VPC firewall rules.

  8. Verify that the firewall rule is assigned to the Broker VM.

    1. From the Google Cloud menu, select Compute Engine > VM instances.

    2. For the particular Broker VM containing the rule, select the ellipsis to display More actions, and select View network details.

    3. In the Firewall and routes details section, select the FIREWALLS tab.

    4. Verify that the firewall rule is listed.

    You can now connect to the Broker VM web console using the Broker VM IP address. Connect via HTTPS over port 4443 using the format https://<ip address>:4443.

  9. Continue the steps to Configure the Broker VM.