Deploy your Network Devices

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-18
Category: Administrator Guide
Abstract

Activate your firewalls and Panorama for log forwarding to Cortex Data Lake.

With a Cortex XSIAM license, if you use Palo Alto Networks firewalls as a traffic log source, you must activate your firewalls and Panorama and configure them either to stream directly to your tenant or to forward to your Cortex XDR Data Lake.

  1. Register and activate your firewalls and Panorama.

  2. Upgrade firewalls and Panorama to the latest software and content releases.

    PAN-OS 8.0.6 is the minimum required software release version for Palo Alto Networks firewalls and Panorama. However, to enable Cortex XSIAM to leverage the Directory Sync Service and Enhanced Application Logs, upgrade firewalls and Panorama to PAN-OS 8.1.1 or later and to the latest content release.

  3. Ensure that firewalls have visibility into internal traffic and applications.

    It’s important that at least one firewall sending logs to the Data Lake is processing or has visibility into internal traffic and applications.

    If you have deployed only internet gateway firewalls, one option is to configure a tap interface to give the firewall visibility into data center traffic even though the firewall is not in the traffic flow. Connect the tap mode interface to a data center switch SPAN or mirror port that provides the firewall with the mirrored traffic, and make sure that the firewall is configured to log the traffic and send it to the Data Lake.

    Because data center firewalls already have visibility into internal network traffic, you don’t need to configure these firewalls in tap mode. However, contact Palo Alto Networks Professional Services for best practices to ensure that the Data Lake and Cortex XSIAM-required configuration updates do not affect data center firewall deployments.

  4. Configure Panorama-managed firewalls.

    To stream data directly to your tenant, follow the instructions for Palo Alto Networks Integrations.

    If you decide to use Cortex Data Lake as your streaming method, make sure to configure the following:

    1. Start sending logs from Panorama-managed firewalls to Cortex Data Lake.

    2. Configure firewalls to forward Cortex XSIAM-required logs to Data Lake.

      The Data Lake provides centralized, cloud-based log storage for firewalls, and Panorama provides an interface you can use to view the stored logs. The rich log data that firewalls forward to the Data Lake provides the Cortex XSIAM analytics engine the network visibility it requires to perform data analytics.

      To support Cortex XSIAM, firewalls must forward at least Traffic logs to the Data Lake. The complete set of log types that a firewall should forward to the Data Lake is:

      • Traffic (required)

      • Threat (spyware, anti-exploit, anti-malware, DNS Security, etc.)

      • URL Filtering

      • User-ID

      • HIP

      • Enhanced application logs (PAN-OS 8.1.1 or later)

      Enhanced application logs are designed to increase visibility into network activity for Palo Alto Networks Cloud Services apps, and Cortex XSIAM requires these logs to support certain features.
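      One way to verify that a firewall configuration actually forwards the log types listed above, as an added example that is not Palo Alto Networks code: the script parses an exported PAN-OS style XML config and reports each required log type as forwarded or missing. The element layout it walks (a shared log-settings profile with match-list entries carrying a log-type and a send-to-panorama flag, device-level userid and hipmatch match lists, and an enhanced-application-logging setting) is an assumption modelled on the PAN-OS schema, as is the sample config, so check the paths against an export from your own PAN-OS version.

```python
"""Audit a PAN-OS style XML config for the log types Cortex XSIAM expects."""
import xml.etree.ElementTree as ET

# Profile-level log types: Traffic is mandatory, Threat and URL Filtering are
# expected. "url" is assumed to be the log-type value for URL Filtering.
PROFILE_TYPES = {"traffic": "required", "threat": "expected", "url": "expected"}
# Device-level (Device > Log Settings) log types the guide also lists (assumed keys).
DEVICE_TYPES = {"userid": "User-ID", "hipmatch": "HIP"}

# Constructed sample config: URL logs are not sent to the Data Lake and no
# HIP match list exists, so the audit should flag both.
SAMPLE_CONFIG = """<config>
  <shared><log-settings>
    <profiles><entry name="to-data-lake"><match-list>
      <entry name="traffic-all"><log-type>traffic</log-type>
        <filter>All Logs</filter><send-to-panorama>yes</send-to-panorama></entry>
      <entry name="threat-all"><log-type>threat</log-type>
        <filter>All Logs</filter><send-to-panorama>yes</send-to-panorama></entry>
      <entry name="url-all"><log-type>url</log-type>
        <filter>All Logs</filter><send-to-panorama>no</send-to-panorama></entry>
    </match-list></entry></profiles>
    <userid><match-list><entry name="userid-all">
      <send-to-panorama>yes</send-to-panorama></entry></match-list></userid>
  </log-settings></shared>
  <deviceconfig><setting><logging>
    <enhanced-application-logging>yes</enhanced-application-logging>
  </logging></setting></deviceconfig>
</config>"""

def forwarded_to_cdl(entries):
    """True if any match-list entry sends its logs to Panorama/Cortex Data Lake."""
    return any((e.findtext("send-to-panorama") or "no") == "yes" for e in entries)

def audit_config(xml_text):
    """Return {log type: 'ok' | 'missing (...)'} for every type the guide lists."""
    root = ET.fromstring(xml_text)
    findings = {}
    for name, level in PROFILE_TYPES.items():
        entries = root.findall(
            f"./shared/log-settings/profiles/entry/match-list/entry[log-type='{name}']")
        findings[name] = "ok" if forwarded_to_cdl(entries) else f"missing ({level})"
    for key, label in DEVICE_TYPES.items():
        entries = root.findall(f"./shared/log-settings/{key}/match-list/entry")
        findings[label] = "ok" if forwarded_to_cdl(entries) else "missing (expected)"
    eal = root.findtext("./deviceconfig/setting/logging/enhanced-application-logging")
    findings["enhanced-application-logs"] = "ok" if eal == "yes" else "missing (PAN-OS 8.1.1+)"
    return findings

if __name__ == "__main__":
    for log_type, status in audit_config(SAMPLE_CONFIG).items():
        print(f"{log_type:28} {status}")
```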