Engines Overview - Administrator Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.5
Creation date: 2022-09-28
Last date published: 2024-03-21
End_of_Life: EoL
Category: Administrator Guide
Abstract

Understand Cortex XSOAR engine architecture, load balancing groups, installation and configurations.

Cortex XSOAR engines are installed in a remote network and allow communication between the remote network and the Cortex XSOAR server. You can run scripts and integration commands on an engine. It is possible to install a single engine or multiple engines.

You can install multiple engines on the same machine (Shell installation only). This is useful in a dev-prod environment where you do not want to maintain and manage numerous engine machines across different environments. In a multi-tenant environment, users may want to deploy engines for tenants on the same machine, and you can share an engine between tenants.

Note

You cannot share a multiple engine installation with a single engine installation.

An engine is implemented as follows.

Engine Proxy

Cortex XSOAR engines enable the Cortex XSOAR server to access internal or external services that would otherwise be blocked, such as by a firewall or a proxy. For example, if a firewall blocks external communication and you want to run the Rasterize integration, you need to install an engine to access the Internet.

Engine Architecture

[Figure: engine architecture diagram]

Within the network, you need to allow the engine to access the Cortex XSOAR server's IP address and listening port (by default, TCP 443). The engine always initiates the communication to the server.
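A preflight check that can be run from the engine host to confirm the outbound path described above before installing. This is an added example, not part of the Cortex XSOAR documentation or product; the function name `check_egress` and the hostname `xsoar.example.com` are assumptions.

```python
import socket
import ssl


def check_egress(host, port=443, timeout=5.0, tls=True):
    """Classify one outbound connection attempt from the engine host.

    Returns "ok", "dns_failure", "refused", "timeout", "tls_failure" or "error".
    """
    try:
        info = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"          # engine host cannot resolve the server name
    family, socktype, proto, _, sockaddr = info[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)        # the engine side always initiates
        if tls:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
                tls_sock.version()    # handshake completed and certificate verified
        return "ok"
    except socket.timeout:
        return "timeout"              # typically a firewall silently dropping packets
    except ConnectionRefusedError:
        return "refused"              # host reached, but port closed or actively rejected
    except ssl.SSLError:
        return "tls_failure"          # untrusted certificate or a non-TLS device in the path
    except OSError:
        return "error"                # no route, reset during handshake, etc.
    finally:
        sock.close()


if __name__ == "__main__":
    # Hypothetical server name; replace with your Cortex XSOAR server address.
    print(check_egress("xsoar.example.com", 443))
```

Because the engine opens the connection, only this outbound path needs to be permitted; no inbound rule toward the engine is required for it.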

Engine Load-Balancing

Engines can be part of a load-balancing group, which enables distribution of the command execution load. The load-balancing group uses an algorithm to efficiently share the workload for integrations that the group is assigned to, thereby speeding up execution time. In general, heavy workloads are caused by playbooks that run a high number of commands.

Before configuring an integration to run using multiple engines in a load-balancing group, it is recommended that you test the integration using a single engine in the load-balancing group.

[Figure: engine load-balancing diagram]

Note

When you add an engine to a load-balancing group, you cannot use that engine separately. The engine does not appear in the engines drop-down menu when configuring an integration instance.

Engine Installation and Configuration

You can Install an Engine on Linux and Windows machines. After installing the engine, you can configure and manage engines, including setting a web proxy, adding and removing engines, and configuring the number of workers. Before installing, review the system requirements in Install an Engine.

Note

You need to install Docker before installing an engine. If you use the Shell installer, Docker is automatically installed. We therefore highly recommend using Linux rather than Windows, so that you can use the Shell installer, which installs all dependencies.