You can install Cortex XSOAR engines on all Linux and Windows machines. Although Cortex XSOAR engines are intended for Linux operating systems, they can be used on Windows, but Docker on Windows machines must be configured to run Linux containers. Docker/Podman needs to be installed before installing an engine. If you are using the Shell installer for an engine, Docker/Podman is installed automatically.
Engine Hardware Requirements
If your hard drive is partitioned, we recommend a minimum of 50GB for the /var partition for your development environment, and 50GB for the /var partition for your production environment. If you are using RHEL 8.x and Podman, we recommend allocating a minimum of 50GB for the /home partition and 50GB for the /var partition.
Component | Dev Environment Minimum | Production Minimum |
---|---|---|
CPU | 8 CPU cores | 16 CPU cores |
Memory | 16GB RAM | 32GB RAM |
Storage | 100GB | 100GB |
Operating System Requirements
You can deploy Cortex XSOAR engines on the following operating systems. The engine machine must also meet the minimum hardware requirements.
Operating System | Supported Versions |
---|---|
CentOS | 7.x |
Ubuntu | 18.04, 20.04 |
RHEL | 7.x, 8.0, 8.1, 8.2, 8.3, 8.4 |
Oracle Linux | 7.x |
Amazon Linux | 2 |
Note
CentOS 8.x reached End of Life (EOL) on December 31, 2021, and is no longer a supported operating system. If you are running CentOS 8.x, we recommend moving to CentOS 7.x or another supported operating system.
Engine Required URLs
You need to allow the following URLs for Cortex XSOAR engines to operate properly.
FUNCTION | SERVICE | PORT | DIRECTION |
---|---|---|---|
Integrations | | Integration-specific ports | Outbound |
Engine connectivity | HTTPS | 443 (configurable) | Outbound |
Engine Installation
Before you install the engine, you need to define the base URL in the Settings page so the engine can communicate with the server. When creating an engine in the Engines page, you can download one of the following file types for installation on the engine machine:
Shell: For all Linux deployments except RHEL 7.x (for example Ubuntu, CentOS, etc.). Automatically installs Docker/Podman, downloads Docker/Podman images, enables remote engine upgrade, and allows installation of multiple engines on the same machine. For RHEL 7.x, see Install Docker Distribution for Red Hat on Cortex XSOAR.
The installation file is selected for you. Shell installation supports the purge flag, which by default is false.
DEB: For Ubuntu operating systems.
RPM: For CentOS and RHEL operating systems. If you require a signed RPM file for installation, see Install a Signed Engine.
Note
Use DEB and RPM installation when shell installation is not available.
Zip: Used for Windows machines.
Configuration: Configuration file for download. When you install one of the other options, this config file (d1.conf) is installed on the engine machine.
Note
For DEB/RPM and Windows engines, Python (including 3.x) and containerization platform (Docker/Podman) must be installed and configured.
For Docker or Podman to work correctly on an engine, IPv4 forwarding must be enabled. If installing on RHEL v7 or CentOS v7 you need to install Mirantis Container Runtime. For more information, see System Requirements.
For air-gapped users, you can Install an Engine Offline. If you need a signed RPM file for installing an engine, follow the procedure in Install a Signed Engine.
For engines installed on RHEL machines that use Podman as the containerization platform, Configure the SELinux Policy for PowerShell Integrations (add the python.pass.extra.keys and powershell.pass.extra.keys configurations to the engine).
Before you install the engine, you need to define the base URL in the Settings page so the engine can communicate with the server. The base URL is the external IP address of your Cortex XSOAR server. If you do not define the base URL, you need to add it to the d1.conf file after you create the engine.
When you install the engine, the d1.conf file is installed on the engine machine. It contains engine properties such as proxy, log level, log files, etc. If Docker/Podman is already installed, the python.engine.docker and powershell.engine.docker keys are set to true. If Docker or Podman is not available when the engine is installed, the keys are set to false. If so, you need to set the keys to true. Verify that the python.engine.docker and powershell.engine.docker configuration keys are present in the d1.conf file.
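One way to run the checks described above on a Linux engine host, as an added example that is not part of the original documentation: it reads the two Docker keys from d1.conf and the kernel's IPv4 forwarding flag. It assumes d1.conf is a JSON object with boolean values for these keys; the function names and the sample file are constructed for illustration.

```shell
# Added example (not vendor code): preflight check of an engine host.
# Assumption: d1.conf is a JSON object with boolean values for these keys.

# key_state FILE KEY -> prints true, false (present but not set to true), or missing
key_state() {
    k=$(printf '%s' "$2" | sed 's/\./\\./g')   # match the dots in the key literally
    if grep -Eq "\"$k\"[[:space:]]*:[[:space:]]*true" "$1"; then echo true
    elif grep -Eq "\"$k\"[[:space:]]*:" "$1"; then echo false
    else echo missing
    fi
}

# ipv4_forwarding FILE -> succeeds when the kernel flag file contains 1
ipv4_forwarding() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# preflight CONF [FLAG_FILE] -> prints findings, returns the number of problems
preflight() {
    problems=0
    for key in python.engine.docker powershell.engine.docker; do
        state=$(key_state "$1" "$key")
        echo "$key: $state"
        [ "$state" = true ] || problems=$((problems + 1))
    done
    if ipv4_forwarding "${2:-/proc/sys/net/ipv4/ip_forward}"; then
        echo "IPv4 forwarding: enabled"
    else
        echo "IPv4 forwarding: disabled"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: an engine installed while Docker was unavailable for PowerShell
write_sample_conf() {
    cat > "$1" <<'EOF'
{
  "python.engine.docker": true,
  "powershell.engine.docker": false
}
EOF
}

# Usage: sh preflight.sh /path/to/d1.conf   (no argument: run on the constructed sample)
if [ $# -ge 1 ]; then
    preflight "$1"
else
    tmp=$(mktemp) && write_sample_conf "$tmp"
    preflight "$tmp" || echo "problems found: $?"
    rm -f "$tmp"
fi
```

A non-zero exit status is the number of failed checks, so the script can gate the engine start in a provisioning job.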
For engines running on a Windows machine, add the following keys to the d1.conf file:
The python.runner.loop.script.path configuration key with the path to the _script_docker_python_loop.py file (located in the engine's installation folder). The path to the _script_docker_python_loop.py file must be taken from WSL installed on the Windows machine (for example, /mnt/c/Users/<user>/Desktop/<engine folder>/_script_docker_python_loop.py).
The powershell.runner.loop.script.path configuration key with the WSL path to the _script_docker_powershell_loop.ps1 file (also located in the engine's installation folder).
After you install and deploy an engine, there are several ways that you can Manage Engines. For Linux systems, you can run Python integrations on an engine. Ensure you have Python 2.7 or later installed on the engine machine. Running Python integrations needs to be through Docker.
Define the base URL.
Go to → → .
From the Server Configuration section, in the Base URL (for D2 Agents and Engines) type the Base URL.
For example, for https://ec2-54-228-48-128.eu-west-1.compute.amazonaws.com/, type eu-west-1.compute.amazonaws.com
We recommend using the FQDN (fully qualified domain name). If the engine does not have an external address, the IP address can be used instead of the FQDN. For high availability environments or multi-tenant deployments, the FQDN should always be used.
Create an engine.
Select → → → .
In the Engine Name field, add a meaningful name for the engine.
Select one of the installer types from the dropdown list.
For Linux systems it is recommended to use the Shell installer.
(Optional) (Shell only) Select the checkbox to enable multiple engines to run on the same machine.
If you have an existing engine, you did not select the checkbox, and you want to install another engine on the same machine, you need to delete the existing engine.
(Optional) Add any required configuration in JSON format.
Click Create New Engine.
For Shell installation, do the following:
Move the .sh file to the engine machine using a tool like SSH or PuTTY.
On the engine machine, grant execution permission by running the following command:
chmod +x <engine-file-path>
Install the engine by typing one of the following commands:
With tools:
sudo ./d1-<engine-name>-<XSOAR-version>-xxxxxxx.sh
Without tools:
sudo ./d1-<engine-name>-<XSOAR-version>-xxxxxxx.sh -- -tools=false
For example:
sudo ./d1-engine1-6.6-2458567.sh -- -tools=false
If you receive a permissions denied error, it is likely that you do not have permission to access the /tmp directory.
For RPM/DEB installation do the following:
Move the file to the required machine using a tool like SSH or PuTTY.
Type one of the following installation commands:
Machine Type | Install Command |
---|---|
CentOS/RHEL (RPM) | sudo rpm -Uvh d1-2.5_15418-1.x86_64.rpm |
Ubuntu (DEB) | sudo dpkg --install d1_xxx_amd64.deb |
Start the engine by running one of the following commands:
Machine Type | Start Command |
---|---|
CentOS/RHEL (RPM) | sudo systemctl start d1 |
Ubuntu (DEB) | sudo service d1 restart |
For zip file installation, do the following.
Move the d1 zip file to the engine machine using a tool like WinSCP.
Unzip the file and move it to any location you require.
Open the file and run the d1_windows_amd64.exe file.
Every time you want to connect to Cortex XSOAR you need to run the D1 Application file.
(Optional) If you experience performance issues, you may need to Configure the Number of Workers for the Server and Engine. To troubleshoot installation, upgrade, connectivity, or issues with integrations, see Troubleshoot Engines.