Install Cortex XSOAR on a VM deployed on OCI - Administrator Guide - 8.13 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.13
Creation date: 2026-02-12
Last date published: 2026-05-27
Category: Administrator Guide
Solution: On-prem

The following procedure describes the steps for deploying an OVA image on OCI and then installing Cortex XSOAR on your deployed virtual machines.

Important

The IPs of all VMs (nodes) in a cluster, as well as the virtual IP, must be on the same subnet. They currently cannot be split across subnets.

To install a Cortex XSOAR 8 tenant, you need to log into Cortex Gateway, which is a portal for downloading the relevant image file and license. Downloading a file image from Cortex Gateway ensures you have the latest pre-configured software package for easy deployment and updates. If you have multiple or development tenants, you must repeat these tasks for each tenant.

Prerequisite

  • A Customer Support Portal (CSP) account.

    You need to set up your CSP account. For more information, see How to Create Your CSP User Account.

    When you create a CSP account, you can set up two-factor authentication (2FA) to log in to the CSP using email, Okta Verify, or Google Authenticator (non-FedRAMP accounts). For more information, see How to Enable a Third Party IdP.

  • Have one of the following roles assigned:

    Role: CSP role
    Details: The Super User role is assigned to your CSP account. The user who creates the CSP account is granted the Super User role.

    Role: Cortex role
    Details: You must have the Account Admin role.

    If you are the first user to access Cortex Gateway with the CSP Super User role, you are automatically granted Account Admin permissions for the Cortex Gateway. You can also add Account Admin users as required.

  • To download the Cortex XSOAR 8 images from Cortex Gateway, you need a license (or evaluation license via sales) assigned to your CSP account.

  • Review the System requirements for deploying a Cortex XSOAR tenant.

  • Have a basic understanding of how to deploy the OVA file format.

  • For VMware ESXi 6.5 and later, you need hardware version 13.

How to download the image and license
  1. Log in to Cortex Gateway.

  2. In the Available for Activation section, use the serial number to locate the tenant to download.

    By default, the Production-Standalone license is selected. You can also select Dev.

    Production and development are separate Kubernetes clusters with no dependency between them. For example, you can deploy a three-node cluster for production and a standalone node for development, or you can support small-scale for development and large-scale for production.

    If you want to use a production and a development tenant with a private remote repository, select Dev. If you don't select it now, you can install a development tenant later.

  3. Select Download On Prem.

  4. Click Next.

  5. Select the OVA image format to download.

    OVA is supported by AWS, Oracle Cloud Infrastructure (OCI), and VMware (for example, vSphere).

  6. Select the checkbox to agree to the terms and conditions of the license and click Download.

    Tip

    In Google Chrome, to download the image and license files together, you may need to set the browser Settings > Privacy and security > Site settings > Additional permissions > Automatic downloads to the default behavior, Sites can ask to automatically download multiple files.

    Two files download: a zipped license file containing one or more JSON license files with instructions, and a zipped image file of the type you selected (.ova, .vhd).

  7. Extract (unzip) the license and image files.

Currently, only Oracle Public Cloud is supported (not Government Cloud).

If you set your Cortex XSOAR environment as a standalone (single node), you cannot add nodes to it and switch to a cluster. If you deploy three nodes, you can later add nodes and expand the cluster. For more information, see Manage nodes in a cluster.

Important

To implement built-in High Availability, deploy a cluster with three nodes (VMs), with each VM on a different hypervisor. This ensures that if one hypervisor fails, the other VMs continue to operate.

You then need to:

  • Establish trust between all nodes in the cluster (Task 6).

  • Set the Cluster FQDN to the reverse proxy/ingress controller IP address (Task 7). The reverse proxy/ingress controller serves as a single entry point to distribute traffic across the nodes in the cluster.

To configure backup and restore in your tenant, see Back up data.

  1. In OCI, upload the OVA image file to a private bucket.

    Note

    Make sure the bucket is private and secure.

  2. Import the image from the bucket into the OCI environment.

  3. Disable CPU logging and performance (DRS). For more information, see Oracle Define or Edit Server Pool Policies.

  4. Create the instance.

  5. Create a block volume.

    The block volume size depends on the scale you want to use. For example, 1024 GB (1TB) corresponds to the hardware requirements for a small scale deployment with a 256 GB boot disk plus an additional separate 775 GB data disk.

    Important

    Every virtual machine is provided with a 256 GB hard disk to run the OS. However, you also need to add an extra hard disk for each virtual machine instance you want to deploy to run the application.

    All virtual machines in a cluster must have the same storage size.

    To ensure successful deployment, make sure the hard disks meet performance requirements detailed in the System requirements.

  6. Attach the block volume to the running instance.

    Note

    The attachment type needs to be Paravirtualized (and not iSCSI).

  7. Repeat these steps for each VM in a cluster.

  8. For first-time login, open an external terminal and use the ssh admin@<server ip address> command to log in over SSH. The default user name and password are admin.

    Give the admin a new password as follows.

    Important

    Save the SSH password securely. If you lose this password you cannot recover or change it, and to use SSH you will need to redeploy the cluster.

    The password must be at least eight characters long and contain at least:

    • One lower case letter

    • One upper case letter

    • One number, or one of the following special characters: !@#%

    If this is not a first time login, you can log in from the web console or from a terminal using the ssh admin@<server ip address> command to SSH log in.

    The textual UI menu opens with all the configuration and installation options.

    Tip

    • To start using the textual UI, click anywhere on the screen.

    • To navigate between the menu items, use the up and down arrow keys. To select a menu item, press the Enter key.

    • To navigate between fields within a menu item, use the Tab key. To save settings, tab to the Save button and press the Enter key.

    • To go back to the menu from a specific menu item field, press the esc key.

Important

Since the Cloud platform handles network and IP settings, skip the Host Configuration > Network Configuration settings in the textual UI. For a Cloud VM deployment, if you save the Network Configuration in the textual UI, a known issue in this version may prevent you from accessing the textual UI.

Confirm the following network and IP settings are added to the rules of the security group or the firewall rules for each node in a cluster (for standalone there is just a single node). If they are not added to the rules, the installation may fail.

Port configurations
URLs

Check the following URLs to ensure Cortex XSOAR operates properly.

Function: Web interface
Service: HTTPS
Port: 443
Direction: Inbound

Function: Engine connectivity
Service: HTTPS
Port: 443 (configurable)
Direction: Inbound

Function: Integrations
Service and port: Integration-specific ports
Direction: Outbound

Function: Unit42 Intel Inventory (TIM license)
Service: https://unit42intel.xsoar.paloaltonetworks.com
Port: 443
Direction: Outbound

Function: Marketplace
Service:

  • https://marketplace.xsoar.paloaltonetworks.com/

    Download content packs and view the Marketplace (to view content pack images, the domain should also be reachable from the browser).

  • storage.googleapis.com

    Download content packs and view the Marketplace. This domain stores content pack artifacts (to view content pack images, the domain should also be reachable from the browser). It is possible to further limit the URL prefix to: https://storage.googleapis.com/marketplace-dist/

  • api.demisto.com

    Download content packs and view the Marketplace (this file maps the Marketplace URL to the Cortex XSOAR version).

    Note

    You must add marketplace.xsoar.paloaltonetworks.com, storage.googleapis.com, and api.demisto.com, otherwise you cannot access the Marketplace.

  • xsoar-contrib.pan.dev

    Contribute content packs.

Port: 443
Direction: Outbound

Function: On-prem Gateway
Service: onpremgw.crtx.[region].paloaltonetworks.com

Cortex XSOAR accesses new versions from and uploads licenses to this repository.

Port: 443
Direction: Outbound

Function: Download packages required for installation
Service:

  • deb.debian.org

  • security.debian.org

Port: 80
Direction: Outbound

Configure NTP servers to improve time synchronization accuracy and prevent degraded storage performance. These settings should be configured before installation but can also be updated after installation.

For VMs deployed on a Cloud platform such as AWS or OCI, skip NTP configuration (leave the default settings).

Tip

For optimal time synchronization, it is best practice to specify either a single NTP server or at least three servers. Configuring three or more servers enables establishing a quorum, which improves synchronization reliability and allows better detection and resolution of discrepancies between time sources.

  1. From the textual UI menu, select NTP Configuration.

  2. In the NTP Servers field, set the IP addresses of the NTP servers that the nodes will be synced with, separated by spaces. By default, the nodes get an out-of-the-box NTP server; you can override the value.

  3. Select Save.

When a proxy is configured in Cortex XSOAR, the system by default routes internal node-to-node communication and other internal traffic through that configured proxy. If you do not configure a proxy, the system uses standard network routing and DNS resolution.

If you want to use a proxy, define the proxy address and port settings. The proxy can be set at any point, during Cortex XSOAR deployment or at a later stage.

If you do not want to use a proxy, you must explicitly list the relevant internal IP addresses or FQDNs in the No Proxy field. You should then verify the internal DNS correctly resolves these addresses for direct connections.

  1. From the textual UI menu, select Proxy Configuration.

  2. Configure the following settings.

    • Proxy Protocol: Choose HTTP or HTTPS.

    • Proxy Address

    • Proxy Port

    • Proxy User: If using an authenticated proxy, enter the user name.

    • Proxy Password: If using an authenticated proxy, enter the password.

    • No Proxy

      Specify a comma-separated list of domains, IP addresses, or network ranges that should bypass the proxy.

      Example 1: Bypass the proxy for the following IPs and domain:

      • IP address: 1.1.1.1

      • domain: example.com

      • IP range: 10.0.0.0/8

      Set the No Proxy field to: 1.1.1.1,example.com,10.0.0.0/8

      Example 2: Bypass the proxy for the following MSSP IPs and domains:

      • Main tenant IP: 192.168.100.1

      • Main tenant FQDN: xsoarmain.svc.mydomain.com

      • Child tenant IP: 192.168.100.2

      • Child tenant FQDN: xsoarhost.svc.mydomain.com

      Set the No Proxy field to: 192.168.100.1,192.168.100.2,.svc.mydomain.com


  3. Select Save.
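
The following added example (not part of the product or of the original guide) checks, before you save, that a No Proxy value covers every internal IP and FQDN that must bypass the proxy, using the values from Example 2 above. The function names are hypothetical, and the matching rule for domains (an entry covers the name itself and its subdomains) is an assumption, since the guide does not state how entries are matched.

```python
import ipaddress

# Internal addresses from the page's Example 2 (MSSP main and child tenant).
EXAMPLE2_HOSTS = ["192.168.100.1", "xsoarmain.svc.mydomain.com",
                  "192.168.100.2", "xsoarhost.svc.mydomain.com"]

def parse_no_proxy(value):
    """Split a comma-separated No Proxy value into IP networks and domains."""
    networks, domains = [], []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        try:
            # A single IP becomes a /32 (or /128); a range keeps its prefix.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Not an IP or range: treat it as a domain, ignoring a leading dot.
            domains.append(entry.lower().lstrip("."))
    return networks, domains

def bypasses_proxy(host, networks, domains):
    """True if host (IP or FQDN) is covered by the parsed No Proxy entries."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        name = host.lower().rstrip(".")
        # Assumption: a domain entry matches the name itself and its subdomains.
        return any(name == d or name.endswith("." + d) for d in domains)
    return any(addr in net for net in networks)

def uncovered(hosts, no_proxy):
    """Return the hosts that would still be routed through the proxy."""
    networks, domains = parse_no_proxy(no_proxy)
    return [h for h in hosts if not bypasses_proxy(h, networks, domains)]

if __name__ == "__main__":
    good = "192.168.100.1,192.168.100.2,.svc.mydomain.com"   # from the page
    partial = "192.168.100.1,xsoarmain.svc.mydomain.com"     # constructed gap
    print("page value, uncovered:", uncovered(EXAMPLE2_HOSTS, good))
    print("partial value, uncovered:", uncovered(EXAMPLE2_HOSTS, partial))
```
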

This task is not relevant for a standalone deployment (single node).

For each VM (node) in a cluster, the nodes must have SSH connections between them, where all the nodes trust one another. To establish trusted connections in a cluster, one node is designated as the signing server host, generating a token for secure communication and authentication. Other nodes connect to the host using the token displayed on the host's screen.

The IPs of all VMs (nodes) in a cluster, as well as the virtual IP, must be on the same subnet. They currently cannot be split across subnets.

Important

To implement built-in High Availability, after establishing trust between all nodes in a cluster, in the cluster installation step (Task 7) you need to set a single entry point to distribute traffic across the nodes in the cluster. Do this by setting the Cluster FQDN to either the virtual IP address or to the reverse proxy/ingress controller IP address.

To configure backup and restore in your tenant, see Back up data.

  1. In the textual UI menu for the VM you want to be the host, select Connect Nodes.

  2. Select Host.

    A message displays that this action cancels prior trust established with other nodes. Select Yes to continue.

    This node becomes the host, and a token is generated on the screen. Copy the token, for example:

    Note

    Keep this window open (do not select Stop) until trust is established between all nodes to enable the host to listen for the token from the other nodes.

  3. In the textual UI for each additional node (VM) in the cluster:

    1. Select Connect Nodes.

    2. Select Join.

    3. Paste the Token generated for the host.

    4. Enter the Host IP Address.

    5. Select Submit.

    A message displays that this action cancels prior trust established with other nodes. Select Yes to continue.

  4. Select OK.

  5. After trust is established between all the nodes in the cluster, go back to the host node and select Stop to close the listening window.

Prerequisite

Ensure the following DNS records were added to your DNS server to resolve hostnames to the cluster IP address (only static, DHCP is not supported). These DNS records (for a given tenant) should all point to the same cluster IP address to ensure a single entry point. For MSSP, each tenant must have its own set of xsoar.*, api-*, and ext-* FQDNs pointing to the tenant cluster's single entry point.

  • xsoar.<hostname>.<domain>: The Cortex XSOAR DNS name for accessing the UI. For example, xsoar.mycompany.com.

  • api-<hostname>.<domain>: The Cortex XSOAR DNS name that is mapped for API access. For example, api-xsoar.mycompany.com. This should be a CNAME entry pointing to the same cluster IP address.

  • ext-<hostname>.<domain>: The Cortex XSOAR DNS name that is mapped to access long running integrations. For example, ext-xsoar.mycompany.com. This should be a CNAME entry pointing to the same cluster IP address.

  1. From the textual UI menu, select Cluster Installation.

    The virtual machine you use to run the installer will deploy Cortex XSOAR on all virtual machines in a cluster.

    For a single virtual machine (standalone), configure the settings for a single node.

  2. Configure the following settings.

    Important

    The IPs of all VMs (nodes) in a cluster must be on the same subnet. They currently cannot be split across subnets.

    You can only change these field values in the textual UI menu before installing. To change these values after installing, you need to redeploy your cluster and then reinstall. Contact support or engineering for assistance.

    Field: Cluster Nodes
    Description: A list of IPs of all virtual machines/nodes in the cluster, separated by a space. For example, 10.196.37.10 10.196.37.11 10.196.37.12

    Copy the IP of each VM from the Private IPv4 address in the OCI Instance information tab and paste it in this field, separated by a space.

    Field: Cluster FQDN
    Description: The Cortex XSOAR environment DNS name. For example, <subdomain>.<domain name>.<top level domain>

    Copy the FQDN from the Internal FQDN field in the OCI Instance information tab and paste it in this field.

    Note

    For a single node: This field value must be registered in your DNS server so the FQDN will be resolved to the IP of the node.

    Cortex XSOAR supports only static IP addresses for each virtual machine in the cluster. It does not support a DHCP (dynamic IP) network interface.

    Field: Installation Mode
    Description: The tenant installation type. Options to select from are:

    • Enterprise (for non-multi-tenant installation, including production and development tenants)

    • (Multi-Tenant) Parent Tenant

    • (Multi-Tenant) Child Tenant

    Field: Cluster Region
    Description: The region the cluster is located in. For example, US.

    Field: Cortex XSOAR Admin Email, Password, and Confirm Password
    Description: Credentials for the first user to log in to Cortex XSOAR.

    Note

    The password must be at least eight characters long and contain at least:

    • One lower case letter

    • One upper case letter

    • One number, or one of the following special characters: !@#%

    Field: Migration Mode
    Description: Relevant for migration from Cortex XSOAR 6. If checked, the migration wizard starts in the Cortex XSOAR 8 tenant. This cannot be changed at a later stage.

  3. Select Install.

    Verify all nodes meet the required hardware and network requirements, and select Install again.

    The virtual machine you use to run the installer will deploy Cortex XSOAR on all virtual machines in a cluster.
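
Because these values cannot be changed after installation, the following added example (not part of the product or of the original guide) checks them before you select Install: that every address in Cluster Nodes, plus the virtual IP, is in one subnet, and that the xsoar, api- and ext- DNS records all resolve to the single entry point. Function names, the subnet, the virtual IP and the DNS answers are assumptions constructed for the demonstration; the node IPs and host names are the guide's examples.

```python
import ipaddress
import socket

def outside_subnet(cluster_nodes, subnet, virtual_ip=None):
    """Return addresses from the space-separated Cluster Nodes value
    (plus the optional virtual IP) that are not inside subnet."""
    net = ipaddress.ip_network(subnet)
    addrs = cluster_nodes.split() + ([virtual_ip] if virtual_ip else [])
    return [a for a in addrs if ipaddress.ip_address(a) not in net]

def tenant_fqdns(ui_fqdn):
    """UI, API and long-running-integration names, following the guide's
    xsoar.mycompany.com / api-xsoar... / ext-xsoar... pattern."""
    return [ui_fqdn, "api-" + ui_fqdn, "ext-" + ui_fqdn]

def dns_problems(ui_fqdn, entry_ip, resolve=socket.gethostbyname):
    """Return {fqdn: reason} for records that do not resolve to entry_ip."""
    problems = {}
    for name in tenant_fqdns(ui_fqdn):
        try:
            got = resolve(name)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            problems[name] = f"does not resolve ({exc})"
            continue
        if got != entry_ip:
            problems[name] = f"resolves to {got}, expected {entry_ip}"
    return problems

def static_resolver(records):
    """Build a resolver from a constructed {fqdn: ip} table, for offline runs."""
    def resolve(name):
        if name not in records:
            raise socket.gaierror(f"no record for {name}")
        return records[name]
    return resolve

if __name__ == "__main__":
    # Node IPs are the guide's example; subnet, virtual IP and DNS answers
    # are constructed sample values.
    nodes = "10.196.37.10 10.196.37.11 10.196.37.12"
    print("outside subnet:", outside_subnet(nodes, "10.196.37.0/24", "10.196.38.5"))
    sample = static_resolver({"xsoar.mycompany.com": "10.196.37.100",
                              "api-xsoar.mycompany.com": "10.196.37.11"})
    for name, reason in dns_problems("xsoar.mycompany.com",
                                     "10.196.37.100", sample).items():
        print(name, reason)
```

Call dns_problems without the resolve argument to query the DNS server the workstation actually uses.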

After the installation tasks run, an Installation completed successfully message displays in the textual UI. However, you need to wait until the installation process fully completes (approximately 30 minutes) and then check that you can log in to Cortex XSOAR. You then need to upload your license to enable all Cortex XSOAR pages.

  1. Log in to Cortex XSOAR.

    When you log in for the first time, use the Admin password and email you set during installation.

  2. Upload your license to Cortex XSOAR.

    For more information, see Add the Cortex XSOAR license.