Step 3. Set up an engine

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.13
Creation date: 2026-02-12
Last date published: 2026-05-27
Category: Administrator Guide
Solution: On-prem

Abstract: Install engines on tenants in a Cortex XSOAR multi-tenant deployment. Configure firewall to allow communication between engine and tenant.

Engines created on child tenants use a different encryption handshake for each child tenant and connect back to the child tenant through the main tenant.

Note

This process is optional. Follow the steps if required.

  1. Download and install the engine.

    1. On the main tenant, go to Settings & Info → Settings → Integrations → Engines.

    2. Create New Engine.

    3. Select and download the appropriate installer file.

    4. Install the engine on the appropriate remote machine.

    For detailed engine installation instructions, see Install an engine.

  2. Propagate the engine to tenants.

    1. On the main tenant, go to Settings & Info → Settings → Integrations → Engines, and select the engine.

    2. Click Load-Balancing and Propagation.

    3. Assign one or more engine propagation labels.

      Note

      By default, engines do not have a propagation label. You must define a propagation label (such as all) in the engine to successfully sync it to a child tenant, unless you configured the system to auto-propagate everything.

    4. If you want to allow the use of the engine for tenant-specific integration instances, select Allow tenants to use this engine for custom integration instances.

      If you do not select this option, the engine can only be used with integration instances that were assigned to the engine on the main tenant level and were propagated to tenants.

      Note

      If an engine is shared among several tenants, the integration instances configured to work on that engine must have unique names across all the tenants. If they do not have unique names, subsequent instances will error out due to how the platform internally references each instance's Docker container.

    5. Go to Settings & Info → Settings → Tenant Management, and Sync your selected tenant(s).

  3. Verify that the engine is connected by going to Settings & Info → Settings → Integrations → Engines.

    Ensure that the engine machine can communicate with the main tenant. You can use Telnet or any similar tool to check that the engine has access to the main tenant before you install it. If there is a firewall, you may need to allow access from the machine that hosts the engine so that it can communicate back on port 443 (or any other port the main host may use), or set an ANY ANY rule.

    Important

    Avoid setting up integration instances, such as a Generic Webhook, in the Main tenant of a multi-tenant environment. This configuration is not supported because the Main tenant cannot fetch data. If you configure an instance in the Main tenant and set it to use an engine, the engine will not run and the required TCP port will not start.
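
The pre-install connectivity check from step 3, as an added example that is not part of the Cortex XSOAR documentation or product. Run from the machine that will host the engine, it separates a silently dropped connection (timeout) from a refused one and from a certificate problem, which shows whether a firewall rule for the engine host is what is missing. The function names are hypothetical, and TLS on the main tenant port is an assumption.

```python
import socket
import ssl
import sys

def probe_tcp(host, port=443, timeout=5.0):
    """Classify a TCP connect from this machine to host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:
        return "dns_failure", str(exc)
    except (socket.timeout, TimeoutError):
        # No answer at all: typical of a firewall silently dropping the SYN.
        return "timeout", "no reply within %.1fs" % timeout
    except ConnectionRefusedError:
        # Host answered with a reset: no listener, or a firewall rejecting.
        return "refused", "connection refused by %s:%d" % (host, port)
    except OSError as exc:
        return "unreachable", str(exc)
    sock.close()
    return "open", "%s:%d" % (host, port)

def probe_tls(host, port=443, timeout=5.0, cafile=None):
    """Certificate-verified TLS handshake. Assumes the tenant serves TLS on
    this port; pass cafile when the tenant certificate comes from a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls_ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        return "cert_untrusted", exc.verify_message
    except ssl.SSLError as exc:
        return "tls_error", str(exc)
    except OSError as exc:
        return "io_error", str(exc)

def preinstall_check(host, port=443, timeout=5.0, cafile=None):
    """TCP first; attempt TLS only if the port is actually open."""
    status, detail = probe_tcp(host, port, timeout)
    if status != "open":
        return status, detail
    return probe_tls(host, port, timeout, cafile)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: preinstall_check.py <main-tenant-host> [port]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    status, detail = preinstall_check(sys.argv[1], port)
    print(status, detail)
    sys.exit(0 if status == "tls_ok" else 1)
```

A `timeout` or `refused` result identifies the exact source host, destination and port that a firewall rule has to cover.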