FAQs for Cortex XSOAR 8 on-prem
General
Cortex XSOAR on-prem is now GA. The release does not support:
Migration
Migration from Cortex XSOAR 6 on-prem for Enterprise customers to Cortex XSOAR 8 on-prem is planned for Q3 2025.
Enterprise air-gapped environments
Installation
Cortex XSOAR 8 on-prem is delivered as a virtual appliance on a K8s cluster, available in VHD and OVA formats (MS Hyper-V and VMware hypervisors). We are planning additional formats to be released during 2024 and beyond.
The Cortex XSOAR tenant has specific minimum VM hardware requirements depending on the scale. For more information, see Hardware requirements.
Cortex XSOAR 8 on-prem does not share the same architecture and data structure as Cortex XSOAR 6. Moving between the versions requires migration and not an upgrade. For the migration process, which will be available at the end of Q1 2025, XSOAR 6 and XSOAR 8 will need to be up and running simultaneously, requiring more hardware resources. In addition, Cortex XSOAR 8 will be delivered as a virtual appliance and cannot be connected to external DBs.
No. As part of the virtual appliance, users will not have access to the k8s level.
The short answer is no. The Cortex XSOAR On-prem image-based appliance already includes a Kubernetes cluster, so it is meant to be deployed as a whole.
Using a 3-node cluster replicates the data between nodes. The Cortex XSOAR high availability solution requires at least three nodes.
You can choose between a standalone and a cluster, but you can't change between deployments. This is not yet available and will come later (no ETA).
Yes, both actions involve downtime of Cortex XSOAR (both standalone and cluster).
For a cluster of three or more nodes, the system can tolerate only one node failing. It does not matter which one fails.
We recommend deploying all nodes in a single data center.
Two clusters cannot be connected across data centers. They are deployed separately with no shared resources. You can perform backup and recovery by connecting both clusters to the same external storage (for example, an NFS server).
No, currently all cluster nodes must be on the same subnet.
This connection is used for the following:
Marketplace
Telemetry
Upgrade content packs
The textual UI (TUI), accessed via the Admin user, provides a comprehensive interface for performing all required installation and maintenance tasks for Cortex XSOAR on-prem.
To access the TUI, open an external terminal and use the ssh admin@<server ip address> command to log in over SSH.
The textual UI menu opens with all the configuration and installation options.
SSH access
Yes, you can SSH into the backend hosts.
For example, to log in over SSH as the Admin user, open an external terminal and use the ssh admin@<server ip address> command.
The textual UI menu opens with all the configuration and installation options.
Admin user: Use the Admin user with the initial password set during installation to access the textual UI (TUI).
Viewer user: Use the viewer user (same password as the Admin user) to access a limited CLI for tasks like downloading log bundles. The viewer user provides a secure way to retrieve log files without full administrator access, ensuring minimal exposure of the system's backend while supporting troubleshooting tasks.
High Availability
For a single data center, Cortex XSOAR is deployed with HA out-of-the-box. Cortex XSOAR on-prem currently supports an HA solution for a use case of node failure, in which the system experiences downtime and then restores automatically.
For cross-data centers, Cortex XSOAR provides the backup and restore solution, where you can periodically back up your production Cortex XSOAR environment on a standby cluster in a secondary data center. When the primary data center is down, you can restore the Cortex XSOAR environment from the backup. To reduce failover time, the secondary environment should be maintained with the same Cortex XSOAR version as production.
If a node goes down, workloads on the failed node are automatically distributed to the other nodes. There may be several minutes of downtime until the other nodes take over and the pods get moved to other nodes.
Backup and restore
With backup and restore, you can periodically back up your production Cortex XSOAR environment on a standby cluster in a secondary data center. When the primary data center is down, you can restore the Cortex XSOAR environment from the backup.
Backup and restore functionality is implemented in the Cortex XSOAR tenant. For more information, see Set up backup and restore in Cortex XSOAR.
Backup will not require downtime. Restore will involve downtime.
Engines
The engines connect to Cortex XSOAR On-prem directly and not through the cloud.
Remote Repositories
No. Each one is being managed as a separate tenant and does not need to match.
In the development tenant, we do not impose user licensing restrictions. Users can log in above their licensed user limit.
Troubleshooting
If the textual UI is not open, launch the web console from your VM or log in over SSH from an external terminal as a viewer user.
In the textual UI menu, select Log Bundle.
Use scp/sftp to download the log bundle to your home directory.
For more information, see Access logs and log bundles.
The System Diagnostics page in Cortex XSOAR 8 On-prem provides visibility on Cortex XSOAR cluster health and enables downloading log bundles. We don't yet have API support.