topic Re: Cortex XDR Broker VM Down in Cortex XDR Discussions

Cortex XDR Broker VM Down

RameshShrestha — Thu, 16 Jun 2022 10:14:16 GMT

Hi,

I was looking for an answer in a scenario where only 1 broker VM is available.

What happens when the VM goes down. How does the end point connect to XDR console and how can we get the visibility when VM goes down for long period.

Re: Cortex XDR Broker VM Down

bbarmanroy — Fri, 17 Jun 2022 02:20:16 GMT

Hi @RameshShrestha having a single Broker VM is not a recommended approach. The official guide indicates 1 Broker VM per 10,000 endpoints. Given that, we also need to keep in mind HA, which is to have minimum of 1 on top of the recommendation to ensure your endpoints continue to operate as usual. You can review the other options for download sources as listed in Step 14 here.

If Direct Server Access is enabled in your tenant, the agents will fallback to connecting directly to the tenant via host proxy configurations.

For your second question, I'd recommend you to leverage your exisitng infrastructure monitoring tools to detect when the BVM IP/domain/landing page is unreachable and trigger an alert.

Re: Cortex XDR Broker VM Down

RameshShrestha — Fri, 17 Jun 2022 03:41:49 GMT

Hi Bbarmanroy,

One of our clients has only around 200 endpoints that don't have direct internet access and have only 1 VM. Those endpoints need Broker VM to access to Cortex Server. So in that case, if the VM goes down for some days, can we get the logs of activities of endpoints after VM comes online?

Re: Cortex XDR Broker VM Down

bbarmanroy — Fri, 17 Jun 2022 09:26:34 GMT

Hi @RameshShrestha yes, the customer will get the logs once connectivity is resumed (assuming the alloted disk space is not full, else FIFO). Since this is an airgapped environment, the customer should have at least 2 BVM's to ensure the connectivity is maintained. You can also write a Correlation rule to count the number of endpoints that have gone offline. If the count is equal to the total number of endpoints, that should fire off an alert.

You can use this as a sample XQL query:
dataset = endpoints
| filter endpoint_status = ENUM.DISCONNECTED
| comp count(endpoint_name ) as Count by endpoint_status
| filter Count =200 // indicates all endpoints are offline

Re: Cortex XDR Broker VM Down

RameshShrestha — Fri, 17 Jun 2022 09:40:52 GMT

thank you @bbarmanroy 😊

Re: Cortex XDR Broker VM Down

jcandelaria — Fri, 17 Jun 2022 15:27:55 GMT

additional info on broker VM losing connectivity.