topic Re: Cortex XDR Firewall configuration query. in General Topics

Cortex XDR Firewall configuration query.

Vinothkumar_SBA — Fri, 30 Jun 2023 05:43:28 GMT

We have configured the Check Point firewall version (R81.10), but it is not supported for native log ingestion. However, we have checked the official Palo Alto documentation for this link: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Ingest-Logs....

-It states that log ingestion and data require a Cortex XDR Pro per GB license.

-We have purchased a TB license.

-I will need to confirm whether it is possible to ingest CEF logs from Check Point software version R81.10.

Re: Cortex XDR Firewall configuration query.

aleksandar.astardzhiev — Wed, 05 Jul 2023 07:36:02 GMT

Hi @Vinothkumar_SBA ,

The short answer is - Yes, you can ingest Check Point logs to XDR with XDR Pro per TB license.

Palo Alto are making some changes to Cortex XDR licenses and "per TB" will be replaced with "per GB". The difference is that per TB was measuring the ingested data for a month, while the new license "per GB" will measure daily.

What this means is that you previously purchased license for the amount of TB you expect to ingest montly, from now on you will purchase license for the amount of GB you expect to ingest daily.

"per TB" should be automatically migrated to "per GB", but it will continue to serve exact same purpose. It looks like in some of the XDR documentation they have already replace the TB with GB.

This information should have already be provide to you over the email you are using for Palo Alto Customer Support Portal. If not you may want to reach to your sale engineer or account manager for more details.

Re: Cortex XDR Firewall configuration query.

Vinothkumar_SBA — Wed, 05 Jul 2023 08:57:28 GMT

Thank you for your support! We have one more query. Could you kindly confirm the log retention period for all the forwarded logs to the XDR cloud?

Re: Cortex XDR Firewall configuration query.

aleksandar.astardzhiev — Wed, 05 Jul 2023 13:20:22 GMT

Hi @Vinothkumar_SBA ,

There is no change for the retention after license migration from "per TB" to "per GB".

As explained here - https://live.paloaltonetworks.com/t5/general-topics/cortex-xdr-firewall-configuration-query/td-p/547833 "per GB/TB" license are ingestion only, meaning they don't effect retention periond.

Which means you should have (by default) 30days of hot retention for ingested data and 180 days of hot retention for alerts and incidents (created by XDR). If you need extend that you need to order license add-ons, details for which you can see in the link above.