06-10-2021 10:18 AM
Dear Palo Alto Community Members,
I hope you will be able to help me out or point me in the correct direction.
I'm struggling to find appropriate information about the operations for a cortex agent which will not be connected to the internet and will never be able to communicate with the cloud (Cortex XDR).
In my customer scenario, the machine is not and will never be connected to the internet. Therefore the agent will never be able to connect to Cortex XDR, not even during/right after installation.
While we could find a way to use the Content.zip which is available for download from the PA support portal alongside the installer itself, we are not sure about a way to export policies from Cortex XDR to feed them manually into the “offline” agent.
We are also not sure about the license considerations, and the only piece of information I have found was informed that after 30 days when the endpoint has not communicated with Cortex Console we should see 'Connection Lost' notification.
But I doubt it could actually be even something we will see in our scenario, as the agent will never communicate with the console.
After some digging through the documentation we've come across information about the Cytool which might help to import/export the policies (for Windows and Linux machines).
As I understand, in theory, I could import the policies from one agent and then export them to another one, is that correct?
Unfortunately, I do not have any options to test it and I'm wondering if anyone had a chance to do it already, or maybe had some experience with a similar scenario and could share some thoughts?
I will really appreciate some help on this one.
Thank you in advance!
06-16-2021 03:03 AM
Dear all,
In case if anyone will need this info in the future:
We've checked this with the Palo Alto Support and it turned out that, The XDR does not support the fully offline environment.
The XDR requires network communication for the agent management purpose: Cortex XDR for windows - requirements
The Agent installation option for the Content Update package is to reduce the network bandwidth for the initial Agent installation. But the agent must be able to connect to the XDR Cloud for the registration, license allocation, Policy Rule's acquirement and etc. Therefore, the XDR does not support the fully closed network environment.
But we still have some options, and might try reaching out to our SE and ask for deployment options or Palo Alto's account team to submit a New Feature Request (NFR).
Hope this info helps those who seek an answer to the same question 😉
Have a great one!
06-12-2021 11:04 AM
Hello Adamski.
You can use proxy communication for Cortex XDR agents to connecting Cortex XDR app. For that you must install Cortex Broker VM (about Broker VM). After installation enable Agent proxy settings.
06-15-2021 05:33 AM
Hello Orkan,
Thank you for your input, but since the goal is offline operation, a proxy solution does not meet the customer requirements for this scenario.
I assume I will need to ask Palo Alto Support to advise on that matter further.
I wish you a great day!
Cheers,
06-16-2021 03:03 AM
Dear all,
In case if anyone will need this info in the future:
We've checked this with the Palo Alto Support and it turned out that, The XDR does not support the fully offline environment.
The XDR requires network communication for the agent management purpose: Cortex XDR for windows - requirements
The Agent installation option for the Content Update package is to reduce the network bandwidth for the initial Agent installation. But the agent must be able to connect to the XDR Cloud for the registration, license allocation, Policy Rule's acquirement and etc. Therefore, the XDR does not support the fully closed network environment.
But we still have some options, and might try reaching out to our SE and ask for deployment options or Palo Alto's account team to submit a New Feature Request (NFR).
Hope this info helps those who seek an answer to the same question 😉
Have a great one!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
