Cortex XDR Pathfinder


L2 Linker

I don't really understand the logic behind Pathfinder. I installed the Broker VM and configured Pathfinder, but I cannot see anything in the Pathfinder Collection Center. I cannot find answers to my questions in the documentation. Can anybody please explain Pathfinder?


L3 Networker

Hi @OrkanAlibayli,

To be able to use Pathfinder, you first need to have a Cortex XDR Pro per TB license and have your PAN NGFW send logs to Cortex Data Lake. Also, Pathfinder is only able to gather information from Windows endpoints.

Do you have the above requirements? Please also follow this article for Pathfinder: Activate Pathfinder (paloaltonetworks.com)

Hi @fmoixsante. Thanks for your answer.

We have a Cortex XDR Pro per TB license, and I also followed Activate Pathfinder.

But our NGFW doesn't send logs to Cortex Data Lake.

My questions are these:

  •   When does Pathfinder begin gathering information from Windows endpoints?
  •   How does Pathfinder gather this information without any agent?

Thanks!

Hi @OrkanAlibayli,

You need to send your PAN NGFW logs to CDL so that whenever Analytics gets triggered, Pathfinder will then try to gather information from the involved endpoint(s).

L2 Linker

This Pathfinder thing has been a real pain. I was told via a support ticket that to identify devices without XDR on them I needed to:

  •   Install Broker VM
  •   Install Network Mapper
  •   Install Pathfinder

I was told when Network Mapper does a scan it will identify devices and then Pathfinder will run its script on them.

This business of NGFW logs seems irrelevant. Although, we do send all of our PAN logs to the Cortex lake.

Since installing Pathfinder, I have not seen any activity in the Collection Center. In fact, I purposely placed a Windows 10 device without XDR on it on the same network range Network Mapper scans, and Pathfinder isn't doing a thing. When I look at the Pathfinder logs, all I see are my "tests".

What is the point of Network Mapper if it doesn't pass on new devices to the Asset Manager?

What is the point of Pathfinder if no alerts are sent for it to interrogate?

Where is the Palo Alto documentation on these items that we paid for? All there is are install guides less than a page long.

I am tired of opening tickets and getting support people who clearly know nothing about this.

Yes, I am aware the new Cortex has what appears to be a peer-to-peer agent scan-for-devices process. Let's just say I don't want to use that method. For one, the documentation says it will discover MAC and platform only; I want the name of the unprotected device. Perhaps the doc is wrong, but I still want to know, after spending all this time setting up these services, why they are not working.

L1 Bithead

Is there any reply to ESJosephPrinz? The frustration is real. 

L5 Sessionator

Hi @ESJosephPrinz, as @fmoixsante mentioned, Pathfinder will only trigger a deployment of a dissolvable agent on the target endpoint(s) which do not have Cortex XDR when an Analytics event of High/Medium severity is triggered.
The POC that you performed does not mention whether the prerequisites specified in the documentation are met.

Have you had a conversation with your Customer Success team or account representatives to get further clarity on this over a call/demo, as it is more interactive than a forum? I am sure all of these questions can be addressed with proper context.

Ref: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Activate-Pa...

L1 Bithead

Hey,

My name is Mickey, I'm with the Technical Marketing Engineering team at Palo Alto Networks.

I am looking into this thread and trying to activate Pathfinder on my end, and I would like to go on a session with the customer here.

Can you send me an email please so we can schedule?

mabutbul@paloaltonetworks.com

@ESJosephPrinz @OrkanAlibayli

Thanks
