06-29-2023 10:43 PM
We have configured the Check Point firewall version (R81.10), but it is not supported for native log ingestion. However, we have checked the official Palo Alto documentation for this link: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Ingest-Logs....
- It states that log ingestion and data require a Cortex XDR Pro per GB license.
- We have purchased a TB license.
- I will need to confirm whether it is possible to ingest CEF logs from Check Point software version R81.10.
07-05-2023 12:36 AM
Hi @Vinothkumar_SBA ,
The short answer is - Yes, you can ingest Check Point logs to XDR with XDR Pro per TB license.
Palo Alto are making some changes to Cortex XDR licenses and "per TB" will be replaced with "per GB". The difference is that per TB was measuring the ingested data for a month, while the new license "per GB" will measure daily.
What this means is that you previously purchased a license for the amount of TB you expect to ingest monthly; from now on you will purchase a license for the amount of GB you expect to ingest daily.
"per TB" should be automatically migrated to "per GB", but it will continue to serve the exact same purpose. It looks like in some of the XDR documentation they have already replaced the TB with GB.
This information should have already been provided to you over the email you are using for the Palo Alto Customer Support Portal. If not, you may want to reach out to your sales engineer or account manager for more details.
07-05-2023 01:57 AM
Thank you for your support! We have one more query. Could you kindly confirm the log retention period for all the forwarded logs to the XDR cloud?
07-05-2023 06:20 AM
Hi @Vinothkumar_SBA ,
There is no change for the retention after license migration from "per TB" to "per GB".
As explained here - https://live.paloaltonetworks.com/t5/general-topics/cortex-xdr-firewall-configuration-query/td-p/547... "per GB/TB" licenses are ingestion only, meaning they don't affect the retention period.
Which means you should have (by default) 30 days of hot retention for ingested data and 180 days of hot retention for alerts and incidents (created by XDR). If you need to extend that, you need to order license add-ons, details for which you can see in the link above.