Cortex XDR Firewall configuration query.

L3 Networker

We have configured the Check Point firewall version (R81.10), but it is not supported for native log ingestion. However, we have checked the official Palo Alto documentation for this link: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Ingest-Logs....

- It states that log ingestion and data require a Cortex XDR Pro per GB license.
- We have purchased a TB license.
- I will need to confirm whether it is possible to ingest CEF logs from Check Point software version R81.10.

Accepted Solutions

Hi @Vinothkumar_SBA ,

The short answer is - Yes, you can ingest Check Point logs to XDR with an XDR Pro per TB license.

Palo Alto is making some changes to Cortex XDR licenses, and "per TB" will be replaced with "per GB". The difference is that per TB was measuring the ingested data for a month, while the new "per GB" license will measure daily.

What this means is that you previously purchased a license for the amount of TB you expect to ingest monthly; from now on you will purchase a license for the amount of GB you expect to ingest daily.

"per TB" should be automatically migrated to "per GB", but it will continue to serve the exact same purpose. It looks like in some of the XDR documentation they have already replaced TB with GB.

This information should have already been provided to you over the email you are using for the Palo Alto Customer Support Portal. If not, you may want to reach out to your sales engineer or account manager for more details.

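The reply above explains that the old per-TB entitlement was metered per month while the new per-GB one is metered per day. The following Python script is an added illustration, not code from the reply's author or from Palo Alto Networks: it sizes a daily per-GB figure from a sample of forwarded CEF lines and an expected event rate, and expresses an existing monthly per-TB figure in the new daily unit. The CEF sample lines are constructed, and the conversion assumes a 30-day month and decimal units (1 TB = 1000 GB). The page does not state how Palo Alto Networks meters ingested bytes, so `estimate_daily_gb` approximates volume by raw syslog payload size, and the 20% headroom in `license_fits` is a sizing convention assumed here.

```python
"""Size a daily per-GB Cortex XDR ingestion entitlement from sample CEF lines.

Added illustration only; not code from the thread or from Palo Alto Networks.
Assumptions (not stated on the page): a 30-day month and 1 TB = 1000 GB when
converting a monthly per-TB figure to daily GB, and ingested volume measured
as the raw UTF-8 syslog payload of each event plus its trailing newline.
"""

# Fixed CEF header: Version|Device Vendor|Device Product|Device Version|
# Signature ID|Name|Severity, followed by the extension.
CEF_HEADER_FIELDS = 7


def parse_cef_header(line):
    """Return the seven CEF header fields if `line` is a well-formed CEF
    record, otherwise None.  Escaped pipes inside header values are not
    handled; for volume estimation that is an acceptable simplification."""
    if not line.startswith("CEF:"):
        return None
    parts = line.split("|", CEF_HEADER_FIELDS)
    if len(parts) != CEF_HEADER_FIELDS + 1:
        return None
    return parts[:CEF_HEADER_FIELDS]


def estimate_daily_gb(sample_lines, events_per_second):
    """Estimate daily ingestion in decimal GB.

    Only well-formed CEF lines count, so malformed lines in the sample do
    not skew the average.  Each event is charged its UTF-8 length plus one
    byte for the newline the syslog forwarder appends.
    """
    valid = [ln for ln in sample_lines if parse_cef_header(ln) is not None]
    if not valid:
        raise ValueError("no well-formed CEF lines in sample")
    avg_bytes = sum(len(ln.encode("utf-8")) + 1 for ln in valid) / len(valid)
    return avg_bytes * events_per_second * 86_400 / 1e9


def monthly_tb_to_daily_gb(tb_per_month, days_per_month=30):
    """Express a monthly per-TB entitlement as the daily per-GB equivalent."""
    return tb_per_month * 1000 / days_per_month


def license_fits(daily_gb_needed, daily_gb_licensed, headroom=1.2):
    """True if the entitlement covers the estimate plus a burst headroom
    factor (20% by default; an assumed sizing convention)."""
    return daily_gb_needed * headroom <= daily_gb_licensed


# Constructed sample lines in CEF shape; not real Check Point output.
SAMPLE_CEF = [
    "CEF:0|Check Point|Firewall|R81.10|Accept|Accept|1|src=10.1.2.3 dst=198.51.100.7 proto=tcp dpt=443 act=Accept",
    "CEF:0|Check Point|Firewall|R81.10|Drop|Drop|5|src=203.0.113.9 dst=10.1.2.3 proto=tcp dpt=22 act=Drop",
    "<134>Oct 1 12:00:00 fw1 not-cef: this line must be ignored",
]


def sizing_report(sample_lines, events_per_second, tb_per_month):
    """Compare an estimated daily volume with a migrated monthly entitlement."""
    needed = estimate_daily_gb(sample_lines, events_per_second)
    licensed = monthly_tb_to_daily_gb(tb_per_month)
    return {
        "daily_gb_needed": round(needed, 2),
        "daily_gb_licensed": round(licensed, 2),
        "fits": license_fits(needed, licensed),
    }


if __name__ == "__main__":
    # e.g. 2,000 events/s against a 6 TB/month entitlement (200 GB/day)
    print(sizing_report(SAMPLE_CEF, 2000, 6))
```

Feed `estimate_daily_gb` a few thousand real lines captured from the forwarder rather than the constructed sample, and take the event rate from the firewall's own log statistics; the malformed-line filter matters because a misconfigured forwarder can emit plain syslog that would otherwise distort the per-event average.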
Thank you for your support! We have one more query. Could you kindly confirm the log retention period for all the forwarded logs to the XDR cloud?

Hi @Vinothkumar_SBA ,

There is no change to the retention after the license migration from "per TB" to "per GB".

As explained here - https://live.paloaltonetworks.com/t5/general-topics/cortex-xdr-firewall-configuration-query/td-p/547... "per GB/TB" licenses are ingestion only, meaning they don't affect the retention period.

Which means you should have (by default) 30 days of hot retention for ingested data and 180 days of hot retention for alerts and incidents (created by XDR). If you need to extend that, you need to order license add-ons, details of which you can see in the link above.
