Episode Transcript:
John:
Hello, and welcome back to PANCast. In today's episode, we will be talking about Broker VM capabilities and how it is implemented in Cortex XDR. We have a special guest today, Pooja, who will share more on this topic.
Before we get started, Pooja, could you tell us more about yourself?
Pooja Agrawal is the Team Lead for the Cortex support team, covering both Cortex XDR and Cortex XSOAR. She has a strong technical background and is passionate about sharing her knowledge and supporting and enabling people for self-help.
Pooja:
Sure. Thanks John!
Hello everyone! My name is Pooja and I am currently working as a Team Lead for the Cortex Team. Today I am really excited to share Broker VM (BVM) capabilities with you in this episode of PANCast.
John:
Thank you Pooja. Could you share with us the Broker VM capabilities?
Introduction to BVM
Pooja:
Yeah. Let me begin by introducing you to Broker VM.
The Palo Alto Networks Broker is a secure virtual machine (VM) that is integrated with Cortex XDR and serves as a link between your network and Cortex XDR. By configuring the Broker, you create a secure connection through which you can route your endpoints, as well as collect and forward logs and files for analysis.
The Broker can be used to run multiple services on the VM using the same Palo Alto Networks authentication.
Once installed, the Broker receives automatic updates and enhancements from Cortex XDR, providing you with new capabilities without your intervention.
John:
This sounds great Pooja, so how do we set this up?
Broker VM Setup
Pooja:
That is a good question. To set up the Broker virtual machine (VM), you need to deploy an image created by Palo Alto Networks on your network or supported cloud infrastructure and activate the available applications.
Additionally, to support larger environments, you can also set up multiple Broker VMs for the same tenant.
John:
Is it a complicated process?
Pooja:
Not at all. Well, setup can be done in an instant. Setting up the Broker VM is extremely simple.
After installing a Broker VM image on the supported platform, you can simply generate a token and register it in the Cortex XDR console. Registration of the Broker VM can take up to 30 seconds.
After a successful registration, Cortex XDR displays a notification.
Following that, you can configure your Broker VM's settings, such as IP address, gateway, subnet mask, DNS and NTP server, and so on.
You can also configure a proxy and use your own Broker VM certificate as the server certificate for endpoints. Voila! You are now ready to begin using Broker VM.
John:
It certainly does sound easy. Can you tell us more about the Broker VM components?
Broker VM Components
Pooja:
Absolutely! Let me tell you about various BVM components that can be configured based on your needs.
The first component is Local Agent Settings. You can configure the Broker VM to act as a proxy that routes all traffic between the Cortex XDR management server and XDR agents via a centralized and controlled access point, which is useful when deploying Cortex XDR in restricted networks where endpoints do not have a direct internet connection. This allows your agents to receive security policy updates and send logs and files to Cortex XDR without needing to connect to the internet.
On Broker VM, you can also enable caching. You might wonder what is the point of caching? Well, you can cache XDR agent installations, upgrades, and content updates on your BVM to reduce external network bandwidth load. Every 15 minutes, the Broker VM retrieves the latest installers and content files from Cortex XDR and stores them for a 30-day retention period since an agent last requested them. If the files were not available on the Broker VM when the request was made, the agent downloads them directly from the Cortex XDR server.
The Syslog collector is next on the list. Yes, you heard that correctly.
You can set up the Syslog Collector applet on a Broker VM in your network to receive Syslog data from an external source.
An important point to note here is: ingesting logs and data from external sources requires a Cortex XDR Pro per TB license.
Isn't that a plethora of features? This, however, is not it. There are many more features.
Broker VM can also be configured as a CSV collector, Files and Folder collector, FTP collector, or NetFlow collector. Is that a little too much? Well, we are still left with a couple of important features.
Did you know you can choose to activate the Network Mapper? The Network Mapper allows you to scan your network to detect and identify unmanaged hosts in your environment according to a defined IP address range.
Pathfinder is a highly recommended, but optional component integrated with the Broker VM that deploys a non-persistent data collector on network hosts, servers, and workstations that are not managed by a Cortex XDR agent. And when an alert is triggered, the data collector is able to run for up to 2 weeks gathering EDR data from unmanaged hosts. You can track and manage the collector directly from the Cortex console, and investigate the EDR data by running a query from the Query Center.
And, last but not least, you can also activate the Windows Event Collector feature on Broker VM.
To enable the collection of the event logs, you need to configure and establish trust between the Windows Event Forwarding (WEF) and the Windows Events Collector (WEC). Establishing trust between the WEFs and the WEC is achieved by mutual authentication over TLS using server and client certificates.
John:
These are good use cases Pooja. I hope our PANCasters can take advantage of these capabilities. Could you please summarize what are our takeaways from this episode?
Pooja:
Yeah. To summarize, Broker VM can be used as:
- Local Agent
- Syslog Collector
- Apache Kafka Collector
- CSV Collector
- Database collector
- Files and folder collector
- Netflow collector
- Network mapper
- Pathfinder
- Windows Event Collector
You can choose and decide based on your requirements.
John:
Thank you, Pooja, for your insights on Broker VM. We hope our PANCasters will be able to leverage these features. You can find the episode’s transcript and a ton of in-depth articles on this topic on live.paloaltonetworks.com under PANCast.
Pooja:
Thank you for having me, and I hope to join you on another episode of PANCast.
John:
PANCasters, if you have topics you need us to cover, please send in your feedback through the Ideas Submission page on LIVEcommunity, and we’ll be happy to review them.
Until next time. Bye!
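The Windows Event Collector section above describes trust between the forwarding hosts (WEF) and the collector (WEC) as mutual TLS with server and client certificates, but does not show what that looks like on a source host. The following is an added example, not code from the episode or from Palo Alto Networks, showing the source-side half of that setup: it uses the standard Windows source-initiated subscription mechanism (WinRM plus the SubscriptionManager policy value that Group Policy's "Configure target Subscription Manager" setting writes), with IssuerCA pinning the CA that both the collector's server certificate and this host's client certificate chain to. The collector hostname, port, CA thumbprint and client certificate subject are placeholders; the Broker VM's actual WEC endpoint and port come from your Broker VM configuration, not from this example.

```powershell
# Added example (not from the PANCast episode or Palo Alto Networks documentation).
# Run in an elevated PowerShell session on a Windows host that should forward events
# to the Broker VM's Windows Event Collector over mutually authenticated TLS.
# Everything below is an assumption to adjust for your environment:
$WecHost           = "bvm-wec.example.internal"   # assumed FQDN of the Broker VM; must match the name in its server certificate
$WecPort           = 5986                          # assumed port; use the WEC port your Broker VM is configured with
$IssuerCaThumb     = "0123456789ABCDEF0123456789ABCDEF01234567"   # assumed thumbprint of the CA that issued both certificates
$ClientCertSubject = "CN=$env:COMPUTERNAME.example.internal"       # assumed subject of this host's client certificate

# 1. WinRM carries WS-Management event forwarding; quickconfig starts the service,
#    creates the default listener and opens the firewall rule.
winrm quickconfig -q

# 2. The forwarding plugin runs as NETWORK SERVICE, which cannot read the Security log
#    by default. Event Log Readers membership grants that read access.
Add-LocalGroupMember -Group "Event Log Readers" -Member "NT AUTHORITY\NETWORK SERVICE" -ErrorAction SilentlyContinue

# 3. Locate the client certificate in the machine store and verify it chains to the
#    pinned CA, so the collector's IssuerCA check and ours agree on the same trust root.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $ClientCertSubject -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No client certificate with subject '$ClientCertSubject' and a private key in LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null = $chain.Build($cert)
$issuerThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
if ($issuerThumb -ne $IssuerCaThumb) {
    throw "Client certificate chains to $issuerThumb, not to the pinned IssuerCA $IssuerCaThumb"
}

# 4. NETWORK SERVICE must be able to read the client certificate's private key,
#    otherwise TLS client authentication fails and forwarding never starts.
#    This path assumes a CAPI RSA key (the usual case for machine certificates from an AD CS template).
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
icacls $keyPath /grant "NT AUTHORITY\NETWORK SERVICE:(R)" | Out-Null

# 5. Point the host at the collector. This is the registry value behind the Group Policy
#    setting "Configure target Subscription Manager"; in production set it via GPO so it
#    is enforced fleet-wide rather than per host. IssuerCA is what makes the connection
#    certificate-authenticated instead of Kerberos-authenticated.
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
$null = New-Item -Path $regPath -Force
$target = "Server=https://${WecHost}:${WecPort}/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA=$IssuerCaThumb"
$null = New-ItemProperty -Path $regPath -Name "1" -Value $target -PropertyType String -Force

# 6. Restart WinRM to pick up the policy, then check the forwarding plugin's own log:
#    subscription retrieval successes and TLS/certificate failures are recorded here.
Restart-Service WinRM
Get-WinEvent -LogName "Microsoft-Windows-Eventlog-ForwardingPlugin/Operational" -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

The check worth keeping from this example is step 3: if the client certificate does not chain to the same CA whose thumbprint you pin in IssuerCA, the host will appear configured but the collector will reject the TLS handshake, and the only evidence is in the ForwardingPlugin/Operational log read in step 6. Use the Broker VM's own server certificate (or the one you upload, as mentioned in the setup section) when deciding which CA thumbprint to pin.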
Check out the full PANCast YouTube playlist: PANCast: Insights for Your Cybersecurity Journey.