Cortex XDR protects data center endpoints such as servers and VMs against malware and exploits on the endpoint itself, while the next-generation firewall protects against threats that cross the network (and therefore must traverse the firewall) to reach the endpoint. When malware or exploits are already on an endpoint or get onto an endpoint, if the endpoint executes the threat (for example, through an .exe or .dll file), the firewall doesn’t see the threat because the action is on the endpoint and no traffic crosses the firewall, so there’s nothing for the firewall to see. However, on each endpoint, the Cortex XDR agent sees threats in executables, macros in documents, dynamic-link library files, and more. When these threats attempt to run, Cortex XDR goes into action on the endpoint itself and protects the endpoint.

Cortex XDR and the next-generation firewall provide a double layer of protection to data center endpoints so that the firewall protects endpoints from threats on the network while Cortex XDR monitors and protects endpoints against threats that reside on the endpoint. The security policy you configure for endpoints on an Endpoint Security Manager (ESM) and the security policy you configure on Panorama or on the firewall don’t conflict because they govern different events at different locations. Cortex XDR controls security within each individual endpoint. The firewall controls security of traffic that traverses the firewall.

Install the Cortex XDR agent on every data center endpoint. The best practices for Cortex XDR in the data center are the same as the best practices for Cortex XDR on any endpoint because the context for Cortex XDR is always the endpoint itself, so the context “in the data center” or “in a user group” doesn’t matter—Cortex XDR protects all endpoints the same way. So the recommended Cortex XDR deployment process, the malware protection policy deployment process, etc., are the same for the data center as for any other area of the network.