Cortex XDR Agent protects data center endpoints such as servers and VMs against malware and exploits on the endpoint itself, while the next-generation firewall protects against threats that cross the network (and therefore must traverse the firewall) to reach the endpoint. When malware or exploits are already on an endpoint or get onto an endpoint, if the endpoint executes the threat (for example, through an .exe or .dll file), the firewall doesn’t see the threat because the action is on the endpoint and no traffic crosses the firewall, so there’s nothing for the firewall to see. However, on each endpoint, Cortex XDR Agent sees threats in executables, macros in documents, dynamic-link library files, and more. When these threats attempt to run, Traps goes into action on the endpoint itself and protects the endpoint.

Cortex XDR Agent and the next-generation firewall provide a double layer of protection to data center endpoints so that the firewall protects endpoints from threats on the network while Cortex XDR Agent monitors and protects endpoints against threats that reside on the endpoint. The security policy you configure for endpoints on an Endpoint Security Manager (ESM) and the security policy you configure on Panorama or on the firewall don’t conflict because they govern different events at different locations. Cortex XDR Agent controls security within each individual endpoint. The firewall controls security of traffic that traverses the firewall.

Install Cortex XDR Agent on every data center endpoint. The best practices for Cortex XDR Agent in the data center are the same as the best practices for Cortex XDR Agent on any endpoint because the context is always the endpoint itself, so the context “in the data center” or “in a user group” doesn’t matter—Cortex XDR Agent protects all endpoints the same way. So the deployment process, the malware protection policy best practices, etc., are the same for the data center as for any other area of the network.