Question

Inquiry Regarding Impact of Palo Alto XDR on Veeam Backup Server & Proxy

  • November 26, 2025
  • 4 comments
  • 54 views

  • Comes here often

Dear Community,

I would like to ask about the potential impact of Palo Alto XDR installed on our Veeam Backup & Replication v12 infrastructure, specifically on:

  • Veeam Backup Server (Windows 11)

  • Veeam Backup Proxy (Ubuntu)

Could you please advise on the following:

  1. Does Palo Alto XDR require any exclusions to ensure stable Veeam operations?

  2. What specific paths, processes, or services should be excluded on both Windows and Linux components?

  3. Are there any known impacts or compatibility considerations when Palo Alto XDR is active on VBR v12?

Your guidance would be greatly appreciated to help ensure both security and optimal backup performance.

Thank you.

4 comments

MattM
  • Experienced User
  • November 26, 2025

Hi,

this KB article should provide a valid starting point.


lukas.k
  • Veeam Vanguard
  • November 26, 2025

Hi ​@epul,

The article provided by Matt gives a good overview.

Please keep in mind that from a security perspective it may (but not must!) happen that if anyone gets access to your Palo Alto XDR management plane it could be possible to disable services on every component that it’s installed on.

If you use that XDR for production as well, then I’d not install it on the DR components in the first place, since you specifically want a “gap” between your prod and your DR. This would be an “intersection” because XDR would control both prod and DR and an attacker could potentially manipulate both - that is what you don’t want to happen.

I personally recommend using another (standalone) XDR or even the Windows Defender with a hardened network design and other hardening measures to be completely independent.

Best

Lukas


  • Author
  • Comes here often
  • November 26, 2025

Thanks ​@MattM and ​@lukas.k, I really appreciate your answers and suggestions. I’ll review the article.


  • Comes here often
  • November 26, 2025

Agree with the above comments, but will add one piece of advice that will help you with troubleshooting:

Any time something that was working stops working suddenly, set your XDR (or EDR) to “permissive” mode or “learning mode”.

I’ve not used Palo Alto specifically, but keep in mind that our KB1999 is very much oriented towards older signature-based scanning solutions. Modern XDR/EDR don’t really work like that and are more heuristics-based, and the exclusions often will be ignored if the XDR / EDR determines the activity to be “bad” enough. Usually these systems have a less strict mode that is meant to be temporary and lets you review behavior, do installations / management without totally disabling the security solution, etc., and this is usually a good test to help narrow down the cause.

I wrote this post a few years ago on our RnD forums when I was still in Veeam Support, and I stand by this today to help explain questions like “why would AV only affect one VM out of dozens?” or “why now when it’s been working fine for years?” or “why does it work after an active full?”

Basically, security solutions are good and they are doing exactly what they’re designed to in most cases -- blocking what they think might be dangerous activity on your system. But understanding how they do this detection is important, as you can lose a ton of time on troubleshooting if you’re not willing to consider that these solutions will do their best to protect you at any cost, even if it means interrupting operations -- that’s their job, and you need to consider it carefully (especially since the logging is typically pretty sparse by design for security solutions).