https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-about-cortex-7-3-0/m-p/430671#M1011 <P><SPAN>Just wondering if anyone else is experiencing this... We have about 600 XDR agents deployed and keep running into scenarios where the agents just seemingly randomly stop checking in. Nothing meaningful in the logs. Doing a cytool checkin does nothing. The agents disappear from the dashboard entirely making it reeeeeeallly hard to even determine that the agent has stopped communicating. If we use the XDRAgentCleaner to manually remove the agent and re-install it magically starts working just fine. We've seen it on multiple agent versions from 7.0 to 7.3. The last_checkin dates are all over the map.. It's just super odd. Palo support has been completely unhelpful.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://www.rapidfs.us/" target="_self"><SPAN>official rapidfs</SPAN></A></P> Thu, 02 Sep 2021 04:59:32 GMT Breitenberg 2021-09-02T04:59:32Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-about-cortex-7-3-0/m-p/429647#M1001 <P>Hi There,</P><P>&nbsp;</P><P>What does it mean to see Cortex status DISABLED in the VDI?</P><P>&nbsp;</P><P>Looking forward.</P><P>&nbsp;</P> Fri, 27 Aug 2021 08:23:46 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-about-cortex-7-3-0/m-p/429647#M1001 LuisEhate 2021-08-27T08:23:46Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-about-cortex-7-3-0/m-p/430612#M1009 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/155629">@LuisEhate</a>&nbsp;wrote:<BR /><P>Hi There,</P><P>&nbsp;</P><P>What does it mean to see Cortex status DISABLED in the VDI?</P><P>&nbsp;</P><P>Looking forward.</P><P>&nbsp;</P><HR /></BLOCKQUOTE><P>Hello LuisEhate,</P><P>&nbsp;</P><P>Can you share a screenshot of your issue?, If you are referring to Cortex XDR agent operational status.</P><P>You can find more information here:</P><P><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/monitoring/monitor-agent-operational-status.html" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/monitoring/monitor-agent-operational-status.html</A></P><P>&nbsp;</P><P>For example the unprotected status could mean;</P><P>&nbsp;</P><DIV><UL><LI><DIV>Behavioral threat protection and Malware protection are not running</DIV></LI><LI><DIV>Exploit protection and malware protection are not running</DIV></LI><LI><DIV><DIV class="p"><DIV>The content is unavailable.</DIV></DIV></DIV></LI></UL></DIV><P>&nbsp;</P><P>Cortex XDR agent on VDI's:</P><P><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-2/cortex-xdr-agent-admin/cortex-xdr-agent-for-windows/cortex-agent-for-virtual-environments-and-desktops.html" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-2/cortex-xdr-agent-admin/cortex-xdr-agent-for-windows/cortex-agent-for-virtual-environments-and-desktops.html</A></P><P>&nbsp;</P><P>Endpoint details:</P><P><A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoints/view-details-for-an-endpoint.html" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/investigate-endpoints/view-details-for-an-endpoint.html</A></P><P>&nbsp;</P><DIV><DIV class="p"><P class="p1">The registration statuses of the Cortex XDR agent on endpoint are:</P><P class="p1"><STRONG>• Connected</STRONG>—The Cortex XDR agent has checked in within 10 minutes for standard endpoints, and within 3 hours for mobile endpoints.</P><P class="p1"><STRONG>• Connection Lost</STRONG>—The Cortex XDR agent has not checked in within 30 to 180 days for standard endpoints, and between 90 minutes and 6 hours for VDI and temporary sessions.</P><P class="p1"><STRONG>• Disconnected</STRONG>—The Cortex XDR agent has checked in within the defined inactivity window: between 10 minutes and 30 days for standard and mobile endpoints, and between 10 minutes and 90 minutes for VDI and temporary sessions.</P><P class="p1"><STRONG>• VDI Pending Log-on</STRONG>—(<STRONG>Windows only</STRONG>) Indicates a non-persistent VDI endpoint is waiting for user logon, after which the Cortex XDR agent consumes a license and starts enforcing protection.</P><P class="p1"><STRONG>• Uninstalled</STRONG>—The Cortex XDR agent has been uninstalled from the endpoint.</P></DIV></DIV> Tue, 31 Aug 2021 22:48:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-about-cortex-7-3-0/m-p/430612#M1009 yalonso 2021-08-31T22:48:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-about-cortex-7-3-0/m-p/430671#M1011 <P><SPAN>Just wondering if anyone else is experiencing this... We have about 600 XDR agents deployed and keep running into scenarios where the agents just seemingly randomly stop checking in. Nothing meaningful in the logs. Doing a cytool checkin does nothing. The agents disappear from the dashboard entirely making it reeeeeeallly hard to even determine that the agent has stopped communicating. If we use the XDRAgentCleaner to manually remove the agent and re-install it magically starts working just fine. We've seen it on multiple agent versions from 7.0 to 7.3. The last_checkin dates are all over the map.. It's just super odd. Palo support has been completely unhelpful.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://www.rapidfs.us/" target="_self"><SPAN>official rapidfs</SPAN></A></P> Thu, 02 Sep 2021 04:59:32 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-about-cortex-7-3-0/m-p/430671#M1011 Breitenberg 2021-09-02T04:59:32Z