topic Re: Broker VM and connection to the agents visibility in Cortex XDR Discussions

Broker VM and connection to the agents visibility

RFeyertag — Mon, 22 Aug 2022 10:17:17 GMT

Hello dear community,

now I setup everything what I needed to get an agent running with the broker vm. The agent is also connecting through P2P and directly to the server.

But where and how can I see, if the communication is ok through the broker vm?

Rob

Re: Broker VM and connection to the agents visibility

creddy — Mon, 22 Aug 2022 12:01:41 GMT

Hi @RFeyertag
You can test access from agent to broker VM by reaching agent registration URL.

The Cortex XDR agent will use registration URL to register to Cortex XDR Server.

To get this URL, we need to have Agent Installer ID at first place.

The Cortex XDR agent installer ID can be checked from the Cortex XDR Management console -> Endpoints -> Agent Installations page. Add the Id column in the Layout to view installer ID.

Take the ID of the package that you have used to install agent before.

Add this installer ID in the end of below URL

https://distributions.traps.paloaltonetworks.com/operations/provision/register-url/<insert the installer ID here>

Configure the browser application (on the endpoint you are testing) to use the BVM proxy. In below screenshot with Firefox browser, 192.168.0.189 is the Broker VM IP address and port 8888 is the port configured in BVM Local Agent Settings.
Access the above URL from this broswer.

The expected result here are the following:
"chUrl":"https:\/\/ch-<xdr-tenant>.traps.paloaltonetworks.com",
"ccUrl":"https:\/\/cc-<xdr-tenant>.traps.paloaltonetworks.com",
"cdcUrl":"https:\/\/dc-<xdr-tenant>.traps.paloaltonetworks.com",
"instType":0

If you get above expected result, it means the connection between agent and server is fine.
Thank you!

Re: Broker VM and connection to the agents visibility

creddy — Mon, 22 Aug 2022 12:05:25 GMT

Hi @RFeyertag
Aside to above, to check if your agent proxy is working,

You may run the following commands
Windows
C:\Program Files\Palo Alto Networks\Traps>cytool proxy query
Mac
Sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool proxy query
Linux
/opt/traps/bin/cytool proxy query

The BVM IP address and port should be listed under Last good Proxy in the command output. If there is no Last Good Proxy, it means your agent cannot connect to Broker VM .If Proxy server is not configured properly, you can run this command to configure Proxy.

“cytool proxy set X.X.X.X:YYYY”

*replace X.X.X.X with BVM IP address and YYYY with BVM port

Re: Broker VM and connection to the agents visibility

neelrohit — Mon, 22 Aug 2022 12:41:51 GMT

hi @RFeyertag ,

Couple of questions before answering in detail,what is your requirement? :

1. Do you want the agent to communicate to cloud via proxy?

2. Do you want the agent to take content and agent upgrades via Broker VM?

Answer 1: If you need the agents to Cortex XDR cloud via agent proxy on the broker VM, following are the steps:

On the Broker VM applet, right click on Local Agent Settings> Activate.
On the Agent Proxy, select Enable, Choose Port number(remember not to use reserved ports and others mentioned in the broker vm configuration document) and the listening interface(optional).
If you have already installed agents, please follow instructions provided by @creddy. Steps may differ for Windows, Linux and MacOS machines. Make sure you follow the installation guides for the same.
Once you have the proxy IP and port configured, you can use cytool commands as mentioned by @creddy or from the Broker VM console on cortex XDR, hover your cursor on the Local Agent Settings applet and you should see the number of active connections. The active connection number denotes the number of agents connecting to Cortex XDR via the Broker VM.

Answer 2: for content updates and agent upgrades to happen via broker

Make sure you fulfill all the requirements mentioned in the guide. Link provided here
Add the FQDN in the broker VM configuration page.
Activate the Local Agent Settings> Agent Installer and Content Caching>Select Enable
Go to your Cortex XDR agent setting profile and under the Download Sources, select all the options(P2P, Cortex Server, Broker VM)
Choose your configured broker VM from the list
The validation of the agent taking updates from the broker will be available in the agent logs once they upgrade automatically.
Check the agent logs for your broker VM FQDN and you should find the content upgrade actions list.

Re: Broker VM and connection to the agents visibility

RFeyertag — Thu, 25 Aug 2022 10:57:34 GMT

Thank you! This worked for me for checking it localy!

Re: Broker VM and connection to the agents visibility

RFeyertag — Thu, 25 Aug 2022 11:51:37 GMT

Hello Neelrohit,

thank you, yes both questions cover my requirements.

Do you know a way, how can we be informed by mail/alert when a broker vm is down? Until now, I only could find out, this message about the broker vm status appears in the notifications and in the settings in the app cloud console.

I would prefer it in an audit log to throw a alert/mail.

Re: Broker VM and connection to the agents visibility

neelrohit — Thu, 25 Aug 2022 12:08:08 GMT

@RFeyertag ,

The data for broker VM connectivity and other associated detail is audited and logged in the management audit logs. You can filter the same and create a notification forwarding for the Broker VM disconnections.

Regards,

Neel

Re: Broker VM and connection to the agents visibility

RFeyertag — Tue, 30 Aug 2022 09:45:03 GMT

Hello Neelrohit!

It takes one hour until the log entry is written to management audit logs. It this one hour delay adjustable?

Rob

Re: Broker VM and connection to the agents visibility

neelrohit — Wed, 31 Aug 2022 01:39:01 GMT

@RFeyertag ,

As of now, this is not adjustable. We request you to kindly open a support case and report the issue and the engineering team can fix this to optimise the latency in the log status.

Regards,

@neelrohit

Re: Broker VM and connection to the agents visibility

RFeyertag — Wed, 31 Aug 2022 11:41:38 GMT

Thank you! I will ask them.

Rob