topic Re: Force policy check in Cortex XDR in Cortex XDR Discussions

Force policy check in Cortex XDR

MartinCimone — Wed, 09 Sep 2020 14:15:56 GMT

Hi,

Is there any way to force a policy check on an endpoint?

I have created a new Policy Rule and assigned a new set of Policy Profiles to it. I then assigned specific endpoints to this Policy Rule and the rule is #1 in the policy order tab.

The problem I am facing is that the targeted computers do not seem to receive the new policy.

YES, the rule is ENABLED 😉

Thanks for your time.

Re: Force policy check in Cortex XDR

DKasabji — Sun, 13 Sep 2020 16:00:29 GMT

What do you mean with 'computers does not seem to receive policy' ?

Whenever there is some file execution, Cortex XDR will initiate its soo called File Analysis and Protection Flow, which evaluates it's decision based on the defined profiles within the policies applied to the given endpoint.

Best,

Re: Force policy check in Cortex XDR

MartinCimone — Mon, 14 Sep 2020 11:46:52 GMT

A ticket is open with PaloAlto support.

Whenever I create a new set of policies, it does not apply to any endpoints. NEVER!

Seems to be a "bug" within PaloAlto.

Re: Force policy check in Cortex XDR

DKasabji — Mon, 14 Sep 2020 11:55:42 GMT

Hmm. I am sure PA will be able to help you as they can see more details. I know that in our case it is working normally.

Have you checked that the policy is correctly applied to the endpoints?

Best,

Re: Force policy check in Cortex XDR

dfalcon — Mon, 14 Sep 2020 13:04:11 GMT

Hi @MartinCimone

You should be able to force a policy check-in using by leveraging the script execution abilities of the agent. You can initiate a cytool checkin command. More info can be found at:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/5-0/cortex-xdr-agent-admin/traps-agent-for-windows/troubleshoot-traps-for-windows/cytool.html

On your underlying issue, have you verified that the affected endpoints fall into the collection/group where the policy rule is applied. If you look at the agent details:

1. Do the endpoints show as online?

2. Does it show the policy applied ?

3. If you initiate a check-in from the endpoint itself, do you see successful communication?

Re: Force policy check in Cortex XDR

MartinCimone — Mon, 14 Sep 2020 13:08:32 GMT

Hi @dfalcon.

1. Do the endpoints show as online?

YES they are.

2. Does it show the policy applied ?

Nope. That's my whole problem ...

3. If you initiate a check-in from the endpoint itself, do you see successful communication?

Absolutely. Targetted endpoints are even receiving content update but are not updating the policy assigned to it.

A support case has been opened with PaloAlto and they are still investigating the issue.

Thanks for your time 😉

Re: Force policy check in Cortex XDR

DKasabji — Mon, 14 Sep 2020 13:11:49 GMT

Will be interesting to see what the root cause was.

Sounds like there is no transmission between Endpoints and Console for only just policies, which is weird.

Have you tried accessing the Endpoint via Console through Live Terminal? Or run any script from Action Center? Just to see if you are able to interact with them.

Re: Force policy check in Cortex XDR

dfalcon — Mon, 14 Sep 2020 13:21:12 GMT

Hi @MartinCimone -

Can you go to one of the affected machines and make note of the time and click check-in now from the agent interface? Once you have initiated the request, give it a few seconds. Next, open the log file from the same agent interface. Scroll to the bottom and work your way back up. Look for the time you click check in now. Do you see any errors or communication failure messages during that time? This may give us a good starting point to isolate the issue.

Re: Force policy check in Cortex XDR

MartinCimone — Mon, 14 Sep 2020 14:01:02 GMT

Hi @DKasabji

YES, Live Action Terminal, and Script are working perfectly on the targetted endpoint.

The problem seems only related to Policy.

I'll keep you informed as soon as I got some news from the Palo Alto Support investigation.

Re: Force policy check in Cortex XDR

Retired Member — Tue, 15 Sep 2020 14:33:18 GMT

Isn't a "Perform Heartbeat " under right-click Endpoint Control the way to ask the endpoint to check-in before the 5 minute interval?

While I have not had this issue with 7.1.3 Prevent, the first thing I would check is to ensure there are no blocks on your firewall to ensure there is not some odd communication issue.

Re: Force policy check in Cortex XDR

MartinCimone — Tue, 15 Sep 2020 17:53:17 GMT

Hi guys,

Quick feedback on the situation. The issue has been resolved by PaloAlto Support on Sunday evening.

They applied a new Server version on our Tennant and that fixed the issue.

All good now!