https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-connection-issue/m-p/555307#M5037 <P>Hi Community</P> <P>&nbsp;</P> <P>Finally we figured out what caused this issue!</P> <P><BR />The brokers transmits all HTTP packets to the webproxy with the endpoints IP addresses as source.<BR />So the webproxy blocked the connections as we only add the brokers IP addresses on the URL whitelist.</P> <P>We mainly focused on connections between the brokers and webproxy/internet. However, because webproxy rules apply on application layer, we overlooked this.</P> <P>&nbsp;</P> <P>After activating content caching on the brokers (and tcp443 connections) everything works fine.</P> <P>&nbsp;</P> <P>Best regards</P> Fri, 25 Aug 2023 14:42:59 GMT Rocky-25 2023-08-25T14:42:59Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-connection-issue/m-p/555072#M5031 <P>Hi Community</P> <P>&nbsp;</P> <P>We're facing an connection issue with Endpoints using Broker VMs (agent proxy). We opened a TAC case, but it's stuck. There is no useful help yet.</P> <P>- Endpoints are isolated from the internet (no direct or webproxy access)<BR />- Endpoints are registered in Cortex, but doesn't get content updates<BR />- Live terminal to endpoints is not possible<BR />- Brokers connect to the internet through a webproxy<BR />- Webproxy has whitelisted the URLs* (no Authentication, no TLS Interception)</P> <P>&nbsp;</P> <P>We've checked the following:<BR />- Re-installed agents<BR />- Re-deployed brokers<BR />- Connection from endpoints to brokers is successful (tcp8888)<BR />- Connection from brokers to URLs* is successful (https)</P> <P>&nbsp;</P> <P>Has anyone some useful information or connectivity tests we can run?</P> <P>&nbsp;</P> <P>*) <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access</A></P> <P>&nbsp;</P> <P>Thanks &amp; Best regards</P> Thu, 24 Aug 2023 14:25:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-connection-issue/m-p/555072#M5031 Rocky-25 2023-08-24T14:25:05Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-connection-issue/m-p/555274#M5036 <P>Hello Roman,</P> <P>We have not came across such scenarios. This case requires TAC intervention.</P> <P>&nbsp;</P> <P>If it is stuck, I would suggest reaching out to Accounts Team to accelerate the progress.</P> <P>&nbsp;</P> <P>Thanks!</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 25 Aug 2023 11:44:35 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-connection-issue/m-p/555274#M5036 aspatil 2023-08-25T11:44:35Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-connection-issue/m-p/555307#M5037 <P>Hi Community</P> <P>&nbsp;</P> <P>Finally we figured out what caused this issue!</P> <P><BR />The brokers transmits all HTTP packets to the webproxy with the endpoints IP addresses as source.<BR />So the webproxy blocked the connections as we only add the brokers IP addresses on the URL whitelist.</P> <P>We mainly focused on connections between the brokers and webproxy/internet. However, because webproxy rules apply on application layer, we overlooked this.</P> <P>&nbsp;</P> <P>After activating content caching on the brokers (and tcp443 connections) everything works fine.</P> <P>&nbsp;</P> <P>Best regards</P> Fri, 25 Aug 2023 14:42:59 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/broker-vm-connection-issue/m-p/555307#M5037 Rocky-25 2023-08-25T14:42:59Z