https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-broker-mapper-scans/m-p/1229519#M8322 <P>Hi,<BR />the error is :</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tlmarques_0-1747764885543.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/67689iE2DD133779296EA0/image-size/medium?v=v2&amp;px=400" role="button" title="tlmarques_0-1747764885543.png" alt="tlmarques_0-1747764885543.png" /></span></P> <P><BR />in this case is only a test network...<BR />but normaly we&nbsp;<SPAN>using a /16 range&nbsp;.</SPAN></P> Tue, 20 May 2025 18:17:25 GMT tlmarques 2025-05-20T18:17:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-broker-mapper-scans/m-p/1229258#M8314 <P><SPAN>We’re experiencing an issue with Cortex brokers related to the network mapper.</SPAN><BR /><SPAN>When we run network scans using the "ICMP Echo" flag, the scan completes successfully and everything works as expected.</SPAN><BR /><BR /><SPAN>However, when performing a "TCP SYN" scan on the following ports:</SPAN><BR /><SPAN>80, 443, 22, 21, 25, 53, 23, 110, 123, 135, 137, 139, 143, 3389, 3306, 445, 1433, 161, 5900, 993, 587, 8080, 6660-6669, 5432, 5985, 5986, 636, 9100,</SPAN><BR /><SPAN>the result is always a failure.</SPAN><BR /><BR /><SPAN>On our firewalls and core switches, we’ve already created ACLs allowing any service, but the behavior remains the same.<BR /><BR />We have not observed any signs of network congestion. We use multiple monitoring platforms and none have reported any issues.<BR /><BR />As for the scanning configuration, we’re currently using a /16 range instead of /24. This is because we manage multiple sites, and each sites contains 50-100 of /24 subnets.<BR /><BR />What is the recommended approach for conducting large-scale scans? <BR />Would it be more efficient or accurate to specify each /24 subnet individually rather than scanning an entire /16?<BR /><BR /><BR /></SPAN></P> Fri, 16 May 2025 09:42:44 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-broker-mapper-scans/m-p/1229258#M8314 tlmarques 2025-05-16T09:42:44Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-broker-mapper-scans/m-p/1229515#M8321 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/307134">@tlmarques</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>Can you please share what kind of error messages you are seeing? Please share the screenshot (hiding any confidential information).&nbsp;&nbsp;</P> Tue, 20 May 2025 17:10:45 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-broker-mapper-scans/m-p/1229515#M8321 nsinghvirk 2025-05-20T17:10:45Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-broker-mapper-scans/m-p/1229519#M8322 <P>Hi,<BR />the error is :</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tlmarques_0-1747764885543.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/67689iE2DD133779296EA0/image-size/medium?v=v2&amp;px=400" role="button" title="tlmarques_0-1747764885543.png" alt="tlmarques_0-1747764885543.png" /></span></P> <P><BR />in this case is only a test network...<BR />but normaly we&nbsp;<SPAN>using a /16 range&nbsp;.</SPAN></P> Tue, 20 May 2025 18:17:25 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-broker-mapper-scans/m-p/1229519#M8322 tlmarques 2025-05-20T18:17:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-broker-mapper-scans/m-p/1229628#M8326 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/307134">@tlmarques</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for your response. There is a possibility of firewalls blocking broker vm traffic. Please make sure to allow broker vm network resources on your firewalls. Below is the link for all the network FQDNs and IPs required by XDR. You will find resources specific to broker vm under heading "Required for deployments that use Broker VM features".</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Enable-access-to-required-PANW-resources" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Enable-access-to-required-PANW-resources</A></P> <P>&nbsp;</P> <P>If above resources are allowed and still seeing error then open a TAC case to investigate logs for troubleshooting.</P> Wed, 21 May 2025 15:26:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-broker-mapper-scans/m-p/1229628#M8326 nsinghvirk 2025-05-21T15:26:23Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-broker-mapper-scans/m-p/1230356#M8357 <P data-start="81" data-end="278">I have full communication open to and from the broker VM. I spoke with support, and they mentioned that the issue is related to the number of open ports. They recommend a maximum of 20 ports.</P> Thu, 29 May 2025 12:44:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-broker-mapper-scans/m-p/1230356#M8357 tlmarques 2025-05-29T12:44:14Z