Partialy protected

E.Istanto — Wed, 17 Jun 2026 05:05:10 GMT

Hello everyone, I'm having issues with my Cortex XDR agent. The operational status is partially protected, with the following details:
1. The OS I'm using is Ubuntu 24.04.0
2. I'm using the latest agent installer, version 9.2.0.119
3. The operational status details generally state that the Linux kernel cannot be loaded.

Is there a solution I can try, or has anyone else experienced something similar before?

Re: Partialy protected

susekar — Wed, 17 Jun 2026 12:25:14 GMT

Hello @E.Istanto ,

Greetings for the day and thanks for attaching the snapshot.

The "Partially Protected" status on Ubuntu 24.04 with a "Linux kernel cannot be loaded" error typically indicates that the Cortex XDR kernel module (KM) is either blocked from loading by the operating system or is incompatible with the installed kernel version. Ubuntu 24.04 x86_64 is supported starting with Cortex XDR Agent version 9.2.

(Common Causes and Solutions)

1. UEFI Secure Boot Block:

The most common cause on Ubuntu 24.04 is Secure Boot being enabled without the Palo Alto Networks kernel module signing certificate being enrolled in the system's Machine Owner Key (MOK) database.

Verify Secure Boot Status

Run the following command:mokutil --sb-state

If the output shows "SecureBoot enabled", enroll the PANW certificate.

Locate the Certificate:

Replace [distro] with the appropriate directory (for example, ubuntu24 )

ls -l /opt/traps/download/content/km/modules/[distro]/xdr_kernel_cert.der

Import the Certificate:

sudo mokutil --import /opt/traps/download/content/km/modules/[distro]/xdr_kernel_cert.der

Set a temporary password, reboot the system, and follow the UEFI prompts to Enroll MOK using the password you created.

2. Unsupported Kernel Version:

Ubuntu 24.04 uses newer 6.x kernels (for example, 6.8.x). If the specific kernel version is not yet supported by the installed content package, the kernel module may fail to load.

Workaround: Switch to User Space Mode:

User Space mode (eBPF-based) does not require a kernel module for most protections.

Navigate to:

Endpoints → Policy Management → Agent Settings Profiles
Edit the profile assigned to the Ubuntu 24.04 endpoint.
Change Agent Operation Mode to User Space.
Save the profile and wait for the agent to heartbeat and apply the change.

3. Kernel Module Load Lock

The agent may create a .load_lock file after repeated ungraceful shutdowns to prevent further kernel module loading.

Clear the Lock:

sudo /opt/traps/bin/cytool runtime stop all
sudo rm /opt/traps/km_utils/.load_lock
sudo /opt/traps/bin/cytool runtime start all

On some Ubuntu versions, the lock file may instead reside at:/etc/traps/km/.load_lock

(Verification)

After applying the above steps, verify the agent status:sudo /opt/traps/bin/cytool status

Look for one of the following statuses:

Kernel Module is Loaded
Bpf is Running

These indicate that endpoint protection has been successfully enabled.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic Re: Partialy protected in Cortex XDR Discussions