A question about Cortex 7.3.0


L0 Member

Hi There,

What does it mean to see Cortex status DISABLED in the VDI?

Looking forward.

 

1 ACCEPTED SOLUTION


L2 Linker

@LuisEhate wrote:

Hi There,

What does it mean to see Cortex status DISABLED in the VDI?

Looking forward.

 


Hello LuisEhate,

Can you share a screenshot of your issue? If you are referring to the Cortex XDR agent operational status, you can find more information here:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/monitoring/monitor-agent-op...

 

For example, the unprotected status could mean:

  • Behavioral threat protection and Malware protection are not running
  • Exploit protection and malware protection are not running
  • The content is unavailable.

 

Cortex XDR agent on VDIs:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-2/cortex-xdr-agent-admin/cortex-xdr-agent-for-...

Endpoint details:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/...

 

The registration statuses of the Cortex XDR agent on endpoint are:

• Connected—The Cortex XDR agent has checked in within 10 minutes for standard endpoints, and within 3 hours for mobile endpoints.

• Connection Lost—The Cortex XDR agent has not checked in within 30 to 180 days for standard endpoints, and between 90 minutes and 6 hours for VDI and temporary sessions.

• Disconnected—The Cortex XDR agent has checked in within the defined inactivity window: between 10 minutes and 30 days for standard and mobile endpoints, and between 10 minutes and 90 minutes for VDI and temporary sessions.

• VDI Pending Log-on—(Windows only) Indicates a non-persistent VDI endpoint is waiting for user logon, after which the Cortex XDR agent consumes a license and starts enforcing protection.

• Uninstalled—The Cortex XDR agent has been uninstalled from the endpoint.


L0 Member

Just wondering if anyone else is experiencing this... We have about 600 XDR agents deployed and keep running into scenarios where the agents just seemingly randomly stop checking in. Nothing meaningful in the logs. Doing a cytool checkin does nothing. The agents disappear from the dashboard entirely, making it reeeeeeallly hard to even determine that the agent has stopped communicating. If we use the XDRAgentCleaner to manually remove the agent and re-install, it magically starts working just fine. We've seen it on multiple agent versions from 7.0 to 7.3. The last_checkin dates are all over the map. It's just super odd. Palo support has been completely unhelpful.
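Added example (not part of any post in this thread and not Palo Alto Networks code): one way to spot agents that have gone quiet or dropped off the console is to reconcile an independent asset inventory against an endpoint export, using the check-in windows for standard and VDI endpoints quoted in the accepted solution. The CSV column names, hostnames and timestamps are constructed for illustration, and the "Past listed windows" and "Missing from export" labels are this example's own, not product statuses.

```python
import csv
import io
from datetime import datetime, timedelta

# Check-in windows as quoted in the thread (standard and VDI endpoints only).
CONNECTED_MAX = timedelta(minutes=10)
DISCONNECTED_MAX = {"standard": timedelta(days=30), "vdi": timedelta(minutes=90)}
LOST_MAX = {"standard": timedelta(days=180), "vdi": timedelta(hours=6)}

# Constructed sample data: asset inventory plus a console export.
# Column names are assumptions, not a documented Cortex XDR export format.
INVENTORY = ["ws-001", "ws-002", "ws-003", "vdi-010", "vdi-011", "vdi-012"]
EXPORT = """hostname,endpoint_type,last_seen
ws-001,standard,2024-05-01T11:55:00
ws-002,standard,2024-04-20T09:00:00
vdi-010,vdi,2024-05-01T11:00:00
vdi-011,vdi,2024-05-01T09:00:00
vdi-012,vdi,2024-04-30T12:00:00
"""
NOW = datetime(2024, 5, 1, 12, 0, 0)

def status_for(age, kind):
    """Map time since last check-in to the status names listed in the thread."""
    if age <= CONNECTED_MAX:
        return "Connected"
    if age <= DISCONNECTED_MAX[kind]:
        return "Disconnected"
    if age <= LOST_MAX[kind]:
        return "Connection Lost"
    return "Past listed windows"

def reconcile(inventory, export_text, now):
    """Return {hostname: finding} for every host the inventory expects."""
    seen = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        age = now - datetime.fromisoformat(row["last_seen"])
        seen[row["hostname"].lower()] = status_for(age, row["endpoint_type"])
    # A host the console no longer lists never shows up as stale there,
    # so only the inventory side can reveal it.
    return {h: seen.get(h.lower(), "Missing from export") for h in inventory}

def needs_attention(findings):
    """Hosts whose agent is anything other than Connected."""
    return sorted(h for h, s in findings.items() if s != "Connected")

if __name__ == "__main__":
    for host, finding in reconcile(INVENTORY, EXPORT, NOW).items():
        print(f"{host:8} {finding}")
```

Mobile endpoints are left out because the windows quoted for them in the thread overlap.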

 

 
