Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Broker VM and connection to the agents visibility

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Broker VM and connection to the agents visibility

L4 Transporter

Hello dear community, 

 

now I setup everything what I needed to get an agent running with the broker vm. The agent is also connecting through P2P and directly to the server. 

But where and how can I see, if the communication is ok through the broker vm?

 

BR

 

Rob

 

 

2 accepted solutions

Accepted Solutions

L3 Networker

Hi @RFeyertag 
Aside to above, to check if your agent proxy is working,

You may run the following commands
Windows
C:\Program Files\Palo Alto Networks\Traps>cytool proxy query
Mac
Sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool proxy query
Linux
/opt/traps/bin/cytool proxy query

The BVM IP address and port should be listed under Last good Proxy in the command output. If there is no Last Good Proxy, it means your agent cannot connect to Broker VM .If Proxy server is not configured properly, you can run this command to configure Proxy.

“cytool proxy set X.X.X.X:YYYY”

*replace X.X.X.X with BVM IP address and YYYY with BVM port

 

View solution in original post

L5 Sessionator

hi @RFeyertag ,

 

Couple of questions before answering in detail,what is your requirement? :

1. Do you want the agent to communicate to cloud via proxy?

2. Do you want the agent to take content and agent upgrades via Broker VM?

 

Answer 1: If you need the agents to Cortex XDR cloud via agent proxy on the broker VM, following are the steps:

  1. On the Broker VM applet, right click on Local Agent Settings> Activate.
  2. On the Agent Proxy, select Enable, Choose Port number(remember not to use reserved ports and others mentioned in the broker vm configuration document) and the listening interface(optional).
  3. If you have already installed agents, please follow instructions provided by @creddy. Steps may differ for Windows, Linux and MacOS machines. Make sure you follow the installation guides for the same.
  4. Once you have the proxy IP and port configured, you can use cytool commands as mentioned by @creddy  or from the Broker VM console on cortex XDR, hover your cursor on the Local Agent Settings applet and you should see the number of active connections. The active connection number denotes the number of agents connecting to Cortex XDR via the Broker VM.

    Screenshot 2022-08-22 at 8.33.44 PM.png

Answer 2: for content updates and agent upgrades to happen via broker

  • Make sure you fulfill all the requirements mentioned in the guide. Link provided here
  • Add the FQDN in the broker VM configuration page.
  • Activate the Local Agent Settings> Agent Installer and Content Caching>Select Enable
  • Go to your Cortex XDR agent setting profile and under the Download Sources, select all the options(P2P, Cortex Server, Broker VM)
  • Choose your configured broker VM from the list
  • The validation of the agent taking updates from the broker will be available in the agent logs once they upgrade automatically.
  • Check the agent logs for your broker VM FQDN and you should find the content upgrade actions list.

View solution in original post

9 REPLIES 9

L3 Networker

Hi @RFeyertag 
You can test access from agent to broker VM by reaching agent registration URL.


The Cortex XDR agent will use registration URL to register to Cortex XDR Server.

To get this URL, we need to have Agent Installer ID at first place.

The Cortex XDR agent installer ID can be checked from the Cortex XDR Management console -> Endpoints -> Agent Installations page. Add the Id column in the Layout to view installer ID.

Take the ID of the package that you have used to install agent before.

Add this installer ID in the end of below URL


https://distributions.traps.paloaltonetworks.com/operations/provision/register-url/<insert the installer ID here>


Configure the browser application (on the endpoint you are testing) to use the BVM proxy. In below screenshot with Firefox browser, 192.168.0.189 is the Broker VM IP address and port 8888 is the port configured in BVM Local Agent Settings.
Access the above URL from this broswer.

The expected result here are the following:
"chUrl":"https:\/\/ch-<xdr-tenant>.traps.paloaltonetworks.com",
"ccUrl":"https:\/\/cc-<xdr-tenant>.traps.paloaltonetworks.com",
"cdcUrl":"https:\/\/dc-<xdr-tenant>.traps.paloaltonetworks.com",
"instType":0

If you get above expected result, it means the connection between agent and server is fine.
Thank you!

L3 Networker

Hi @RFeyertag 
Aside to above, to check if your agent proxy is working,

You may run the following commands
Windows
C:\Program Files\Palo Alto Networks\Traps>cytool proxy query
Mac
Sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cytool proxy query
Linux
/opt/traps/bin/cytool proxy query

The BVM IP address and port should be listed under Last good Proxy in the command output. If there is no Last Good Proxy, it means your agent cannot connect to Broker VM .If Proxy server is not configured properly, you can run this command to configure Proxy.

“cytool proxy set X.X.X.X:YYYY”

*replace X.X.X.X with BVM IP address and YYYY with BVM port

 

L5 Sessionator

hi @RFeyertag ,

 

Couple of questions before answering in detail,what is your requirement? :

1. Do you want the agent to communicate to cloud via proxy?

2. Do you want the agent to take content and agent upgrades via Broker VM?

 

Answer 1: If you need the agents to Cortex XDR cloud via agent proxy on the broker VM, following are the steps:

  1. On the Broker VM applet, right click on Local Agent Settings> Activate.
  2. On the Agent Proxy, select Enable, Choose Port number(remember not to use reserved ports and others mentioned in the broker vm configuration document) and the listening interface(optional).
  3. If you have already installed agents, please follow instructions provided by @creddy. Steps may differ for Windows, Linux and MacOS machines. Make sure you follow the installation guides for the same.
  4. Once you have the proxy IP and port configured, you can use cytool commands as mentioned by @creddy  or from the Broker VM console on cortex XDR, hover your cursor on the Local Agent Settings applet and you should see the number of active connections. The active connection number denotes the number of agents connecting to Cortex XDR via the Broker VM.

    Screenshot 2022-08-22 at 8.33.44 PM.png

Answer 2: for content updates and agent upgrades to happen via broker

  • Make sure you fulfill all the requirements mentioned in the guide. Link provided here
  • Add the FQDN in the broker VM configuration page.
  • Activate the Local Agent Settings> Agent Installer and Content Caching>Select Enable
  • Go to your Cortex XDR agent setting profile and under the Download Sources, select all the options(P2P, Cortex Server, Broker VM)
  • Choose your configured broker VM from the list
  • The validation of the agent taking updates from the broker will be available in the agent logs once they upgrade automatically.
  • Check the agent logs for your broker VM FQDN and you should find the content upgrade actions list.

Thank you! This worked for me for checking it localy! 

Hello Neelrohit, 

 

thank you, yes both questions cover my requirements.

Do you know a way, how can we be informed by mail/alert when a broker vm is down? Until now, I only could find out, this message about the broker vm status appears in the notifications and in the settings in the app cloud console. 

I would prefer it in an audit log to throw a alert/mail. 

 

@RFeyertag ,

 

The data for broker VM connectivity and other associated detail is audited and logged in the management audit logs. You can filter the same and create a notification forwarding for the Broker VM disconnections.

 

Regards,

Neel

Hello Neelrohit!

 

It takes one hour until the log entry is written to management audit logs. It this one hour delay adjustable?

 

BR

 

Rob

@RFeyertag , 

 

As of now, this is not adjustable. We request you to kindly open a support case and report the issue and the engineering team can fix this to optimise the latency in the log status.

 

Regards,

@neelrohit 

Thank you! I will ask them. 

 

BR

 

Rob

  • 2 accepted solutions
  • 7145 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!