check cortex xdr agent status


L1 Bithead

Hi everyone,

 

I have a doubt.

How can I check the status of the Cortex XDR service / agent in Windows 10?

Because my client won't synchronize with the server.

Thanks in advance.

 

greetings.

Accepted Solutions

L4 Transporter

Hi @Seka,

If, with the command that @bbarmanroy provided, you see that the services are not running, please try the following on your non-connected endpoint as an admin user:

"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" runtime start

That should start the services/XDR processes, and if it doesn't, it will give you an error or some clue of what might be going on at your endpoint.

If this command does not get your XDR services/processes up and running and/or if your agent is not able to do the checkin, please open a TAC support case and our TAC engineers will help you further.

You can also try to force the checkin (once your XDR processes are running) with cytool.exe checkin

Make sure that your endpoint is not network-isolated so it can reach the tenant. That might be another issue.

KR,

Luis  

 

 


L3 Networker

Hi @Seka ,

 

If I guess your agents are not able to check in to the cloud console, I think you will have to use a 3rd-party tool here. We use a 3rd-party tool to check whether the Cortex XDR services are running or not.

 

Or probably you can use the below command and loop over your endpoint list:

wmic /node:"you-pc" service list brief | findstr cyserver

 

The above command won't be useful if the endpoints are not on the domain, or where IP connectivity is limited.

Kind Regards
KS
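The loop over an endpoint list suggested above, as an added PowerShell example that is not part of the original reply and is not Palo Alto Networks code. Assumptions: `endpoints.txt` and `xdr-not-running.csv` are hypothetical file names, the match string `cyserver` is taken from the wmic command above, and the account running it has remote WMI rights on the endpoints.

```powershell
# Added example: report the state of the Cortex XDR service on a list of endpoints.
# Assumptions: endpoints.txt (one hostname per line) and the CSV name are hypothetical;
# "cyserver" is the match string used in the wmic command in this thread.
param(
    [string]$EndpointList = '.\endpoints.txt',
    [string]$ServiceMatch = 'cyserver'
)

# DCOM is the transport "wmic /node:" uses, so the same reachability limits apply
# (endpoints off the domain or with restricted IP connectivity will show as Unreachable).
$dcom = New-CimSessionOption -Protocol Dcom

$report = foreach ($line in Get-Content -Path $EndpointList) {
    $pc = $line.Trim()
    if (-not $pc) { continue }          # skip blank lines in the list
    $session = $null
    try {
        $session = New-CimSession -ComputerName $pc -SessionOption $dcom `
                                  -OperationTimeoutSec 15 -ErrorAction Stop
        $services = @(Get-CimInstance -CimSession $session -ClassName Win32_Service `
                                      -Filter "Name LIKE '%$ServiceMatch%'" -ErrorAction Stop)
        if ($services.Count -eq 0) {
            # Host answered, but no service name contains the match string.
            [pscustomobject]@{ Endpoint = $pc; Service = $null; State = 'NoMatchingService'; StartMode = $null }
        }
        foreach ($svc in $services) {
            [pscustomobject]@{ Endpoint = $pc; Service = $svc.Name; State = $svc.State; StartMode = $svc.StartMode }
        }
    }
    catch {
        # Connection or query failure: record it instead of aborting the whole run.
        [pscustomobject]@{ Endpoint = $pc; Service = $null; State = 'Unreachable'; StartMode = $null }
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

$report | Sort-Object State, Endpoint | Format-Table -AutoSize

# Endpoints in any state other than Running are the ones to check locally.
$report | Where-Object { $_.State -ne 'Running' } |
    Export-Csv -Path '.\xdr-not-running.csv' -NoTypeInformation
```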

L5 Sessionator

Hi @Seka, if your endpoint is not connected, run the following command to identify if XDR is running.

cytool runtime query


 

  1. If this is a fresh installation, I'd recommend you to uninstall and reinstall the agent to see if it works, assuming this endpoint has the same network access levels as others in your tenant. 
  2. Otherwise, try using the command "cytool reconnect force <distribution ID>", where the ID can be obtained from the Agent Installations page (you can also create a new one).
  3. Does a reboot help?
  4. If the aforementioned steps fail, please raise a support ticket at support.paloaltonetworks.com. Please retrieve the TSF logs from the endpoint itself and upload them to the portal.

Ensure your endpoint agent has access to the internet (host firewalls, perimeter firewalls, corporate proxies etc.). Check if this is an isolated incident with one endpoint/few endpoints or if it is happening with all endpoints in your estate.

 

 

Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-6/cortex-xdr-agent-admin/cortex-xdr-agent-for-...


Thank you for your reply, I will try it and get back to you.
