Cortex XDR on Citrix non-persistent multi-user server


L7 Applicator

Hi community

Quite often we have issues with Cortex XDR on Citrix infrastructure. Currently, mainly with Windows Server 2022, we are in the situation where it is not possible to run Cortex at all because of possible server crashes which are not yet analyzed and resolved. So we needed to - at least temporarily - change to Microsoft Defender. I wanted to ask here what your solutions are to let Cortex XDR run properly on Citrix servers without bothering the user too much. Do you use exceptions for different paths or specific configurations?
It would be great to collect some information on how to do this properly, as I assume this could also help others here.

 

Looking forward to your replies 🙂
Remo

5 REPLIES

L5 Sessionator

Hi @Remo, thanks for reaching us using the Live Community.

 

Have you installed the agents following our specific procedure for VDI environments? https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.6/Cortex-XDR-Agent-Administrator-Guide/Corte...

 

Pay attention to this note in the linked doc:

jmazzeo_0-1732298433429.png

 

If this post answers your question, please mark it as the solution.

 

JM

Hi @jmazzeo 

Thanks for your answer. Yes, we installed Cortex according to this document. But on Server 2022 we still have big issues. At least until version 8.5.0.

We actually always used the TS_ENABLED=1 param for these multi-user servers, but TAC told us to use the VDI_ENABLED=1 option for our installation, which we have done for about 2 months now. Which option would you recommend, and are there other hints on how to successfully use Cortex XDR on Citrix servers?

 

L2 Linker

Hi Remo

You can disable the event collector ("cytool event_collection disable") to reduce CPU usage if it is high. If that does not work, you could create a support ticket. The support team will provide a YARA rule to map exception profiles, but protection capability performance will reduce slightly.

SmartIT

@E.Jafarov to be honest, this does not really help. The issues we have seem to be quite complex, as support so far is still analyzing the issue. It is not only the high CPU (even if disabling event collection is also not a solution, as if you have Cortex XDR you probably want this feature), the servers simply and then need to be rebooted. Which results in hours of work lost for our customers every time it happens ...

L7 Applicator

The troubleshooting goes on. So far support has multiple memory dumps and Cortex logs. Unfortunately, so far I don't know any result of the analysis. Next week we plan to have a call between Palo Alto and Citrix in order to move on in this situation.

 

At least so far it looks like with version 8.6.0 the situation seems to be more stable.

 
