Duplicate endpoint entries observed


L2 Linker

Hi All,

We have started noticing duplicate endpoint entries in the "All Endpoints" section.

After checking all the fields we found that there are different endpoint_ids for the same endpoint name.

What could be the reason behind the creation of these multiple/duplicate entries and how can we clean up these entries? 

Thanks!!


L3 Networker

There could be various reasons for duplicate endpoints in the XDR console.
How are the agents being deployed on the endpoints?
Are the agents connecting to the XDR server using any proxy server other than the broker VM?
If yes, you need to make sure caching is disabled for the XDR URLs in the proxy servers. This will help ensure proper communication between agent and server.

L3 Networker

We have similar behaviour. One PC (32-bit Win 10, 4 GB RAM) is running out of resources, so it gets reinstalled on its own a couple of times. 😞

BR

Rob

L2 Linker

Hi MithunKT again,

The duplication can be part of another installation retry on the same endpoint (e.g. reimaging).

What I usually do is create a widget in Cortex XDR with the dedup filter:

| dedup hostname by desc last_seen

The dedup will deduplicate the same hostname but retain whichever reported latest in the Cortex XDR console.
Let's have a seat and talk for a while.

Hey @MarvinC

I have tried creating a custom widget and I'm getting a report of duplicate entries every day. But how do you remove the entries which are not needed?

I have tried the "delete endpoint" option; it removes the entry from "All Endpoints", but in the next day's report it reappears again.

What's the best solution to clean up all these unnecessary entries permanently?
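As an added illustration of the dedup idea above and of the follow-up question about which entries are safe to remove (this is example code added here, not from the original thread and not Palo Alto Networks code): a small Python script that reads an "All Endpoints" CSV export, groups rows by endpoint name, keeps the entry that reported most recently (the same rule as `dedup ... by desc last_seen`) and lists the stale endpoint_id values. The column names endpoint_name, endpoint_id and last_seen and the sample rows are assumptions; check them against your own export before relying on the output.

```python
"""Find duplicate Cortex XDR endpoint entries in an 'All Endpoints' CSV export.

Added example, not code from the original thread or from Palo Alto Networks.
Assumed column names: endpoint_name, endpoint_id, last_seen (ISO-8601).
"""
import csv
import io
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample export (not real data): LAPTOP-01 and LAPTOP-02 have
# registered more than once and so appear with several endpoint_id values.
SAMPLE_EXPORT = """endpoint_name,endpoint_id,last_seen
LAPTOP-01,aaaa1111,2022-07-20T08:15:00
LAPTOP-01,bbbb2222,2022-07-27T09:30:00
SRV-DB-01,cccc3333,2022-07-27T10:00:00
LAPTOP-02,dddd4444,2022-07-10T12:00:00
LAPTOP-02,eeee5555,2022-07-26T07:45:00
laptop-02,ffff6666,2022-07-27T06:00:00
"""


def parse_export(text: str) -> List[dict]:
    """Parse the CSV text into row dicts and attach a parsed last_seen timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_seen_dt"] = datetime.fromisoformat(row["last_seen"])
    return rows


def find_duplicates(rows: List[dict]) -> Dict[str, Tuple[dict, List[dict]]]:
    """Map each duplicated (case-folded) endpoint name to (keep, stale).

    keep  = the row with the most recent last_seen, i.e. the agent that is
            actually talking to the tenant right now
    stale = the remaining rows for that name, newest first
    A name that appears several times with the *same* endpoint_id is one
    agent reporting repeatedly, not a duplicate, so it is collapsed first.
    """
    by_name: Dict[str, Dict[str, dict]] = {}
    for row in rows:
        name = row["endpoint_name"].strip().lower()  # hostnames compare case-insensitively
        agents = by_name.setdefault(name, {})
        seen = agents.get(row["endpoint_id"])
        if seen is None or row["last_seen_dt"] > seen["last_seen_dt"]:
            agents[row["endpoint_id"]] = row

    duplicates: Dict[str, Tuple[dict, List[dict]]] = {}
    for name, agents in by_name.items():
        if len(agents) < 2:
            continue
        ordered = sorted(agents.values(), key=lambda r: r["last_seen_dt"], reverse=True)
        duplicates[name] = (ordered[0], ordered[1:])
    return duplicates


def stale_endpoint_ids(rows: List[dict]) -> List[str]:
    """endpoint_id values that can be deleted from the console, sorted."""
    return sorted(r["endpoint_id"]
                  for _, stale in find_duplicates(rows).values()
                  for r in stale)


def report(rows: List[dict]) -> str:
    """Human-readable summary: one line per duplicated name plus a total."""
    duplicates = find_duplicates(rows)
    lines = []
    for name, (keep, stale) in sorted(duplicates.items()):
        stale_desc = ", ".join(f"{r['endpoint_id']} (last seen {r['last_seen']})" for r in stale)
        lines.append(f"{name}: keep {keep['endpoint_id']}; stale: {stale_desc}")
    lines.append(f"{len(stale_endpoint_ids(rows))} stale entries across {len(duplicates)} hosts")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_export(SAMPLE_EXPORT)))
```

To use it on a real tenant, replace SAMPLE_EXPORT with the contents of your export. An entry that comes back the day after you delete it in the console is still being reported by a live agent with that ID; that is the case the agent.id reset described later in this thread is meant to fix, and deleting the console entry alone will not keep it away.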

Hi @creddy

There is no proxy server placed between the agent and XDR tenant communication. I too investigated from the user end to find out what is actually creating duplicate entries.

I found out the reasons below:
1) Whenever multiple users log in to the same endpoint (shared host), duplicate entries are created.
2) Whenever the same user connects from different IPs (VPN, office network), duplicate entries are created for the same endpoint.

I just wanted to understand: is this the natural behavior of XDR, creating duplicate entries for the same endpoint whenever the user or IP changes? If so,
how will licensing be affected by these duplicate entries?
How do we clean up the unnecessary duplicates automatically?

Thanks!!

Hi Mithun,
Each agent has its own unique ID to communicate with the XDR server. The XDR server communicates with each endpoint agent based on this unique ID. The XDR server can't communicate with multiple agents that have the same unique ID at the same time, but it communicates with whichever agent's service started most recently, which could be what is happening in your case.

From your statements, I understand that the agent might have received the same unique ID on multiple endpoints when they registered with the XDR server.
There is a possibility that multiple endpoint XDR agents can receive the same agent ID during the registration process.
So when an endpoint agent's services get started, it is able to start communicating with the XDR server. The other endpoint already connected stops any connections with the XDR server at this stage.

This can happen for two reasons.

1. SSL inspection enabled on the firewall.
If SSL decryption is enabled on the firewall, we recommend adding the resources required for Cortex XDR access to your SSL Decryption Exclusion list for proper communication between agent and server. Refer to step #7 in Enable Access to Cortex XDR.

2. Caching enabled on proxy servers.
Disable caching for all PAN URLs in the proxy server for proper communication and response between agent and server.
Since you already mentioned there is no proxy, you can ignore this point.

After the above settings are fixed, you can verify whether a newly installed agent is getting a unique agent ID from the XDR server or not.

Coming to the cleanup of existing duplicate endpoints: for machines that are already affected by this duplicate agent ID, we can force the agent to get a new (unique) agent ID to resolve the issue with the following steps:

1. Uninstall the agent from the machine.
2. Locate and delete the agent ID file from the machine using the steps below.
For Windows: delete the agent.id file under the path C:\ProgramData\Cyvera\LocalSystem\OSPersistence\

For Linux: delete the agent.id file under the path /etc/traps/

For Mac: delete the agent.id file under the path /etc/traps/

3. Delete the endpoint entry from the Endpoints -> All Endpoints section in the XDR Management Console.
4. Restart the endpoint.
5. Install the agent package on the endpoint and verify the agent ID on the XDR console.
6. Verify the agent ID value under the Endpoint ID column for the particular endpoint in the Endpoints -> All Endpoints section in the XDR Management Console. It shows the unique agent ID for each endpoint.

Coming to the license portion, if there are any duplicates showing up in the XDR console, all these duplicates may consume licenses.

If you found this post helpful, please mark this as Answer/Solution.

Hi @creddy

I am referring to the steps you listed here:

1. Uninstall agent from the machine.
2. Delete agent id file from the machine using below command.
3. Disable Agent Tampering Protection and perform the below step.

We do not need to disable agent tamper protection, as the agent is already uninstalled.

What can be done as an alternative is:

1. disable all processes (cytool runtime stop all)
2. disable tamper protection (for Windows only)
3. delete/rename the agent.id file
4. enable tamper protection (for Windows only)
5. restart all processes (cytool runtime start all)
6. delete the old entry from the Cortex XDR console.

That'll get the agent a new agent ID. See the example below:

(attached screenshot: bbarmanroy_0-1658914097585.png)

Thanks @bbarmanroy
There was a typo in the steps I shared earlier. I have corrected it.

Thank you @creddy !

With XDR 3.4, there is a new feature to automatically cleanup duplicate entries.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-release-notes/release-information/fea...

(attached screenshot: bbarmanroy_0-1658988946168.png)

 
