Force policy check in Cortex XDR


L1 Bithead

Hi,

 

Is there any way to force a policy check on an endpoint?

 

I have created a new Policy Rule and assigned a new set of Policy Profiles to it.  I then assigned specific endpoints to this Policy Rule and the rule is #1 in the policy order tab.

 

The problem I am facing is that the targeted computers do not seem to receive the new policy.

 

YES, the rule is ENABLED  😉

 

Thanks for your time.

Martin Cimone

Accepted Solutions

Hi guys,

 

Quick feedback on the situation.  The issue has been resolved by Palo Alto Support on Sunday evening.

 

They applied a new Server version on our Tenant and that fixed the issue.

 

All good now!

Martin Cimone


L2 Linker

What do you mean by 'computers do not seem to receive the policy'?

 

Whenever a file is executed, Cortex XDR initiates its so-called File Analysis and Protection Flow, which makes its decision based on the profiles defined in the policies applied to the given endpoint.

 

Best,

D

A ticket is open with Palo Alto support.

 

Whenever I create a new set of policies, it does not apply to any endpoints.  NEVER!

 

Seems to be a "bug" within Palo Alto.

Martin Cimone

Hmm. I am sure PA will be able to help you as they can see more details. I know that in our case it is working normally.

 

Have you checked that the policy is correctly applied to the endpoints? 

 

Best,

D

Hi @MartinCimone 

 

You should be able to force a policy check-in by leveraging the script execution abilities of the agent.  You can run the cytool checkin command.  More info can be found at:

 

https://docs.paloaltonetworks.com/cortex/cortex-xdr/5-0/cortex-xdr-agent-admin/traps-agent-for-windo...

 

On your underlying issue, have you verified that the affected endpoints fall into the collection/group where the policy rule is applied?  If you look at the agent details:

 

1.  Do the endpoints show as online?

2.  Does it show the policy applied ?

3.  If you initiate a check-in from the endpoint itself, do you see successful communication?

 


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

Hi @dfalcon.

 

1.  Do the endpoints show as online?

YES they are.

 

2.  Does it show the policy applied ?

Nope.  That's my whole problem ...

 

3.  If you initiate a check-in from the endpoint itself, do you see successful communication?

Absolutely.  Targeted endpoints are even receiving content updates but are not updating the policy assigned to them.

 

A support case has been opened with Palo Alto and they are still investigating the issue.

 

Thanks for your time 😉

Martin Cimone

Will be interesting to see what the root cause was.


Sounds like there is no transmission between Endpoints and Console for policies only, which is weird.

 

Have you tried accessing the Endpoint via Console through Live Terminal? Or run any script from Action Center? Just to see if you are able to interact with them.

 

 

Hi @MartinCimone -

 

Can you go to one of the affected machines, make note of the time and click check-in now from the agent interface?  Once you have initiated the request, give it a few seconds.  Next, open the log file from the same agent interface.  Scroll to the bottom and work your way back up.  Look for the time you clicked check-in now.  Do you see any errors or communication failure messages during that time?  This may give us a good starting point to isolate the issue.


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 
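As an added example that is not part of this thread and not a Palo Alto Networks tool, the two checks suggested above (force a check-in with cytool, then read the agent log for errors logged after the request) put together into one PowerShell script to run from an elevated prompt on the affected Windows endpoint. The cytool.exe path, the log directory, the assumption that each log line starts with a `yyyy-MM-dd HH:mm:ss` timestamp, and the list of error keywords are all assumptions; confirm them against the agent version you run (the agent console's "open log file" shows the real location and format).

```powershell
# Added example, not from the thread. Forces a Cortex XDR agent check-in and then
# reports error-looking log lines written after the request was made.
# Run from an elevated PowerShell prompt on the endpoint that is not picking up policy.
param(
    # ASSUMED default install path of the Cortex XDR (formerly Traps) agent.
    [string]$CytoolPath = 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe',
    # ASSUMED agent log directory; verify via the agent console's "open log file".
    [string]$LogDir     = 'C:\ProgramData\Cyvera\Logs',
    # How long to let the agent talk to the tenant before reading the log.
    [int]$WaitSeconds   = 30
)

# Returns the newest *.log file, how many lines it logged at or after $Since,
# and those of them that look like errors or communication failures.
function Get-AgentLogErrors {
    param([string]$Dir, [datetime]$Since)

    $log = Get-ChildItem -Path $Dir -Filter '*.log' -File -ErrorAction Stop |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $log) { throw "no *.log files found under $Dir" }

    $recent = 0
    $hits   = @()
    # Only the tail is read; a check-in produces a handful of lines, not thousands.
    foreach ($line in Get-Content -Path $log.FullName -Tail 5000) {
        # ASSUMPTION: lines start with an ISO-style timestamp. Lines without one are skipped.
        if ($line -notmatch '^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})') { continue }
        $stamp = [datetime]$Matches[1]
        if ($stamp -lt $Since) { continue }
        $recent++
        # ASSUMED keywords; extend with whatever your agent version logs on failure.
        if ($line -match 'error|fail|timeout|refused|denied|certificate|ssl|tls|proxy') {
            $hits += $line
        }
    }
    [pscustomobject]@{ LogFile = $log.FullName; LinesAfter = $recent; Errors = $hits }
}

if (-not (Test-Path -Path $CytoolPath)) { throw "cytool.exe not found at $CytoolPath" }

# 1. Note the time (rounded back one second so a line stamped in the same second
#    as the request is not filtered out), then request an immediate check-in.
$start = (Get-Date).AddSeconds(-1)
Write-Host "Check-in requested at $($start.ToString('yyyy-MM-dd HH:mm:ss'))"
& $CytoolPath checkin            # may prompt for the agent supervisor password
if ($LASTEXITCODE -ne 0) { Write-Warning "cytool checkin returned exit code $LASTEXITCODE" }

# 2. Give the agent time to contact the tenant.
Start-Sleep -Seconds $WaitSeconds

# 3. Read the log from the request time onward and summarise what was found.
$result = Get-AgentLogErrors -Dir $LogDir -Since $start
Write-Host "Inspected $($result.LogFile): $($result.LinesAfter) line(s) since the request"
if ($result.LinesAfter -eq 0) {
    Write-Warning 'No log lines after the check-in request: the agent may not have tried to contact the tenant at all.'
} elseif ($result.Errors.Count -eq 0) {
    Write-Host 'No error-like lines found; the check-in itself looks healthy. Compare the policy shown for this endpoint in the console with the rule you expect.'
} else {
    Write-Warning "$($result.Errors.Count) suspicious line(s) since the request:"
    $result.Errors | ForEach-Object { Write-Output $_ }
}
```

The three outcomes map onto the three questions asked above: no lines at all after the request points at the agent not checking in, error lines point at a communication or certificate problem on the path to the tenant, and a clean check-in with the wrong policy still shown in the console points at the server side, which is where this particular case ended up.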

Hi @DKasabji 

 

YES, Live Terminal, Action and Script are working perfectly on the targeted endpoint.

 

The problem seems only related to Policy.

 

I'll keep you informed as soon as I get some news from the Palo Alto Support investigation.

Martin Cimone

L2 Linker

Isn't "Perform Heartbeat" under right-click Endpoint Control the way to ask the endpoint to check in before the 5 minute interval?

 

While I have not had this issue with 7.1.3 Prevent, the first thing I would check is that your firewall is not blocking anything, to rule out some odd communication issue.

 

 
