Force policy check in Cortex XDR


Hi,

Is there any way to force a policy check on an endpoint?

I have created a new Policy Rule and assigned a new set of Policy Profiles to it. I then assigned specific endpoints to this Policy Rule, and the rule is #1 in the policy order tab.

The problem I am facing is that the targeted computers do not seem to receive the new policy.

YES, the rule is ENABLED 😉

Thanks for your time.

Martin Cimone
Accepted Solution

Hi guys,

Quick feedback on the situation. The issue has been resolved by Palo Alto Support on Sunday evening.

They applied a new server version on our tenant and that fixed the issue.

All good now!

Martin Cimone

What do you mean by 'computers do not seem to receive the policy'?

Whenever there is some file execution, Cortex XDR will initiate its so-called File Analysis and Protection Flow, which makes its decision based on the profiles defined within the policies applied to the given endpoint.

Best,

D

A ticket is open with Palo Alto support.

Whenever I create a new set of policies, it does not apply to any endpoints. NEVER!

Seems to be a "bug" within Palo Alto.

Martin Cimone

Hmm. I am sure PA will be able to help you as they can see more details. I know that in our case it is working normally.

Have you checked that the policy is correctly applied to the endpoints?

Best,

D

Hi @MartinCimone

You should be able to force a policy check-in by leveraging the script execution abilities of the agent. You can initiate a cytool checkin command. More info can be found at:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/5-0/cortex-xdr-agent-admin/traps-agent-for-windo...

On your underlying issue, have you verified that the affected endpoints fall into the collection/group where the policy rule is applied? If you look at the agent details:

1. Do the endpoints show as online?

2. Does it show the policy applied?

3. If you initiate a check-in from the endpoint itself, do you see successful communication?

David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 
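The reply above names the cytool checkin command and three things to verify in the agent details. The following PowerShell script is an added example, not code from the thread or from Palo Alto Networks: it checks that the agent binary and service are present on a Windows endpoint, runs the check-in, and writes a timestamped log that an administrator can compare against the endpoint's last check-in time and applied policy in the console. The cytool.exe install path, the 'cyserver' service name, and the meaning of a zero exit code are assumptions and are marked as such in the code; only the checkin command itself comes from the reply.

```powershell
# Added example (not from the original post or from Palo Alto Networks):
# force a policy check-in with 'cytool checkin' and record the outcome, so the
# result can be compared with the agent details shown in the Cortex XDR console.
# Assumptions (not stated in the thread): the default cytool.exe location, the
# agent service name 'cyserver', and that exit code 0 means the request was accepted.

param(
    # Default install location is an assumption; adjust to your deployment.
    [string]$CytoolPath = "C:\Program Files\Palo Alto Networks\Traps\cytool.exe",
    [string]$LogPath = "$env:ProgramData\cytool-checkin.log"
)

function Write-Log {
    param([string]$Message)
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

# 1. Is the agent binary present? Without it the endpoint cannot receive any policy.
if (-not (Test-Path -Path $CytoolPath)) {
    Write-Log "cytool.exe not found at '$CytoolPath' - is the agent installed on this endpoint?"
    exit 2
}

# 2. Is the agent service running? (Service name 'cyserver' is an assumption.)
$svc = Get-Service -Name 'cyserver' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Log "Agent service 'cyserver' not found; the endpoint will show offline in the console"
} else {
    Write-Log "Agent service status: $($svc.Status)"
}

# 3. Force the check-in. 'cytool checkin' is the command named in the reply above.
#    Assumption: the command does not prompt interactively in this context; if your
#    agent asks for the supervisor password, run it from an interactive console instead.
$output = & $CytoolPath checkin 2>&1
$code = $LASTEXITCODE
foreach ($l in $output) { Write-Log "cytool: $l" }

# 4. Interpret the result. Exit code 0 is taken to mean the check-in was accepted
#    (assumption); confirm in the console that the endpoint's last check-in time and
#    applied policy have updated before concluding the rule is being delivered.
if ($code -eq 0) {
    Write-Log "Check-in requested successfully (exit code 0)"
    exit 0
} else {
    Write-Log "Check-in returned exit code $code; review the agent log before escalating"
    exit 1
}
```

Run the script with administrative rights on one affected endpoint, then compare the logged timestamp with the last check-in time the console shows for that endpoint: if the check-in succeeds locally but the console still shows the old policy, the problem is on the server side rather than in the endpoint assignment, which is consistent with the accepted solution in this thread.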