09-09-2020 07:15 AM
Hi,
Is there any way to force a policy check on an endpoint?
I have created a new Policy Rule and assigned a new set of Policy Profiles to it. I then assigned specific endpoints to this Policy Rule and the rule is #1 in the policy order tab.
The problem I am facing is that the targeted computers do not seem to receive the new policy.
YES, the rule is ENABLED 😉
Thanks for your time.
09-15-2020 10:53 AM
Hi guys,
Quick feedback on the situation. The issue has been resolved by PaloAlto Support on Sunday evening.
They applied a new Server version on our tenant and that fixed the issue.
All good now!
09-13-2020 09:00 AM
What do you mean by 'computers does not seem to receive policy'?
Whenever there is some file execution, Cortex XDR will initiate its so-called File Analysis and Protection Flow, which evaluates its decision based on the defined profiles within the policies applied to the given endpoint.
Best,
D
09-14-2020 04:46 AM
A ticket is open with PaloAlto support.
Whenever I create a new set of policies, it does not apply to any endpoints. NEVER!
Seems to be a "bug" within PaloAlto.
09-14-2020 04:55 AM
Hmm. I am sure PA will be able to help you as they can see more details. I know that in our case it is working normally.
Have you checked that the policy is correctly applied to the endpoints?
Best,
D
09-14-2020 06:04 AM
You should be able to force a policy check-in by leveraging the script execution abilities of the agent. You can initiate a cytool checkin command. More info can be found at:
On your underlying issue, have you verified that the affected endpoints fall into the collection/group where the policy rule is applied? If you look at the agent details:
1. Do the endpoints show as online?
2. Does it show the policy applied?
3. If you initiate a check-in from the endpoint itself, do you see successful communication?
09-14-2020 06:08 AM
Hi @dfalcon.
1. Do the endpoints show as online?
YES they are.
2. Does it show the policy applied?
Nope. That's my whole problem ...
3. If you initiate a check-in from the endpoint itself, do you see successful communication?
Absolutely. Targeted endpoints are even receiving content updates but are not updating the policy assigned to them.
A support case has been opened with PaloAlto and they are still investigating the issue.
Thanks for your time 😉
09-14-2020 06:11 AM
Will be interesting to see what the root cause was.
Sounds like there is no transmission between Endpoints and Console for only just policies, which is weird.
Have you tried accessing the Endpoint via Console through Live Terminal? Or run any script from Action Center? Just to see if you are able to interact with them.
09-14-2020 06:20 AM - edited 09-14-2020 06:21 AM
Hi @MartinCimone -
Can you go to one of the affected machines, make note of the time, and click check-in now from the agent interface? Once you have initiated the request, give it a few seconds. Next, open the log file from the same agent interface. Scroll to the bottom and work your way back up. Look for the time you clicked check-in now. Do you see any errors or communication failure messages during that time? This may give us a good starting point to isolate the issue.
09-14-2020 07:01 AM
Hi @DKasabji
YES, Live Action Terminal and Script are working perfectly on the targeted endpoint.
The problem seems only related to Policy.
I'll keep you informed as soon as I get some news from the Palo Alto Support investigation.
09-15-2020 07:33 AM
Isn't a "Perform Heartbeat" under right-click Endpoint Control the way to ask the endpoint to check in before the 5 minute interval?
While I have not had this issue with 7.1.3 Prevent, the first thing I would check is to ensure there are no blocks on your firewall to ensure there is not some odd communication issue.