How to check endpoint has no agent and integrate EDL with NGFW


L1 Bithead

Hi Expert ,

 

How do I check whether an endpoint has no agent, and integrate an EDL with the NGFW when such an endpoint is found?

 

Now, I have tried to create a Python script to get all endpoints, but I have no idea how to check whether an endpoint has no agent.

 

Thank you

3 REPLIES

L5 Sessionator

Hi @Pattarachai-FTH , 

 

Thank you for writing to live community!

 

Having no agent is one part of the problem, and integrating an EDL with the NGFW is another. These are not related. Can you help us with a more specific use case on the same?

 

Your asset management tools can be used for checking which applications are installed; however, you can also do so using Cortex XDR by using the Broker VM network mapper as a tool and aggregating DHCP logs for asset discovery. The Cortex XDR network mapper will scan the subnet to discover IPs and will populate entries for endpoints with the agent installed as "YES". DHCP log ingestion will help you get the appropriate MAC addresses for devices with IPs that do not have the Cortex agent installed on them. Some of them might be ICND devices where you cannot install agents, but the remaining ones can be checked for missing agents and pushed for installation.

 

Waiting to hear from you on your EDL perspective. Please mark this "Accept as Solution" if it answers your question.

 

Regards

L1 Bithead

If you have an asset management tool like SCCM, I would recommend creating a PowerShell script (or whatever scripting language you prefer) to run the command and parse the response to ensure it matches the current day. This will accomplish two checks: one being that the agent is installed (if the command fails because cytool does not exist, the agent is not installed), and the other that it's healthy and connecting, by validating that it connected to the console that day. You'll sometimes run into agents where the service is running, but for one reason or another it's not communicating successfully, so this will validate that.

L1 Bithead

Sorry I forgot to include the actual command, it's "cytool last_checkin" - see https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/7.9/Cortex-XDR-Agent-Administrator-Guide/Cytoo...
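A worked version of the check described in the two replies above, added here as an example; it is not code from this thread or from Palo Alto Networks. It assumes the agent installs cytool.exe under the default Windows path `C:\Program Files\Palo Alto Networks\Traps\` and that `cytool last_checkin` prints a timestamp in a form .NET can parse (both are assumptions; adjust the path and regex to your agent version). The EDL writer at the end produces a plain text file with one address per line, which is the format an NGFW external dynamic list of type IP reads; the web server path it writes to is a placeholder.

```powershell
# Added example (not from the thread): classify a Windows host by Cortex XDR agent state
# using "cytool last_checkin", then emit an EDL-style list of hosts that have no agent.

# ASSUMPTION: default install path of the Cortex XDR (Traps) agent on Windows.
$CytoolPath = 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe'

function Get-CortexAgentState {
    param([string]$Cytool = $CytoolPath)

    $ipv4 = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        Select-Object -First 1 -ExpandProperty IPAddressToString

    $result = [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        IP          = $ipv4
        State       = 'Unknown'
        LastCheckin = $null
        Raw         = ''
    }

    # Check 1: cytool absent means the agent is not installed at all.
    if (-not (Test-Path -LiteralPath $Cytool)) {
        $result.State = 'NoAgent'
        return $result
    }

    # Check 2: ask the agent when it last talked to the console.
    $output = (& $Cytool last_checkin 2>&1 | Out-String).Trim()
    $result.Raw = $output
    if ($LASTEXITCODE -ne 0) {
        # Binary exists but the command failed: installed, but not answering.
        $result.State = 'AgentError'
        return $result
    }

    # ASSUMPTION: the output contains an ISO-like date, optionally followed by a time.
    $match = [regex]::Match($output, '\d{4}-\d{2}-\d{2}(?:[ T]\d{2}:\d{2}(?::\d{2})?)?')
    if (-not $match.Success) {
        return $result   # State stays 'Unknown'; Raw holds the text for manual review.
    }

    $result.LastCheckin = [datetime]::Parse($match.Value)
    # Healthy only if the agent checked in today, as the reply above suggests.
    if ($result.LastCheckin.Date -eq (Get-Date).Date) {
        $result.State = 'Healthy'
    } else {
        $result.State = 'Stale'
    }
    return $result
}

function Write-NoAgentEdl {
    # Write one IP per line for every host whose State is NoAgent.
    # An NGFW EDL of type IP polls this file over HTTP(S) from a web server you host.
    param(
        [Parameter(Mandatory)] [object[]]$Entries,
        [Parameter(Mandatory)] [string]$Path
    )
    $lines = $Entries |
        Where-Object { $_.State -eq 'NoAgent' -and $_.IP } |
        Select-Object -ExpandProperty IP -Unique
    # Always write the file (possibly empty) so the firewall's poll never fails on a missing list.
    Set-Content -LiteralPath $Path -Value ($lines -join "`n") -Encoding ASCII
    return @($lines).Count
}

# Usage: run on the endpoint (or via SCCM), collect the objects centrally, then build the EDL.
$state = Get-CortexAgentState
$state | Format-List
# PLACEHOLDER path: the document root of the web server the NGFW pulls the EDL from.
$count = Write-NoAgentEdl -Entries @($state) -Path 'C:\inetpub\wwwroot\no-agent-edl.txt'
Write-Host "Wrote $count address(es) to the no-agent EDL"
```

In practice the per-host objects would be collected from each endpoint by your asset management tool, and only the aggregator writes the EDL file; the firewall then refreshes the list on its configured interval, so a host stays in the list until its agent checks in and the next aggregation run drops it.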
