I have a machine with Operational Status Data as:
Xdr Data Collection Not Running Or Not Sent
Module is disabled by Adaptive Policy
Btp Not Working
Module is disabled by Adaptive Policy
How can I remediate this machine so that its status will be back to Protected? Thanks!
Adaptive Policy is established to address high CPU/memory detected. When Adaptive Policy is first executed by the endpoint, it will go into a partially protected state as presented in the operational status data you provided. This will initially disable BTP and Event Collection (EC) functionality.
On the endpoint, cytool can be utilized to examine/manage the Adaptive Policy. From C:\Program Files\Palo Alto Networks\Traps, enter the command “cytool adaptive_policy query” into your command line to view the status of your Adaptive Policy state (assuming this is on Windows; commands may slightly differ depending on OS). It should look similar to the following in the case of your partially protected operational status with BTP and EC disabled.
More information regarding managing Adaptive Policy can be found when looking at the manual for the same command as well, with the “/?” option instead of “query”.
Setting the Adaptive Policy interval to zero (>cytool adaptive_policy interval 0) will disable Adaptive Policy from running from the next cycle and will disable the Adaptive Policy exception. Adaptive Policy recalculations can also be done to trigger a recalculation of the existing Adaptive Policy. The following remediation selections will likely vary in success depending on your existing configuration.
The available selections from this menu can be used to remediate the issue if high resource utilization is not persistent. If you are experiencing limited protection frequently, we highly recommend contacting technical assistance to help address this issue at support.paloaltonetworks.com.
Adaptive Policy was also one of the primary topics discussed in the Cortex XDR webinar for the month of September. More information can be found on the Live Community webinar page:
Thank you for your response!
Does it mean that if I disable the Adaptive Policy (setting the interval to 0) this should fix the Module is disabled by Adaptive Policy operational status data for XDR Data Collection and BTP?
Is it advisable to disable the Adaptive Policy?
Or is there any command that I can run on the machine to fix XDR Data Collection and BTP Module being disabled by Adaptive Policy?
I have located resolutions on other issues about Operation Status Data in the Knowledge Base, but this particular issue about the modules being disabled by Adaptive Policy is not indicated.
Hope you can shed some light.
As mentioned in the reply, setting the Adaptive Policy interval to 0 will disable Adaptive Policy from running its next cycle and will remove any existing Adaptive Policy exceptions. These exceptions are the limited functionality that you are seeing for XDR Data Collection and BTP.
This option can be good because the Adaptive Policy can be re-enabled and there will be no Partially Protected limitations if the issue is not persistent. Though, if you are experiencing this Partially Protected status on your endpoints frequently, we highly recommend contacting technical support to help address the issue at support.paloaltonetworks.com. The viability of disabling Adaptive Policy greatly depends on your existing environment.
The aforementioned Cortex XDR webinar for the month of September also discusses the different resolutions with Adaptive Policy in great detail. This is discussed both conceptually and through a live demo, so it is a great resource to inform yourself on this topic.
Hope that helps!