When Broker VM cannot connect to Paloalto Cloud Console, how to enable its Local Agent Settings service

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

When Broker VM cannot connect to Paloalto Cloud Console, how to enable its Local Agent Settings service

L1 Bithead

 

Hello, everyone

Does anyone know how to use the SSH command to execute commands to the Broker VM, so that the Broker VM can start the Local Agent Settings service even when it cannot connect to the Paloalto Cloud Console.

Because we have customers who implement physical isolation in the military, the BrokerVM Local Agent Settings service will stop when the Internet is disconnected. At this time, all XDR Agents will have a red alarm and cannot connect to the host (because we used ---proxy- list="10.1.1.1:8888"", I don't know if we enable the BrokerVM service, it will not have a red alarm, and then when the Broker VM can connect to the Paloalto Cloud Console, This Broker VM will send the Queue message to Paloalto Cloud Console ? Such as Alert, Agent status, etc.?

 
1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @kentwuhc ,

 

Thank you for writing to live community!

 

First of all, we would appreciate if you would be okay to remove the data logs attached to the query as this is a public forum and it would expose the configuration information.

 

In cases when network isolation is performed the broker vm will not be able to send the data to the cloud. The broker VM and cortex xdr in totality are meant to be cloud solutions and there would be no ways to bypass network to start the services or applets.The local agent settings applet still stays up and running but because we do not have network connectivity, the agent is not able to send the data to the cloud and also, the proxy fails. The broker vm is a transparent app specific proxy and if the agents fail to send data to the xdr cloud only. The broker vm local agent settings applet does not cache the EDR data from the agents, rather it is the agents itself who cache the EDR data and other relevant data upto a specific threshold in the local disk and when the connectivity is restored, they connect to the cloud and all the data is uploaded. 

 

Hope this clarifies it

View solution in original post

3 REPLIES 3

L5 Sessionator

Hi @kentwuhc ,

 

Thank you for writing to live community!

 

First of all, we would appreciate if you would be okay to remove the data logs attached to the query as this is a public forum and it would expose the configuration information.

 

In cases when network isolation is performed the broker vm will not be able to send the data to the cloud. The broker VM and cortex xdr in totality are meant to be cloud solutions and there would be no ways to bypass network to start the services or applets.The local agent settings applet still stays up and running but because we do not have network connectivity, the agent is not able to send the data to the cloud and also, the proxy fails. The broker vm is a transparent app specific proxy and if the agents fail to send data to the xdr cloud only. The broker vm local agent settings applet does not cache the EDR data from the agents, rather it is the agents itself who cache the EDR data and other relevant data upto a specific threshold in the local disk and when the connectivity is restored, they connect to the cloud and all the data is uploaded. 

 

Hope this clarifies it

L1 Bithead
Thank you for your quick reply, so this customer's architecture does not apply to the XDR solution, can it be understood in this way?

Hi @kentwuhc ,

 

Not sure if I understand the use case clearly in physical isolation, but to the use case of trying to enable the local agent settings applet on network disconnection, it would not be applicable. The agent is capable of caching the data and then when network is restored, it should be able to upload the data. 

 

Hope this helps.

  • 1 accepted solution
  • 1727 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!