06-28-2023 08:09 AM - edited 06-28-2023 08:41 AM
Hello, everyone
Does anyone know how to use the SSH command to execute commands on the Broker VM, so that the Broker VM can start the Local Agent Settings service even when it cannot connect to the Palo Alto Cloud Console?
Because we have customers who implement physical isolation in the military, the Broker VM Local Agent Settings service will stop when the Internet is disconnected. At this time, all XDR Agents will have a red alarm and cannot connect to the host (because we used `--proxy-list="10.1.1.1:8888"`). I don't know if, when we enable the Broker VM service, it will not have a red alarm, and then, when the Broker VM can connect to the Palo Alto Cloud Console, will this Broker VM send the queued messages to the Palo Alto Cloud Console, such as alerts, agent status, etc.?
06-28-2023 08:31 AM
Hi @kentwuhc ,
Thank you for writing to live community!
First of all, we would appreciate if you would be okay to remove the data logs attached to the query as this is a public forum and it would expose the configuration information.
In cases when network isolation is performed, the Broker VM will not be able to send the data to the cloud. The Broker VM and Cortex XDR in totality are meant to be cloud solutions, and there would be no way to bypass the network to start the services or applets. The Local Agent Settings applet still stays up and running, but because we do not have network connectivity, the agent is not able to send the data to the cloud and the proxy also fails. The Broker VM is a transparent app-specific proxy and if the agents fail to send data to the XDR cloud only. The Broker VM Local Agent Settings applet does not cache the EDR data from the agents; rather, it is the agents themselves that cache the EDR data and other relevant data up to a specific threshold on the local disk, and when the connectivity is restored, they connect to the cloud and all the data is uploaded.
Hope this clarifies it
06-28-2023 08:47 AM
Thank you for your quick reply. So this customer's architecture does not apply to the XDR solution; can it be understood in this way?
06-28-2023 09:00 AM
Hi @kentwuhc ,
Not sure if I understand the use case clearly in physical isolation, but to the use case of trying to enable the local agent settings applet on network disconnection, it would not be applicable. The agent is capable of caching the data and then when network is restored, it should be able to upload the data.
Hope this helps.