Symptoms
A firewall is unable to register to Cortex Data Lake (CDL) for log forwarding. You might see red lights under the logging status, or the firewall might fail to connect to CDL.
Diagnosis
- Make sure FQDN refresh is enabled on the firewall.
- Confirm that the firewall can resolve the CDL FQDN.
- Confirm that traffic from the firewall to CDL is not being decrypted.
- Confirm that the URLs and ports below are whitelisted for Prisma Access communication.
NOTE: More information can be found at Set Up Prisma Access.
  - Port 444 (for Cortex Data Lake)
  - api.lc.prod.us.cs.paloaltonetworks.com (for Cortex Data Lake)
  - api.gpcloudservice.com (for Prisma Access)
  - api.paloaltonetworks.com (for Prisma Access)
  - apitrusted.paloaltonetworks.com (for Prisma Access)
Solution
Try the following steps from the firewall's CLI.
- Troubleshooting
  - delete license key <logging_service_key>
  - request logging-service-forwarding certificate delete
  - request logging-service-forwarding certificate fetch
- Verification
  - show logging-status
  - debug log-receiver rawlog_fwd_trial stats global show
  - request logging-service-forwarding status
  - request license info
  - show system state | match lcaas
  - show system state | match cust
  - request logging-service-forwarding customerinfo show
  - request logging-service-forwarding certificate info
  - show netstat numeric-hosts yes numeric-ports yes | match 3978
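An added example, not part of the original article or of Palo Alto Networks tooling: a Python helper for reading the output of the last verification command once it has been copied off the firewall. It assumes the output follows the usual netstat column layout (proto, recv-q, send-q, local, foreign, state); the sample rows are constructed and use documentation addresses, and the function names are hypothetical.

```python
import re

LOG_PORT = 3978  # port matched by the netstat verification command above

# Constructed sample output; addresses are documentation ranges, not real CDL hosts.
SAMPLE = """\
tcp        0      0 192.0.2.10:51514        198.51.100.7:3978       ESTABLISHED
tcp        0      1 192.0.2.10:39780        198.51.100.8:443        SYN_SENT
tcp        0      1 192.0.2.10:40112        198.51.100.9:3978       SYN_SENT
"""

# Assumed column layout: proto recv-q send-q local:port foreign:port state
ROW = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def connections(output, port=LOG_PORT):
    """Return (remote_host, state) for rows whose remote port equals `port`."""
    found = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        # `match 3978` is a substring filter, so it also returns rows where
        # 3978 appears inside a local port or an address; keep only rows
        # whose remote port is exactly the one we care about.
        if m and int(m.group(5)) == port:
            found.append((m.group(4), m.group(6)))
    return found


def assess(output, port=LOG_PORT):
    """Classify the state of the firewall's sessions to `port`."""
    states = {state for _, state in connections(output, port)}
    if "ESTABLISHED" in states:
        return "established"
    if "SYN_SENT" in states:
        # SYNs leave the firewall but no SYN-ACK comes back: review the
        # upstream allow rules for this port on the path to CDL.
        return "handshake-stalled"
    if states:
        return "other:" + ",".join(sorted(states))
    # No session attempted: review DNS resolution, license and certificate.
    return "no-connection"


if __name__ == "__main__":
    print(assess(SAMPLE))
```
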
If these steps do not help, please Start a Topic in the Prisma Access Discussions area for community help. You may also open a TAC Case for further assistance; be sure to reference the error and the steps provided. You can reference this document if needed.