>
    Strata Copilot
    Deploy and Configure Cloud Tracer
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Administration
    4. Deploy and Configure Cloud Tracer
    Download PDF
    Prisma AIRS

    Deploy and Configure Cloud Tracer

    Table of Contents

    Deploy and Configure Cloud Tracer

    Learn about Prisma AIRS Cloud Tracer.
    Where Can I Use This?What Do I Need?
    • Prisma AIRS AI Runtime Security
    You can diagnose multi-cloud network connectivity and security policy issues using Cloud Tracer. Cloud Tracer provides advanced diagnostic capabilities, offering real-time visibility into network traffic paths within your cloud environments. This tool helps network, security and cloud administrators understand packet traversal, identify bottlenecks, misconfigurations, or security policy violations, and validate network designs.
    Cloud Tracer is offered as a preview at this release.
    Use Cloud Tracer to diagnose multi-cloud network connectivity and security policy issues. Cloud Tracer delivers real-time insights into network traffic paths and security policy enforcement within your cloud environments. It enables you to trace packet routes and diagnose connectivity issues.
    This architecture provides granular, per-segment network visibility, and offers near real-time insights for issue resolution in your network.
    This procedure guides administrators through deploying, configuring, and validating the Cloud Tracer feature within your environment.
    1. Log in to Strata Cloud Manager.
    2. Navigate to Insights Cloud Network Security Cloud Tracer.
    3. Click Run Trace to get started.
    4. In the Trace Parameters screen, enter the following information:
      1. In the Source section, specify the Cloud Provider and use the drop-down to select the corresponding Region, select the VPC/VNet and indicate the IP address, then enter the Source Port and optionally select the Protocol (for example, TCP, UDP, or ICMP).
      2. In the Destination section, use the drop-down to select the Region, choose the VPC/VNet and indicate the IP address, then enter the Destination Port.
    5. Click Run Trace.
      Cloud Tracer displays a hop-by-hop visualization of the path, including Transit Gateways, Gateway Load Balancers, Internal Load Balancers, and Palo Alto firewalls. Misconfigurations, policy blocks, and routing issues are highlighted in the path view. Select any hop for per-hop detail: security group rules, NACLs, route table entries, and firewall policy evaluations.
      You can trace in both forward and reverse directions. Toggle the direction control before running the trace to reverse the path.
    6. Save and re-run trace queries. After a trace completes, select Save Query to store the source, destination, port, protocol, and direction; saved queries can be re-run at any time — for example, to confirm that a misconfiguration has been resolved after an update.
    7. Download a trace report. From a completed trace or saved query result, select Download Report. Cloud Tracer generates a PDF containing the full hop-by-hop path and detailed information for every component

    Validate Cloud Tracer Installation and Operation

    To validate Cloud Tracer operation:
    1. Navigate to Cloud Tracer > Status. This page provides an overview of deployed Cloud Tracer instances and their operational status.
    2. Verify the Status column for your Cloud Tracer instance shows Running. A Running status confirms successful deployment and active monitoring. Investigate any other status, such as Pending or Error.
    3. Perform a test trace to confirm active data collection:
      1. Select your deployed Cloud Tracer instance.
      2. Select Run Test Trace.
      3. Enter the Test Source IP (e.g., 192.168.1.15).
      4. Enter the Test Destination IP (e.g., 10.0.0.10).
      5. Select Initiate Trace.
      6. Review the initial trace results to confirm data visibility.
      7. Observe the Trace Path visualization, noting hops and devices.
      8. Check the Latency and Packet Loss metrics.
      9. Confirm trace data aligns with your network topology and expected traffic flow.

    © 2026 Palo Alto Networks, Inc. All rights reserved.