1. Home
    2. Cloud Identity
    3. Cloud Identity Engine Getting Started
    4. Troubleshoot the Cloud Identity Engine
    5. Cloud Identity Engine Troubleshooting Checklist

    Cloud Identity Engine Troubleshooting Checklist

    Review the checklist to troubleshoot Cloud Identity Engine configuration and connection issues.
    Use the checklist below to troubleshoot general issues such as configuration or connection issues for the Cloud Identity Engine. After each task, check if the issue still exists before attempting the next task.
    1. Confirm that your configuration meets the system requirements.
    2. Use the Palo Alto Networks services status page (status.paloaltonetworks.com) to confirm that the Cloud Identity Engine service is active.
    3. Use the system logs on the firewall associated with your Cloud Identity Engine tenant to check the Cloud Identity Engine status for any issues.
    4. (
      On-premises Active Directory only
      ) Confirm that you have configured your network to allow Cloud Identity Engine traffic.
    5. (
      On-premises Active Directory only
      ) Confirm your configuration is correct.
      • On the agent host:
        • Confirm you have administrator privileges for the agent host so that you can install and configure the agent.
        • Confirm that the
          Protocol
           you specify for the agent is supported and enabled on the agent host.
        • Close the agent and restart it.
        • Clear the DNS cache by entering the following command from an administrative command prompt:
          ipconfig /flushdns
          .
        • Confirm the server where you installed the agent meets the system requirements.
      • On the agent:
        • Stop and restart the connection to the Cloud Identity Engine service.
        • Confirm that the
          Bind DN
           and
          Bind Password
           are correct.
        • Confirm that the region for the
          Cloud Identity Engine
           in your
          Cloud Identity Configuration
           matches the region for your tenant.
        • Confirm that the
          Domain
           is a fully qualified domain name and the specified
          Port
           on the Active Directory server allows communication with the Cloud Identity agent.
        • Try increasing your
          Bind Timeout
           and
          Search Timeout
           to allow more time for the agent to connect and the search to complete.
      • In the app:
        • Check the
          Agents & Certificates
           page to verify you are using the latest version of the agent.
        • Check the
          Directories
           and
          Agents & Certificates
           pages to confirm the domains the agent is monitoring are correct.
        • Check the
          Directories
           page to confirm the
          NetBIOS Name
           is not empty. If the NetBIOS Name is empty, correct the domain name in the Cloud Identity agent and commit your changes. Wait at least five minutes before using the
          Directories
           page to verify the domain name and NetBIOS name are now correct, then remove the entry for the incorrect domain in the app.
    6. (
      On-premises Active Directory only
      ) Check the status of your certificates.
      • On the agent host:
        • If you are using LDAPS or LDAP with STARTTLS, confirm the root and intermediate CA certificates that were used to issue your domain controller certificates are valid and available in the Local Computer Trusted Root CA.
        • Confirm that you are not using a certificate that was generated for another tenant and that the certificate is not used for another agent or service.
        • Confirm you have generated a unique certificate in the Cloud Identity Engine app for each agent and that it is available in the Local Computer certificate store of the agent host.
      • In the app:
        • Check the
          Agents & Certificates
           page to verify that the agent has an associated
          Certificate
          .
        • Check the
          Agents & Certificates
           page to verify that the certificate status is not expired or revoked.
    7. (
      On-premises Active Directory only
      ) Confirm all connections are active.
      • On the agent:
        • Check the
          Cloud Identity Configuration
           to verify that the agent status is
          Running
          .
        • Check the
          LDAP Configuration
           is valid and
          Test Connectivity to AD
           to confirm the connection to your Active Directory is active.
        • View the
          Monitoring
           page to confirm the agent is
          Connected
           to the
          Cloud Identity Engine
          .
        • Check when the
          Last Update to Cloud Identity Engine
           was successful to determine the last time the agent was able to connect to the service.
        • Check when the
          Last LDAP Fetch
           was successful to determine the last time the agent was able to connect to your Active Directory.
      • In the app:
        • Check the
          Directories
           page for the
          Sync Status
           to determine if the last sync between the agent and the service was successful.
        • Check when the attributes were
          Last Updated
           by your Active Directory.
        • Check the
          Agents & Certificates
           page to confirm the agent’s
          Status
           is
          Online
          .
    8. (
      Cloud-based directory only
      ) If you are experiencing issues with your cloud-based directory:
      • Reconnect your directory to your Cloud Identity Engine tenant.
      • Verify your directory credentials are correct.
      • Verify that you have granted the permissions that the Cloud Identity Engine requires.
    If you are still encountering issues:

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo