Verify and Troubleshoot Forwarding Profile Configurations for Dynamic Privilege Access Agents

• To view the traffic log files from the Strata Cloud Manager log viewer:

  1. Select Incidents & AlertsLog Viewer.
  2. View the Firewall/Traffic logs for more details.

• To view the traffic log files on an endpoint:

  1. Start the remote shell in ManagePrisma Access Agent or open a Windows command prompt or macOS terminal window on an end user's device.
  2. To show the forwarding rules in a forwarding profile, issue the following command:

     • On Windows:

       "C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" traffic show 

     • On macOS:

       /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli traffic show

     If you set up an environment variable for the PACli tool (pacli), you can just enter pacli traffic show.

     The sample PACli command-line output shows a table containing the forwarding rules that are in effect in the forwarding profile, including the priorities of the forwarding rules. The traffic enforcement selections for the forwarding profile are also shown. This table corresponds to the forwarding rules that you set up in your forwarding profile.
  3. To show the details of a forwarding rule, issue the following command:

     pacli traffic show <number>

     Where <number> is the number in the Priority column, for example:

  4. To troubleshoot split tunnel issues, you might need to examine what agent traffic is inside or outside the tunnel. You can do this by showing the Prisma Access Agent connection log. Issue the following command:

     pacli traffic log

     To show an individual log entry, issue the following command:

     pacli traffic log <index>

     Where <index> corresponds to the index number for the entry. For example:

     You can also export the connection log to a file for further analysis by issuing:

     pacli traffic log export <filename>