Troubleshoot NGFW Connectivity and Policy Enforcement Anomalies
Strata Cloud Manager

Troubleshoot issues on your NGFWs.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series, funded with Software NGFW Credits
What Do I Need?
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app) is required for Cloud Management for NGFWs
  • Strata Logging Service license is required for logging
  • If you have a Prisma Access license, you can use Folder Management to view your predefined folders and enable Web Security for a folder
Troubleshoot your NGFWs from Strata Cloud Manager without having to move between various firewall interfaces. If you experience connectivity issues after deploying and configuring your NGFWs, you can get an aggregate view of your routing and tunnel states, and drill down to specifics to find anomalies and problematic configurations.
Troubleshoot your identity-based policy rules and dynamically defined endpoints. You can check the status of specific NGFWs and expose possible mismatches between how you expect a policy to work and its actual enforcement behavior.
You can drill down on issues that might arise within these networking and identity features to track down and resolve connectivity issues or policy enforcement anomalies:
  • Network Troubleshooting
  • Identity and Policy Troubleshooting
Go to the feature you want to troubleshoot and select the
button to get started.
View and sort troubleshooting jobs you've run by Status, Action, Search Target, and Timestamp.
DNS Proxy (Network)
  • Feature Location: Manage > Configuration > NGFW and Prisma Access > Device Settings > DNS Proxy
  • Available Actions:
    • Show DNS Proxy Cache
    • Search the DNS Proxy Cache
  • Action Scope: Firewalls you specify
  • Job Output Organized By:
    • Domain Name
    • IP Address
    • Type: IPv4 Address Record (A), IPv6 Address Record (AAAA), Canonical Name Record (CNAME), Mail Exchange Record (MX), and Pointer to a canonical name (PTR)
    • Class: Internet (IN TCP/IP), Chaos (CH), and Hesiod (HS)
    • Time-to-live (TTL) in seconds
    • Hits: Number of times the record was requested since the last reboot

NAT (Network)
  • Feature Location: Manage > Configuration > NGFW and Prisma Access > Network Policies
  • Available Actions:
    • Show the NAT Rule IP Pool
  • Action Scope: Firewalls you specify
  • Job Output Organized By:
    • Rule
    • Type
    • Used
    • Available
    • Memory Size Ratio

User Groups (Identity)
  • Feature Location: Manage > Configuration > NGFW and Prisma Access > Identity Services > Cloud Identity Engine
  • Available Actions:
    • Show User Group
    • Search User Group
  • Action Scope: Firewalls you specify
  • Job Output Organized By:
    • Username
    • Group

  • Feature Location: Manage > Configuration > NGFW and Prisma Access > Address Groups
  • Available Actions:
    • Show All Dynamic Address Groups
    • Search for a Dynamic Address Group (Chosen from a list)
  • Action Scope: Firewalls you specify
  • Job Output Organized By:
    • Name
    • Filter
    • Members

  • Feature Location: Manage > Configuration > NGFW and Prisma Access > Dynamic User Groups
  • Available Actions:
    • Search by Dynamic User Group
    • Search by Username
  • Action Scope: Firewalls you specify
  • Job Output Organized By:
    • Members (Username) and / or Dynamic User Group

User ID (Identity)
  • Feature Location: Manage > Configuration > NGFW and Prisma Access > Identity Services > Identity Redistribution
  • Available Actions:
    • Show All User IP Mapping
    • Search For User IP Mapping
  • Action Scope: Firewalls you specify
  • Job Output Organized By:
    • IP
    • User
    • From
    • Idle Timeout
    • Max Timeout

Export Metadata for Troubleshooting

To provide technical support with the information they need to better assist you, AIOps for NGFW enables you to export your deployment data to your local machine. This data arrives in JSON files that are compressed in the gzip format.
  1. Select Help > Export Tenant Metadata.
  2. Prepare Metadata.
  3. Download your metadata file.
    The metadata file name contains your Customer Support Portal (CSP) ID, your AIOps for NGFW tenant ID, and the timestamp for the export:
