Prisma Access Agent Logs and Management Logs
Learn how to audit Prisma Access Agent logs and management logs using the log
viewer on Strata Cloud Manager.
Where Can I Use This?
- Prisma Access (Managed by Strata Cloud Manager)
- Prisma Access (Managed by Panorama)
- NGFW (Managed by Panorama)
What Do I Need?
- Check the prerequisites for the deployment you're using
- Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
You can use the auditing and logging features of the Prisma Access Agent to help
improve your problem investigation and troubleshooting experience. Having the correct
context and data about the errors that occurred can help you reduce the time for
remediation.
Prisma Access Agent logs and management logs are generated and sent to
Strata Logging Service. The logs are viewable in the log viewer or
Strata Logging Service, where you can use the capabilities of the log viewer
to filter and search for various data to help you audit and analyze
information in the logs.
You can use the auditing capabilities to perform troubleshooting tasks such as:
- Debugging and completing root cause analysis on user authentication failures. For
  example, you would like to understand at what stage the user authentication is
  failing, including:
  - Did the Prisma Access Agent receive an authentication response from
    the Cloud Identity Engine?
    To troubleshoot this, you can audit the management log to look for the
    Event ID Value of Epm Cie Token Validation and validate whether the
    event succeeded or failed.
  - Did Prisma Access Agent send a reply to the Prisma Access Agent app?
    To troubleshoot this, you can audit the management log to look for the
    Event ID Value of Epm Auth Response and validate whether the event
    succeeded or failed.
- Troubleshooting user tunnel connections and performance concerns. As a part of the
  investigation, you might need to understand the following aspects:
  - Was the tunnel established using the IPSec protocol?
    To troubleshoot this, you can audit the Prisma Access Agent log to look
    for the Tunnel Type of IPSEC and validate whether the event succeeded
    or failed.
  - Did the tunnel connection fall back from IPSec to SSL?
    To troubleshoot this, you can audit the Prisma Access Agent log to look
    for the Event ID Value of gateway-switch-to-ssl and validate whether
    the event succeeded or failed.
- Receiving notifications when a Prisma Access agent is tampered with through file
  downloads, process, or registry changes.
  To troubleshoot this, you can audit the Prisma Access Agent log to look for
  logs with the Description (opaque) that is similar to File Anti-Tampering,
  Process Anti-Tampering, or Registry Anti-Tampering and validate whether
  the event succeeded or failed.
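The checks listed above can also be run offline against exported log records. The following is an added example, not Palo Alto Networks code: the CSV column names (log_type, user, event_id_value, tunnel_type, description, status) and the sample rows are constructed assumptions, so map them to the fields in your own export. Only the event and description values come from this page.

```python
import csv
import io

# Constructed sample export; column names are assumptions, not the product schema.
SAMPLE_CSV = """log_type,user,event_id_value,tunnel_type,description,status
management,alice,Epm Cie Token Validation,,,success
management,alice,Epm Auth Response,,,failure
management,bob,Epm Cie Token Validation,,,failure
agent,carol,,IPSEC,,failure
agent,carol,gateway-switch-to-ssl,,,success
agent,dave,,IPSEC,,success
agent,erin,,,Registry Anti-Tampering: key modified,success
"""

# Authentication stages in the order this page lists them (assumed pipeline order).
AUTH_STAGES = ["Epm Cie Token Validation", "Epm Auth Response"]
TAMPER_MARKERS = ("File Anti-Tampering", "Process Anti-Tampering",
                  "Registry Anti-Tampering")

def triage(csv_text):
    """Answer the page's troubleshooting questions from exported log rows."""
    findings = {"auth_failed_at": {}, "ipsec_failed": set(),
                "ssl_fallback": set(), "tamper": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        ok = row["status"].strip().lower() == "success"
        event = row["event_id_value"].strip()
        if row["log_type"] == "management" and event in AUTH_STAGES:
            if not ok:
                # Keep the earliest failing stage per user.
                prev = findings["auth_failed_at"].get(user)
                if prev is None or AUTH_STAGES.index(event) < AUTH_STAGES.index(prev):
                    findings["auth_failed_at"][user] = event
        elif row["log_type"] == "agent":
            if row["tunnel_type"].strip().upper() == "IPSEC" and not ok:
                findings["ipsec_failed"].add(user)
            if event == "gateway-switch-to-ssl" and ok:
                findings["ssl_fallback"].add(user)
            # "Similar to" match: case-insensitive substring on the description.
            desc = row["description"].lower()
            hit = next((m for m in TAMPER_MARKERS if m.lower() in desc), None)
            if hit:
                findings["tamper"].append((user, hit))
    return findings

if __name__ == "__main__":
    for question, answer in triage(SAMPLE_CSV).items():
        print(question, "->", answer)
```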