Use Serviceability Commands for Troubleshooting

Use the Serviceability Commands area to check routing information, retrieve service endpoint addresses, and clear security associations to assist with IPSec tunnel issues.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
Use the Serviceability Commands area to check routing information, clear the security associations for an existing IPSec tunnel, or retrieve the service endpoint address for your service connections and remote network connections.

Use Serviceability Commands for Troubleshooting (Strata Cloud Manager)

Use Logging Status, Routing Information, and EDL Info and Status to retrieve troubleshooting information.
To retrieve serviceability information for a Prisma Access (Managed by Strata Cloud Manager) deployment, complete these steps.
  1. Navigate to the serviceability commands.
    • For service connections, go to Configuration > NGFW and Prisma Access > Configuration Scope > Prisma Access > Service Connections.
    • For remote networks, go to Configuration > NGFW and Prisma Access > Configuration Scope > Prisma Access > Remote Networks.
  2. View the info in the Serviceability Commands area.
    • Routing Information—Provides you with routing information for service connections or remote networks. To view service connection information, select the service connection or remote network name from the drop-down. Click Show to show the routing table for the service connection or remote network connection.
      The Routing Table shows the following information:
      • Destination—The IP address and subnet of networks that the virtual router can reach.
      • Nexthop—The IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.
      • Metric/AD—The Metric for the route. When a routing protocol has more than one route to the same destination network, it prefers the route with the lowest metric value. Each routing protocol uses a different type of metric; for example, BGP uses the Multi Exit Discriminator (MED) Attribute. Prisma Access considers the metric when making routing decisions; for example, given the same route, Prisma Access prefers a static route with a lower metric over a BGP route with a higher metric.
      • Flags—The set of flags that are displayed for the route.
        • A?B—Active and learned from BGP
        • A C—Active and a result of an internal interface (connected) - Destination = network
        • A H—Active and a result of an internal interface (connected) - Destination = Host only
        • A R—Active and learned from RIP
        • A S—Active and static
        • O1—OSPF external type-1
        • O2—OSPF external type-2
        • Oi—OSPF intra-area
        • Oo—OSPF inter-area
        • S—Inactive (because this route has a higher metric) and static
    • Service IP Address—Retrieves the Service IP Address for a remote network or service connection.
      The service endpoint address is the FQDN or IP address that you use as the peer IP address for your CPE when you set up the IPSec tunnel for your service connection or remote network connection.
    • Clear Security Associations—Clears the security associations for a remote network or service connection.
      If you need to adjust the cryptographic profiles for an IPSec tunnel to resolve a mismatch, you can use this tool to clear the current IKE or IPSec security associations from both your CPE and Prisma Access, and then renegotiate the tunnel.
  3. (Optional) To export the results of the troubleshooting commands to a .csv file, select Export to CSV after running the command.

Use Serviceability Commands for Troubleshooting (Panorama)

Use Logging Status, Routing Information, and EDL Info and Status to retrieve troubleshooting information.
To retrieve serviceability information for a Prisma Access (Managed by Panorama) deployment, complete these steps.
  • If you are having issues with receiving logs from one or more locations, use the Logging Status for a mobile user location or remote network to see the connectivity status between Strata Logging Service and Prisma Access.
  • If you are experiencing routing issues with a service connection or remote network location, you can view the Prisma Access Routing Information.
  • If you are having issues with EDLs not being updated in a timely fashion, you can query Prisma Access to see what information (IP addresses or URLs) is included in the EDLs by viewing the EDL Info and EDL Status. You can also refresh the EDL information (EDL Refresh) or Search EDL by entering search terms to find data inside the EDLs you use with mobile users and remote networks.
  1. Go to Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Serviceability Commands.
  2. View the info in the Serviceability Commands area.
    • Logging Status—Provides you with the connection status between Strata Logging Service and Prisma Access for one or more mobile user locations or remote networks.
      To view Mobile Users logging information, select the Prisma Access Location from the drop-down, or select All to view the logging status for all locations. To view Remote Networks information, select the Site Name from the drop-down, or select All to view all remote networks. The Retrieved Data table shows the following information:
      • Connection Name—The mobile user location (for mobile users) or the name of the remote network connection.
        The name of the connection between the mobile user location or remote network and Prisma Access displays as Connection-xxxxxx, where xxxxxx is a six-digit number that identifies the mobile user location or remote network in the Prisma Access infrastructure.
        You cannot map this six-digit number to a location yourself, but the Connection Timestamp area shows the location of the mobile user location or remote network.
      • Status—The status (Up or Down) of the connection between Prisma Access and Strata Logging Service.
      • Connection Timestamp—The time that Panorama checked the connection status. The timestamp uses the local time of the mobile user location or remote network.
    • Routing Information—Provides you with routing information for service connections or remote networks. To view service connection information, select the Service Connection name from the drop-down; to view remote network information, select the Site Name from the drop-down. Click Show Route Table to show the routing table for the service connection or remote network connection. The Retrieved Data table shows the following information:
      • Destination—The IP address and subnet of networks that the virtual router can reach.
      • Nexthop—The IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.
      • Metric—The Metric for the route. When a routing protocol has more than one route to the same destination network, it prefers the route with the lowest metric value. Each routing protocol uses a different type of metric; for example, BGP uses the Multi Exit Discriminator (MED) Attribute. Prisma Access considers the metric when making routing decisions; for example, given the same route, Prisma Access prefers a static route with a lower metric over a BGP route with a higher metric.
      • Flags—The set of flags that are displayed for the route.
        • A?B—Active and learned from BGP
        • A C—Active and a result of an internal interface (connected) - Destination = network
        • A H—Active and a result of an internal interface (connected) - Destination = Host only
        • A R—Active and learned from RIP
        • A S—Active and static
        • O1—OSPF external type-1
        • O2—OSPF external type-2
        • Oi—OSPF intra-area
        • Oo—OSPF inter-area
        • S—Inactive (because this route has a higher metric) and static
    • Clear IPSec SA—Clears the security associations (SAs) for a remote network or service connection.
      If you need to adjust the cryptographic profiles for an IPSec tunnel to resolve a mismatch, you can use this tool to clear the current IPSec or IKE SA from both your CPE and Prisma Access, and then renegotiate the tunnel.
    • EDL Info—Displays information about External Dynamic Lists (EDLs) for mobile user locations and remote networks.
      For mobile user locations, select the EDL Type and the EDL Name for the type you specified from the drop-down choices; then, enter the IP address of the mobile user location (gateway) (Mobile Users GW IP address).
      To find the IP address of a mobile user gateway from the GlobalProtect app, open the Settings and find the Gateway IP address in the Connection tab. To retrieve the IP address of a mobile user gateway from Prisma Access, use the API and specify the "serviceType": "gp_gateway" keywords in the .txt file.
      For remote networks, select the EDL Type, the EDL Name for the type you specified, and the Remote Networks Site Name.
      After you Show EDL Info, the Retrieved Data table shows the following information:
      • Total Valid Entries—The total number of valid entries in the specified EDL.
      • Total Ignored Entries—The total number of entries, if any, that Prisma Access ignored in the specified EDL.
      • Total Invalid Entries—The total number of invalid entries, if any, in the specified EDL.
      • Valid Entries—Shows the valid entries in the EDL.
        These entries reflect the EDL type; for example, an EDL Type of ip displays the IP addresses in the EDL and an EDL Type of URL displays valid URLs in the EDL.
        The Valid Entries column shows detailed EDL information for a maximum number of 100 EDL entries.
    • EDL Status—Displays the status of the EDLs used by Prisma Access for mobile user locations and remote networks.
      For mobile user locations, select the EDL Type and the EDL Name for the type you specified from the drop-down choices; then, enter the IP address of the mobile user location (gateway) (Mobile Users GW IP address).
      To find the IP address of a mobile user gateway from the GlobalProtect app, open the Settings and find the Gateway IP address in the Connection tab. To find the IP address of a mobile user gateway from Prisma Access, use the API and specify the "serviceType": "gp_gateway" keywords in the .txt file.
      For remote networks, select the EDL Type, the EDL Name for the type you specified, and the Remote Networks Site Name. Predefined URLs are not supported.
      The Retrieved Data table shows the following information:
      • Next Update At—The time when the EDL of the specified type will be refreshed.
      • Source—More details about what is included in this EDL.
      • Referenced—Whether the EDL is referenced in a security policy rule.
      • Valid—Whether or not the EDL is valid.
      • Auth-Valid—If the EDL uses authentication, whether or not the authentication is valid.
    • EDL Refresh—Refreshes the EDLs for mobile user locations and remote networks. You cannot refresh predefined EDLs.
      Refreshing an EDL is resource-intensive. Palo Alto Networks recommends that you refresh the EDLs a maximum of once every two minutes. If you do not manually refresh the EDLs, Prisma Access automatically refreshes EDLs using the Check for Updates value you defined in each EDL.
      For mobile user locations, select the EDL Type and the EDL Name for the type you specified from the drop-down choices; then, enter the IP address of the mobile user location (gateway) (Mobile Users GW IP address).
      To find the IP address of a mobile user gateway from the GlobalProtect app, open the Settings and find the Gateway IP address in the Connection tab. To find the IP address of a mobile user gateway from Prisma Access, use the API and specify the "serviceType": "gp_gateway" keywords in the .txt file.
      For remote networks, select the EDL Type, the EDL Name for the type you specified, and the Remote Networks Site Name.
      The Retrieved Data table shows the Message related to the EDL refresh operation (either that the EDL refresh operation is queued or that it is complete) and the Timestamp when the refresh operation was performed. The timestamp uses the local time of the mobile user or remote network.
      To view the last time that the status was refreshed, select the EDL Status tab. To see the EDL information after it was refreshed, select the EDL Info tab.
    • Search EDL—Enter search terms to find data inside the EDLs you use with mobile user locations and remote networks in Prisma Access. This functionality does not work with Predefined URL lists or URL lists that you create; EDLs that use IP addresses are supported.
      You can enter search terms for either Mobile Users or Remote Networks. To search for Mobile Users, enter the IP address of the mobile user location (gateway) for which you want to search (Mobile Users GW IP address) with the Search String; to search in the Remote Networks area, enter the Site Name with the Search String. Click Search EDL to perform the search.
      If the string is matched in an EDL, the Retrieved Data table shows the EDL Name where the search string was matched, along with the Timestamp when the match was made. The timestamp uses the date and time of the Panorama that manages Prisma Access.
    • Service IP Address—Retrieves the Service IP Address for a remote network or service connection.
      The service endpoint address is the FQDN or IP address that you use as the peer IP address for your CPE when you set up the IPSec tunnel for your service connection or remote network connection.
  3. (Optional) To export the results of the troubleshooting commands to a .csv file, select Export to CSV after running the command.
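The Routing Information command in both the Strata Cloud Manager and the Panorama procedures above returns a table of Destination, Nexthop, Metric and Flags, and the page explains how Prisma Access chooses between routes to the same destination (lowest metric wins, and an entry flagged only S is inactive for that reason). The following Python script is an added example, not code from the page or from Palo Alto Networks: it reads a constructed CSV in the shape an Export to CSV of the routing table might take (the column names are an assumption; check the header of your own export), decodes the Flags using the legend above, selects the route that would carry traffic to a given address (longest prefix first, then lowest metric among active entries), and lists inactive entries that are shadowed by a lower-metric route. Treating the OSPF flag values as usable routes is an assumption, since the page's legend does not mark them active or inactive.

```python
import csv
import io
import ipaddress

# Flag legend as listed in the Routing Information section above.
FLAG_LEGEND = {
    "A?B": "Active and learned from BGP",
    "A C": "Active, connected interface (destination = network)",
    "A H": "Active, connected interface (destination = host only)",
    "A R": "Active and learned from RIP",
    "A S": "Active and static",
    "O1": "OSPF external type-1",
    "O2": "OSPF external type-2",
    "Oi": "OSPF intra-area",
    "Oo": "OSPF inter-area",
    "S": "Inactive (higher metric) and static",
}

# Constructed sample in the shape an Export to CSV of the route table might
# have. The column names are assumed, not taken from a real export.
SAMPLE_CSV = """destination,nexthop,metric,flags
0.0.0.0/0,203.0.113.1,10,A S
10.1.0.0/16,192.0.2.5,20,A?B
10.1.0.0/16,192.0.2.9,30,S
10.1.4.0/24,192.0.2.7,10,A?B
172.16.0.0/24,0.0.0.0,0,A C
192.0.2.5/32,0.0.0.0,0,A H
"""


def parse_route_table(text):
    """Parse exported route rows into typed dictionaries."""
    routes = []
    for row in csv.DictReader(io.StringIO(text)):
        routes.append({
            "destination": ipaddress.ip_network(row["destination"], strict=False),
            "nexthop": ipaddress.ip_address(row["nexthop"]),
            "metric": int(row["metric"]),
            "flags": row["flags"].strip(),
        })
    return routes


def describe_flags(flags):
    """Translate a Flags value using the legend from the page."""
    return FLAG_LEGEND.get(flags, "unknown flag combination: " + flags)


def is_active(route):
    # A leading "A" marks an active route in the legend; a bare "S" is inactive.
    # Assumption: OSPF entries (O1, O2, Oi, Oo) are treated as usable routes.
    return route["flags"].startswith(("A", "O"))


def best_route(routes, addr):
    """Longest-prefix match among active routes; ties broken by lowest metric."""
    target = ipaddress.ip_address(addr)
    candidates = [r for r in routes if is_active(r) and target in r["destination"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["destination"].prefixlen, -r["metric"]))


def shadowed_routes(routes):
    """Inactive entries whose destination also has an active route with a lower metric."""
    active = {r["destination"]: r["metric"] for r in routes if is_active(r)}
    return [
        r for r in routes
        if not is_active(r)
        and r["destination"] in active
        and active[r["destination"]] < r["metric"]
    ]


if __name__ == "__main__":
    table = parse_route_table(SAMPLE_CSV)
    for r in table:
        print(r["destination"], r["nexthop"], r["metric"], r["flags"], "->", describe_flags(r["flags"]))
    chosen = best_route(table, "10.1.9.1")
    print("10.1.9.1 via", chosen["nexthop"], "flags", chosen["flags"])
    for r in shadowed_routes(table):
        print("shadowed:", r["destination"], "via", r["nexthop"], "metric", r["metric"])
```

Run the script on an export of your own route table by replacing SAMPLE_CSV with the file contents; a destination that resolves to the 0.0.0.0/0 entry when you expected a more specific route, or a route that appears only in the shadowed list, is the usual symptom behind a remote network or service connection reaching the wrong next hop.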
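The EDL Info and Search EDL commands described above report how many entries of an EDL are valid, ignored or invalid, show at most 100 valid entries, and find a search string inside IP-type EDLs. The following Python script is an added example, not code from the page or from Palo Alto Networks: it classifies the lines of a constructed IP-type EDL into those three categories, caps the displayed Valid Entries at 100 as the page describes, and searches several constructed lists for a search string. The treatment of blank lines and lines starting with # as ignored, the address-range syntax, and the search semantics (substring match, or address containment when the search string is an IP address) are assumptions made for this example, not documented EDL rules.

```python
import ipaddress
import re

MAX_DISPLAYED_VALID = 100  # the page states Valid Entries shows at most 100 entries

# Assumption: a range entry is written as <first>-<last>.
RANGE_RE = re.compile(r"^(\S+)-(\S+)$")

# Constructed sample EDLs (names and contents invented for this example).
SAMPLE_EDLS = {
    "blocklist-ip": """# constructed sample list
198.51.100.7
203.0.113.0/24
192.0.2.10-192.0.2.20

not-an-address
2001:db8::/32
300.1.1.1
""",
    "partners-ip": """192.0.2.5
10.20.0.0/16
""",
}


def parse_range(entry):
    """Return (lo, hi) for a <first>-<last> entry, or None if it is not one."""
    m = RANGE_RE.match(entry)
    if not m:
        return None
    try:
        lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    except ValueError:
        return None
    if lo.version != hi.version or lo > hi:
        return None
    return lo, hi


def classify_ip_entry(line):
    """Classify one line of an IP-type EDL as valid, ignored or invalid."""
    entry = line.strip()
    if not entry or entry.startswith("#"):  # assumption: blank and comment lines are ignored
        return "ignored"
    try:
        ipaddress.ip_network(entry, strict=False)  # single address or CIDR
        return "valid"
    except ValueError:
        pass
    return "valid" if parse_range(entry) else "invalid"


def classify_entries(text):
    """Count entries by category and collect every valid entry."""
    counts = {"valid": 0, "ignored": 0, "invalid": 0}
    valid = []
    for line in text.splitlines():
        kind = classify_ip_entry(line)
        counts[kind] += 1
        if kind == "valid":
            valid.append(line.strip())
    return counts, valid


def edl_info(text):
    """Mimic the EDL Info columns: totals plus a capped list of valid entries."""
    counts, valid = classify_entries(text)
    return {
        "total_valid": counts["valid"],
        "total_ignored": counts["ignored"],
        "total_invalid": counts["invalid"],
        "valid_entries": valid[:MAX_DISPLAYED_VALID],
    }


def entry_contains(entry, addr):
    """Does a valid entry (address, CIDR or range) cover the given address?"""
    try:
        return addr in ipaddress.ip_network(entry, strict=False)  # False on version mismatch
    except ValueError:
        pass
    rng = parse_range(entry)
    if rng and rng[0].version == addr.version:
        return rng[0] <= addr <= rng[1]
    return False


def search_edls(edls, search_string):
    """Names of the EDLs in which the search string is matched."""
    try:
        addr = ipaddress.ip_address(search_string)
    except ValueError:
        addr = None
    hits = []
    for name, text in edls.items():
        _, entries = classify_entries(text)
        if any(search_string in e or (addr is not None and entry_contains(e, addr)) for e in entries):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for name, text in SAMPLE_EDLS.items():
        print(name, edl_info(text))
    print("192.0.2.15 found in:", search_edls(SAMPLE_EDLS, "192.0.2.15"))
```

Pointing classify_entries at the raw text your EDL source serves is a quick way to see why Total Invalid Entries is non-zero before the next scheduled Check for Updates, and search_edls shows which list a single address falls into even when that list only carries a covering subnet or range.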