- Logging Status—Provides you with the connection status between Strata Logging Service and Prisma Access for one or more mobile user locations or remote networks.
  To view Mobile Users logging information, select the Prisma Access Location from the drop-down, or select All to view the logging status for all locations. To view Remote Networks information, select the Site Name from the drop-down, or select All to view all remote networks. The Retrieved Data table shows the following information:
  - Connection Name—The mobile user location (for mobile users) or the name of the remote network connection.
    The name of the connection between the mobile users location or remote network and Prisma Access displays as Connection-xxxxxx, where xxxxxx is a six-digit number that identifies the mobile users location or remote network in the Prisma Access infrastructure.
    You cannot map this six-digit number to a location, but you can see the location of the mobile user location or remote networks in the Connection Timestamp area.
  - Status—The status (Up or Down) of the connection between Prisma Access and Strata Logging Service.
  - Connection Timestamp—The time that Panorama checked the connection status. The timestamp uses the local time of the mobile user location or remote network.
- Routing Information—Provides you with routing information for service connections or remote networks. To view service connection information, select the Service Connection name from the drop-down; to view remote network information, select the Site Name from the drop-down. Click Show Route Table to show the routing table for the service connection or remote network connection. The Retrieved Data table shows the following information:
  - Destination—The IP address and subnet of networks that the virtual router can reach.
  - Nexthop—The IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.
  - Metric—The Metric for the route. When a routing protocol has more than one route to the same destination network, it prefers the route with the lowest metric value. Each routing protocol uses a different type of metric; for example, BGP uses the Multi Exit Discriminator (MED) Attribute. Prisma Access considers the metric when making routing decisions; for example, given the same route, Prisma Access prefers a static route with a lower metric over a BGP route with a higher metric.
  - Flags—The set of flags that are displayed for the route.
    - A B—Active and learned from BGP
    - A C—Active and a result of an internal interface (connected) - Destination = network
    - A H—Active and a result of an internal interface (connected) - Destination = Host only
    - A R—Active and learned from RIP
    - A S—Active and static
    - O1—OSPF external type-1
    - O2—OSPF external type-2
    - Oi—OSPF intra-area
    - Oo—OSPF inter-area
    - S—Inactive (because this route has a higher metric) and static
- Clear IPSec SA—Clears the security associations (SAs) for a remote network or service connection.
  If you need to adjust the cryptographic profiles for an IPSec tunnel to resolve a mismatch, you can use this tool to clear the current IPSec or IKE SA from both your CPE and Prisma Access, and then renegotiate the tunnel.
- EDL Info—Displays information about External Dynamic Lists (EDLs) for mobile user locations and remote networks.
  For mobile user locations, select the EDL Type and the EDL Name for the type you specified from the drop-down choices; then, enter the IP address of the mobile user location (gateway) (Mobile Users GW IP address).
  To find the IP address of a mobile user gateway from the GlobalProtect app, open the Settings and find the Gateway IP address in the Connection tab. To retrieve the IP address of a mobile user gateway from Prisma Access, use the API and specify the "serviceType": "gp_gateway" keywords in the .txt file.
  For remote networks, select the EDL Type, the EDL Name for the type you specified, and the Remote Networks Site Name.
  After you Show EDL Info, the Retrieved Data table shows the following information:
  - Total Valid Entries—The total number of valid entries in the specified EDL.
  - Total Ignored Entries—The total number of entries, if any, that Prisma Access ignored in the specified EDL.
  - Total Invalid Entries—The total number of invalid entries, if any, in the specified EDL.
  - Valid Entries—Shows the valid entries in the EDL.
    These entries reflect the EDL type; for example, an EDL Type of ip displays the IP addresses in the EDL and an EDL Type of URL displays valid URLs in the EDL.
    The Valid Entries column shows detailed EDL information for a maximum of 100 EDL entries.
- EDL Status—Displays the status of the EDLs used by Prisma Access for mobile user locations and remote networks.
  For mobile user locations, select the EDL Type and the EDL Name for the type you specified from the drop-down choices; then, enter the IP address of the mobile user location (gateway) (Mobile Users GW IP address).
  To find the IP address of a mobile user gateway from the GlobalProtect app, open the Settings and find the Gateway IP address in the Connection tab. To find the IP address of a mobile user gateway from Prisma Access, use the API and specify the "serviceType": "gp_gateway" keywords in the .txt file.
  For remote networks, select the EDL Type, the EDL Name for the type you specified, and the Remote Networks Site Name. Predefined URLs are not supported.
  The Retrieved Data table shows the following information:
  - Next Update At—The time when the EDL of the specified type will be refreshed.
  - Source—More details about what is included in this EDL.
  - Referenced—Whether the EDL is referenced in a security policy rule.
  - Valid—Whether or not the EDL is valid.
  - Auth-Valid—If the EDL uses authentication, whether or not the authentication is valid.
- EDL Refresh—Refreshes the EDLs for mobile user locations and remote networks. You cannot refresh predefined EDLs.
  Refreshing an EDL is resource-intensive. Palo Alto Networks recommends that you refresh the EDLs a maximum of once every two minutes. If you do not manually refresh the EDLs, Prisma Access automatically refreshes EDLs using the Check for Updates value you defined in each EDL.
  For mobile user locations, select the EDL Type and the EDL Name for the type you specified from the drop-down choices; then, enter the IP address of the mobile user location (gateway) (Mobile Users GW IP address).
  To find the IP address of a mobile user gateway from the GlobalProtect app, open the Settings and find the Gateway IP address in the Connection tab. To find the IP address of a mobile user gateway from Prisma Access, use the API and specify the "serviceType": "gp_gateway" keywords in the .txt file.
  For remote networks, select the EDL Type, the EDL Name for the type you specified, and the Remote Networks Site Name.
  The Retrieved Data table shows the Message related to the EDL refresh operation (either that the EDL refresh operation is queued or that it is complete) and the Timestamp when the refresh operation was performed. The timestamp uses the local time of the mobile user or remote network.
  To view the last time that the status was refreshed, select the EDL Status tab. To see the EDL information after it was refreshed, select the EDL Info tab.
- Search EDL—Enter search terms to find data inside the EDLs you use with mobile user locations and remote networks in Prisma Access. This functionality does not work with Predefined URL lists or URL lists that you create; EDLs that use IP addresses are supported.
  You can enter search terms for either Mobile Users or Remote Networks. To search for Mobile Users, enter the IP address of the mobile user location (gateway) for which you want to search (Mobile Users GW IP address) with the Search String; to search in the Remote Networks area, enter the Site Name with the Search String. Click Search EDL to perform the search.
  If the string is matched in an EDL, the Retrieved Data table shows the EDL Name where the search string was matched, along with the Timestamp when the match was made. The timestamp uses the date and time of the Panorama that manages Prisma Access.
- Service IP Address—Retrieves the Service IP Address for a remote network or service connection.
  The service endpoint address is the FQDN or IP address that you use as the peer IP address for your CPE when you set up the IPSec tunnel for your service connection or remote network connection.
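
The flag legend and metric rule given for the Routing Information tool can be applied to a saved route table to pick out rows worth reviewing. The following is an added example, not Palo Alto Networks code: the whitespace-separated row layout, the sample rows, and the names `parse_routes` and `audit` are assumptions made for illustration.

```python
import ipaddress

# Flag legend as listed for the Routing Information Retrieved Data table.
FLAGS = {
    "A B": "active, BGP", "A C": "active, connected (network)",
    "A H": "active, connected (host only)", "A R": "active, RIP",
    "A S": "active, static", "O1": "OSPF external type-1",
    "O2": "OSPF external type-2", "Oi": "OSPF intra-area",
    "Oo": "OSPF inter-area", "S": "inactive static (higher metric)",
}

# Constructed sample rows: Destination, Nexthop, Metric, Flags. The
# whitespace-separated layout is an assumption, not real tool output.
SAMPLE = """\
10.1.0.0/16     192.0.2.1     10   A S
10.1.0.0/16     192.0.2.9     200  S
172.16.5.0/24   198.51.100.7  0    A B
10.9.0.0/16     192.0.2.9     50   S
192.168.0.0/24  192.0.2.1     10   X Z
"""

def parse_routes(text):
    """Parse rows into dicts; ipaddress/int raise on malformed fields."""
    routes = []
    for line in filter(str.strip, text.splitlines()):
        dest, nexthop, metric, *flag_parts = line.split()
        routes.append({
            "dest": ipaddress.ip_network(dest, strict=False),
            "nexthop": ipaddress.ip_address(nexthop),
            "metric": int(metric),
            "flags": " ".join(flag_parts),
            "active": flag_parts[:1] == ["A"],
        })
    return routes

def audit(routes):
    """Return (destination, finding) pairs that deserve a second look."""
    findings = []
    for r in routes:
        if r["flags"] not in FLAGS:
            note = f"unrecognized flags {r['flags']!r}"
        elif r["flags"] != "S":
            continue
        elif any(o["active"] and o["dest"] == r["dest"]
                 and o["metric"] < r["metric"] for o in routes):
            note = f"standby for a lower-metric active route (own metric {r['metric']})"
        else:
            note = "inactive static with no lower-metric active route"
        findings.append((str(r["dest"]), note))
    return findings
```

An inactive static route with no lower-metric active route for the same destination does not match the legend's explanation for the S flag, so it is reported separately from an ordinary standby route.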