Use Logging, Routing, and EDL Information to Troubleshoot Your Deployment

Use Logging Status, Routing Information, and EDL Info and Status to retrieve troubleshooting information.
The Troubleshooting Commands area in Panorama (Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Troubleshooting Commands) enables you to easily retrieve the logging status of Prisma Access infrastructure components, as well as retrieve the latest information about External Dynamic Lists (EDLs) that are used with Prisma Access. This information can be useful to monitor and troubleshoot issues with your Prisma Access deployment.
  • If you are having issues with receiving logging from one or more locations, you can check the Logging Status for a mobile user or remote network security processing node (SPN) to check the connectivity status of Cortex Data Lake with that SPN.
  • If you are experiencing routing issues with service connections, also known as Corporate Access Nodes (CANs), or Remote Network SPNs, you can view the Prisma Access routing tables.
  • If you are having issues with EDLs not being updated in a timely fashion, you can query Prisma Access to see what information (IP addresses or URLs) is included in the EDLs. You can also refresh the EDL information.
To export the results of the troubleshooting commands to a .csv file, select Export to CSV after running the command.
The Troubleshooting Commands window displays the following information, listed by tab:
Logging Status
Provides you with the connection status between Cortex Data Lake and the Prisma Access mobile user security processing nodes (MU-SPNs) or remote network security processing nodes (RN-SPNs).
To view Mobile Users MU-SPN logging information, select the Prisma Access Location from the drop-down, or select All to view the logging status for all locations. To view Remote Networks RN-SPN information, select the Site Name from the drop-down, or select All to view all remote networks. The Retrieved Data table shows the following information:
  • Connection Name—The mobile user location (for mobile users) or the name of the remote network connection.
    The name of the connection between the MU-SPN or RN-SPN and Prisma Access displays as Connection-xxxxxx, where xxxxxx is a six-digit number that identifies the MU-SPN or RN-SPN in the Prisma Access infrastructure.
    You cannot map this six-digit number to a location, but you can see the location of the MU-SPN or RN-SPN in the Connection Timestamp area.
  • Status—The status of the connection between Prisma Access and Cortex Data Lake (Up or Down).
  • Connection Timestamp—The time that Panorama checked the connection status. The timestamp uses the local time of the MU-SPN or RN-SPN.
Routing Information
Provides you with routing information for service connection corporate access nodes (SC-CANs) and for RN-SPNs. To view SC-CAN information, select the Service Connection name from the drop-down; to view RN-SPN information, select the Site Name from the drop-down. Click Show Route Table to show the routing table for the service connection or remote network connection. The Retrieved Data table shows the following information:
  • Destination—The IP address and subnet of networks that the virtual router can reach.
  • Nexthop—The IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.
  • Metric—The Metric for the route. When a routing protocol has more than one route to the same destination network, it prefers the route with the lowest metric value. Each routing protocol uses a different type of metric; for example, BGP uses the Multi Exit Discriminator (MED) Attribute. Prisma Access considers the metric when making routing decisions; for example, given the same route, Prisma Access prefers a static route with a lower metric over a BGP route with a higher metric.
  • Flags—The set of flags that are displayed for the route.
    • A?B—Active and learned from BGP
    • A C—Active and a result of an internal interface (connected) - Destination = network
    • A H—Active and a result of an internal interface (connected) - Destination = Host only
    • A R—Active and learned from RIP
    • A S—Active and static
    • O1—OSPF external type-1
    • O2—OSPF external type-2
    • Oi—OSPF intra-area
    • Oo—OSPF inter-area
    • S—Inactive (because this route has a higher metric) and static
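The following added example (not part of the original documentation or Palo Alto Networks code) reviews a route table exported with Export to CSV: it decodes the Flags values listed above, picks the active route per destination, and reports destinations with no active route or an inactive static route whose metric is not higher than the active one. The CSV header names, the sample rows, and the reading of a leading A as the active marker are assumptions.

```python
import csv
import io
from collections import defaultdict

# Route types from the Flags list above (the code that follows the A marker).
TYPES = {"B": "BGP", "C": "connected (network)", "H": "connected (host)",
         "R": "RIP", "S": "static", "O1": "OSPF external type-1",
         "O2": "OSPF external type-2", "Oi": "OSPF intra-area",
         "Oo": "OSPF inter-area"}

# Constructed sample export; header names are assumed to match the table fields.
SAMPLE_CSV = """Destination,Nexthop,Metric,Flags
10.1.0.0/16,192.0.2.1,10,A S
10.1.0.0/16,192.0.2.9,20,S
10.2.0.0/16,198.51.100.7,0,A?B
10.3.0.0/16,192.0.2.1,10,S
172.16.0.5/32,172.16.0.5,0,A H
10.4.0.0/16,192.0.2.1,10,ZZ
"""

def decode_flags(flags):
    """Return (active, route_type); route_type is None if the code is not listed.
    Assumption: a leading 'A' marks the route active, as in every 'A x' entry."""
    text = flags.strip()
    active = text.startswith("A")
    code = text[1:].lstrip(" ?") if active else text
    return active, TYPES.get(code)

def review_routes(csv_text):
    """Return ({destination: preferred active row}, [findings to investigate])."""
    by_dest, findings = defaultdict(list), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        active, rtype = decode_flags(row["Flags"])
        if rtype is None:
            findings.append(f"{row['Destination']}: unrecognised flags {row['Flags']!r}")
            continue
        by_dest[row["Destination"]].append((active, rtype, int(row["Metric"] or 0), row))
    best = {}
    for dest, routes in by_dest.items():
        live = [r for r in routes if r[0]]
        if not live:
            findings.append(f"{dest}: no active route")
            continue
        low = min(r[2] for r in live)
        best[dest] = next(r[3] for r in live if r[2] == low)
        for active, rtype, metric, _ in routes:
            if not active and rtype == "static" and metric <= low:
                findings.append(f"{dest}: inactive static metric {metric} is not "
                                f"higher than active metric {low}")
    return best, findings
```

Calling review_routes(SAMPLE_CSV) returns the active route for three destinations and two findings: one row with flags that are not on the list and one destination that has only an inactive static route.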
EDL Info
Displays information about External Dynamic Lists (EDLs) for Mobile Users MU-SPNs and Remote Networks RN-SPNs.
For MU-SPNs, select the EDL Type and the EDL Name for the type you specified from the drop-down choices; then, enter the IP address of the mobile user location (gateway) (Mobile Users GW IP address).
To find the IP address of a mobile user gateway from the GlobalProtect app, open the Settings and find the Gateway IP address in the Connection tab. To find the IP address of a mobile user gateway from Prisma Access, use the API to retrieve Prisma Access infrastructure IP addresses using the "serviceType": "gp_gateway" keywords in the .txt file.
For RN-SPNs, select the EDL Type, the EDL Name for the type you specified, and the Remote Networks Site Name.
After you Show EDL Info, the Retrieved Data table shows the following information:
  • Total Valid Entries—The total number of valid entries in the specified EDL.
  • Total Ignored Entries—The total number of entries, if any, that Prisma Access ignored in the specified EDL.
  • Total Invalid Entries—The total number of invalid entries, if any, in the specified EDL.
  • Valid Entries—Shows the valid entries in the EDL.
    These entries reflect the EDL type; for example, an EDL Type of ip displays the IP addresses in the EDL and an EDL Type of URL displays valid URLs in the EDL.
    The Valid Entries column shows detailed EDL information for a maximum number of 100 EDL entries.
EDL Status
Displays the status of the EDLs used by Prisma Access for Mobile Users and Remote Networks MU-SPNs and RN-SPNs.
For MU-SPNs, select the EDL Type and the EDL Name for the type you specified from the drop-down choices; then, enter the IP address of the mobile user location (gateway) (Mobile Users GW IP address).
To find the IP address of a mobile user gateway from the GlobalProtect app, open the Settings and find the Gateway IP address in the Connection tab. To find the IP address of a mobile user gateway from Prisma Access, use the API to retrieve Prisma Access infrastructure IP addresses using the "serviceType": "gp_gateway" keywords in the .txt file.
For RN-SPNs, select the EDL Type, the EDL Name for the type you specified, and the Remote Networks Site Name. Predefined URLs are not supported.
The Retrieved Data table shows the following information:
  • Next Update At—The time when the EDL of the specified type will be refreshed.
  • Source—More details about what is included in this EDL.
  • Referenced—Whether the EDL is referenced in a security policy rule.
  • Valid—Whether or not the EDL is valid.
  • Auth-Valid—If the EDL uses authentication, whether or not the authentication is valid.
EDL Refresh
Refreshes the EDLs for Mobile Users and Remote Networks MU-SPNs and RN-SPNs. You cannot refresh predefined EDLs.
Refreshing an EDL is resource-intensive. Palo Alto Networks recommends that you refresh the EDLs a maximum of once every two minutes. If you do not manually refresh the EDLs, Prisma Access automatically refreshes External Dynamic Lists (EDLs) using the Check for Updates value you defined in each EDL.
For MU-SPNs, select the EDL Type and the EDL Name for the type you specified from the drop-down choices; then, enter the IP address of the mobile user location (gateway) (Mobile Users GW IP address).
To find the IP address of a mobile user gateway from the GlobalProtect app, open the Settings and find the Gateway IP address in the Connection tab. To find the IP address of a mobile user gateway from Prisma Access, use the API to retrieve Prisma Access infrastructure IP addresses using the "serviceType": "gp_gateway" keywords in the .txt file.
For RN-SPNs, select the EDL Type, the EDL Name for the type you specified, and the Remote Networks Site Name.
The Retrieved Data table shows the Message related to the EDL refresh operation (either that the EDL refresh operation is queued or that it is complete) and the Timestamp when the refresh operation was performed. The timestamp uses the local time of the MU-SPN or RN-SPN.
To view the last time that the status was refreshed, select the EDL Status tab. To see the EDL information after it was refreshed, select the EDL Info tab.
Search EDL
Enter search terms to find data inside the EDLs you use with mobile users and remote networks in Prisma Access. This functionality does not work with Predefined URL lists or URL lists that you create; EDLs that use IP addresses are supported.
You can enter search terms for either Mobile Users or Remote Networks. To search for Mobile Users, enter the IP address of the mobile user location (gateway) for which you want to search (Mobile Users GW IP address) with the Search String; to search in the Remote Networks area, enter the Site Name with the Search String. Click Search EDL to perform the search.
If the string is matched in an EDL, the Retrieved Data table shows the EDL Name where the search string was matched, along with the Timestamp when the match was made. The timestamp uses the date and time of the Panorama that manages Prisma Access.
