Troubleshoot the Prisma Access Deployment
Use Logging Status, Routing Information, and EDL Info and Status to retrieve troubleshooting information.
The Troubleshooting Commands area in Panorama (Panorama > Cloud Services > Configuration > Service Setup > Service Operations > Troubleshooting Commands) enables you to easily retrieve the logging status of Prisma Access infrastructure components, as well as retrieve the latest information about External Dynamic Lists (EDLs) that are used with Prisma Access. This information can be useful to monitor and troubleshoot issues with your Prisma Access deployment.
  • If you are having issues with receiving logs from one or more locations, you can check the Logging Status for a mobile user or remote network security processing node (SPN) to check the connectivity status of Strata Logging Service with that SPN.
  • If you are experiencing routing issues with service connections, also known as Corporate Access Nodes (CANs), or Remote Network SPNs, you can view the Prisma Access routing tables.
  • If you are having issues with EDLs not being updated in a timely fashion, you can query Prisma Access to see what information (IP addresses or URLs) are included in the EDLs. You can also refresh the EDL information.
To export the results of the troubleshooting commands to a .csv file, select Export to CSV after running the command.
The Troubleshooting Commands window displays the following information:
Tab | Description
Logging Status
Provides you with the connection status between Strata Logging Service and the Prisma Access mobile user security processing nodes (MU-SPNs) or remote network security processing nodes (RN-SPNs).
To view Mobile Users MU-SPN logging information, select the Prisma Access Location from the drop-down, or select All to view the logging status for all locations. To view Remote Networks RN-SPN information, select the Site Name from the drop-down, or select All to view all remote networks. The Retrieved Data table shows the following information:
  • Connection Name—The mobile user location (for mobile users) or the name of the remote network connection.
    The name of the connection between the MU-SPN or RN-SPN and Prisma Access displays as Connection-xxxxxx, where xxxxxx is a six-digit number that identifies the MU-SPN or RN-SPN in the Prisma Access infrastructure.
    You cannot map this six-digit number to a location, but you can see the location of the MU-SPN or RN-SPN in the Connection Timestamp area.
  • Status—Provides you with details of the connection between Prisma Access and Strata Logging Service status (Up or Down).
  • Connection Timestamp—The time that Panorama checked the connection status. The timestamp uses the local time of the MU-SPN or RN-SPN.
Routing Information
Provides you with routing information for service connection corporate access nodes (SC-CANs) and for RN-SPNs. To view SC-CAN information, select the Service Connection name from the drop-down; to view RN-SPN information, select the Site Name from the drop-down. Click Show Route Table to show the routing table for the service connection or remote network connection. The Retrieved Data table shows the following information:
  • Destination—The IP address and subnet of networks that the virtual router can reach.
  • Nexthop—The IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.
  • Metric—The Metric for the route. When a routing protocol has more than one route to the same destination network, it prefers the route with the lowest metric value. Each routing protocol uses a different type of metric; for example, BGP uses the Multi Exit Discriminator (MED) Attribute. Prisma Access considers the metric when making routing decisions; for example, given the same route, Prisma Access prefers a static route with a lower metric over a BGP route with a higher metric.
  • Flags—The set of flags that are displayed for the route.
    • A?B—Active and learned from BGP
    • A C—Active and a result of an internal interface (connected) - Destination = network
    • A H—Active and a result of an internal interface (connected) - Destination = Host only
    • A R—Active and learned from RIP
    • A S—Active and static
    • O1—OSPF external type-1
    • O2—OSPF external type-2
    • Oi—OSPF intra-area
    • Oo—OSPF inter-area
    • S—Inactive (because this route has a higher metric) and static
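The route table that Show Route Table returns is most useful when you can answer two questions quickly: which route does traffic to a given address actually take, and why is a route you expected to be active flagged as inactive. The following script is an added example (not Palo Alto Networks code) that reads an exported route table with the four columns described above, interprets the flags exactly as the list above defines them, does a longest-prefix lookup over the active routes, and reports static routes that lost to a BGP route with a lower metric. The CSV content is constructed for illustration; the column names and the assumption that Export to CSV produces a plain header row are assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample of an "Export to CSV" of the Routing Information tab, using
# the four columns the page describes. Addresses come from RFC 5737 documentation
# ranges and the rows are invented for illustration.
SAMPLE_ROUTE_CSV = """Destination,Nexthop,Metric,Flags
0.0.0.0/0,192.0.2.1,10,A S
10.10.0.0/16,192.0.2.1,10,A S
10.20.0.0/16,198.51.100.5,20,A?B
10.20.0.0/16,192.0.2.1,30,S
172.16.5.0/24,198.51.100.5,20,A?B
192.0.2.0/24,0.0.0.0,0,A C
192.0.2.3/32,0.0.0.0,0,A H
"""

# Flag meanings as listed on this page. OSPF flags are whole tokens; for the other
# flags the protocol is the last character (A = active, ? = the BGP marker).
OSPF_FLAGS = {"O1": "ospf-ext-1", "O2": "ospf-ext-2", "Oi": "ospf-intra", "Oo": "ospf-inter"}
PROTOCOL_BY_LAST_FLAG = {"B": "bgp", "C": "connected", "H": "host", "R": "rip", "S": "static"}


def parse_route_table(csv_text):
    """Turn exported route rows into dicts with typed fields."""
    routes = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = row["Flags"].strip()
        protocol = OSPF_FLAGS.get(flags) or PROTOCOL_BY_LAST_FLAG.get(flags[-1], "unknown")
        routes.append({
            "destination": ipaddress.ip_network(row["Destination"].strip(), strict=False),
            "nexthop": row["Nexthop"].strip(),
            "metric": int(row["Metric"]),
            "active": flags.startswith("A"),
            "protocol": protocol,
        })
    return routes


def lookup(routes, address):
    """Longest-prefix match over active routes; the lowest metric breaks ties.
    Returns the winning route dict, or None when nothing (not even a default) matches."""
    ip = ipaddress.ip_address(address)
    candidates = [r for r in routes if r["active"] and ip in r["destination"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["destination"].prefixlen, r["metric"]))


def find_shadowed_routes(routes):
    """Inactive routes that lose to an active route for the same destination with a
    lower metric, which is the situation the 'S' flag above describes.
    Returns (losing_route, winning_route) pairs."""
    shadowed = []
    for r in routes:
        if r["active"]:
            continue
        winners = [a for a in routes
                   if a["active"] and a["destination"] == r["destination"] and a["metric"] < r["metric"]]
        if winners:
            shadowed.append((r, min(winners, key=lambda a: a["metric"])))
    return shadowed


def summarize(routes):
    """Count active routes per protocol: a quick check that BGP routes from a
    service connection or remote network are actually being learned."""
    counts = {}
    for r in routes:
        if r["active"]:
            counts[r["protocol"]] = counts.get(r["protocol"], 0) + 1
    return counts


if __name__ == "__main__":
    table = parse_route_table(SAMPLE_ROUTE_CSV)
    print("active routes by protocol:", summarize(table))
    for addr in ("10.20.7.7", "203.0.113.9"):
        r = lookup(table, addr)
        print(f"{addr} -> {r['nexthop']} via {r['destination']} ({r['protocol']}, metric {r['metric']})")
    for lost, won in find_shadowed_routes(table):
        print(f"{lost['destination']} via {lost['nexthop']} ({lost['protocol']}, metric {lost['metric']}) "
              f"is inactive; {won['protocol']} metric {won['metric']} via {won['nexthop']} wins")
```

Run it against a real export by replacing `SAMPLE_ROUTE_CSV` with the file contents. In the sample, the static route to 10.20.0.0/16 carries a higher metric than the BGP route for the same prefix, so it shows as plain `S` and traffic to 10.20.7.7 goes to the BGP next hop, which matches the metric rule stated above.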
EDL Info
Displays information about External Dynamic Lists (EDLs) for Mobile Users MU-SPNs and Remote Networks RN-SPNs.
For MU-SPNs, select the EDL Type and the EDL Name for the type you specified from the drop-down choices; then enter the IP address of the mobile user location gateway in the Mobile Users GW IP address field.
To find the IP address of a mobile user gateway from the GlobalProtect app, open the Settings and find the Gateway IP address in the Connection tab. To find the IP address of a mobile user gateway from Prisma Access, use the API to retrieve Prisma Access infrastructure IP addresses using the "serviceType": "gp_gateway" keywords in the .txt file.
For RN-SPNs, select the EDL Type, the EDL Name for the type you specified, and the Remote Networks Site Name.
After you Show EDL Info, the Retrieved Data table shows the following information:
  • Total Valid Entries—The total number of valid entries in the specified EDL.
  • Total Ignored Entries—The total number of entries, if any, that Prisma Access ignored in the specified EDL.
  • Total Invalid Entries—The total number of invalid entries, if any, in the specified EDL.
  • Valid Entries—Shows the valid entries in the EDL.
    These entries reflect the EDL type; for example, an EDL Type of ip displays the IP addresses in the EDL and an EDL Type of URL displays valid URLs in the EDL.
    The Valid Entries column shows detailed EDL information for a maximum number of 100 EDL entries.
EDL Status
Displays the status of the EDLs used by Prisma Access for Mobile Users and Remote Networks MU-SPNs and RN-SPNs.
For MU-SPNs, select the EDL Type and the EDL Name for the type you specified from the drop-down choices; then enter the IP address of the mobile user location gateway in the Mobile Users GW IP address field.
To find the IP address of a mobile user gateway from the GlobalProtect app, open the Settings and find the Gateway IP address in the Connection tab. To find the IP address of a mobile user gateway from Prisma Access, use the API to retrieve Prisma Access infrastructure IP addresses using the "serviceType": "gp_gateway" keywords in the .txt file.
For RN-SPNs, select the EDL Type, the EDL Name for the type you specified, and the Remote Networks Site Name. Predefined URLs are not supported.
The Retrieved Data table shows the following information:
  • Next Update At—The time when the EDL of the specified type will be refreshed.
  • Source—More details about what is included in this EDL.
  • Referenced—Whether the EDL is referenced in a security policy rule.
  • Valid—Whether or not the EDL is valid.
  • Auth-Valid—If the EDL uses authentication, whether or not the authentication is valid.
EDL Refresh
Refreshes the EDLs for Mobile Users and Remote Networks MU-SPNs and RN-SPNs. You cannot refresh predefined EDLs.
Refreshing an EDL is resource-intensive. Palo Alto Networks recommends that you refresh the EDLs a maximum of once every two minutes. If you do not manually refresh the EDLs, Prisma Access automatically refreshes External Dynamic Lists (EDLs) using the Check for Updates value you defined in each EDL.
For MU-SPNs, select the EDL Type and the EDL Name for the type you specified from the drop-down choices; then enter the IP address of the mobile user location gateway in the Mobile Users GW IP address field.
To find the IP address of a mobile user gateway from the GlobalProtect app, open the Settings and find the Gateway IP address in the Connection tab. To find the IP address of a mobile user gateway from Prisma Access, use the API to retrieve Prisma Access infrastructure IP addresses using the "serviceType": "gp_gateway" keywords in the .txt file.
For RN-SPNs, select the EDL Type, the EDL Name for the type you specified, and the Remote Networks Site Name.
The Retrieved Data table shows the Message related to the EDL refresh operation (either that the EDL refresh operation is queued or that it is complete) and the Timestamp when the refresh operation was performed. The timestamp uses the local time of the MU-SPN or RN-SPN.
To view the last time that the status was refreshed, select the EDL Status tab. To see the EDL information after it was refreshed, select the EDL Info tab.
Search EDL
Enter search terms to find data inside the EDLs you use with mobile users and remote networks in Prisma Access. This functionality does not work with Predefined URL lists or URL lists that you create; EDLs that use IP addresses are supported.
You can enter search terms for either Mobile Users or Remote Networks. To search for Mobile Users, enter the IP address of the mobile user location (gateway) for which you want to search (Mobile Users GW IP address) with the Search String; to search in the Remote Networks area, enter the Site Name with the Search String. Click Search EDL to perform the search.
If the string is matched in an EDL, the Retrieved Data table shows the EDL Name where the search string was matched, along with the Timestamp when the match was made. The timestamp uses the date and time of the Panorama that manages Prisma Access.
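The EDL Info, EDL Status, EDL Refresh and Search EDL commands all need the IP address of a mobile user gateway, and the text above points to the infrastructure IP API with the `"serviceType": "gp_gateway"` keyword as the way to get it. The following script is an added example (not Palo Alto Networks code) that builds that request, pulls the gateway addresses per zone out of the response, and maps a Gateway IP address shown in the GlobalProtect app back to its Prisma Access zone. The endpoint URL, the `header-api-key` header and the response layout (`status`, `result`, `zone`, `address_details`) are assumptions about the API and should be checked against the API documentation for your tenant; the sample response is constructed and the API key is a placeholder read from an environment variable.

```python
import json
import os
import urllib.request

# Assumed endpoint and header name for the Prisma Access infrastructure IP API.
API_URL = "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"
API_KEY_ENV = "PRISMA_ACCESS_API_KEY"  # placeholder: export your tenant's API key here


def build_request_body(service_type="gp_gateway", addr_type="all", location="all"):
    """JSON body for the API call. "serviceType": "gp_gateway" is the keyword the
    page refers to; addrType and location values are assumptions."""
    return {"serviceType": service_type, "addrType": addr_type, "location": location}


def extract_gateway_ips(response):
    """Return {zone: [gateway addresses]} from a decoded API response.
    Raises ValueError when the API did not report success."""
    if response.get("status") != "success":
        raise ValueError(f"API call did not succeed: {response}")
    gateways = {}
    for entry in response.get("result", []):
        zone = entry.get("zone", "unknown")
        # Prefer the per-address details so portal and gateway addresses in the
        # same zone can be told apart; fall back to the flat address list.
        details = entry.get("address_details") or [
            {"address": a, "serviceType": "gp_gateway"} for a in entry.get("addresses", [])
        ]
        for d in details:
            if d.get("serviceType") == "gp_gateway":
                gateways.setdefault(zone, []).append(d["address"])
    return gateways


def find_gateway_zone(gateways, address):
    """Map a Gateway IP address (as shown in the GlobalProtect app's Connection tab)
    to its zone, or None if it is not a known gateway address."""
    for zone, addresses in gateways.items():
        if address in addresses:
            return zone
    return None


def fetch_gateway_ips(api_key, service_type="gp_gateway"):
    """Live call to the API; only used when an API key is present."""
    data = json.dumps(build_request_body(service_type)).encode()
    req = urllib.request.Request(
        API_URL, data=data, method="POST",
        headers={"header-api-key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return extract_gateway_ips(json.load(resp))


# Constructed sample response so the script runs offline; the shape is an
# assumption and the addresses are RFC 5737 documentation ranges.
SAMPLE_RESPONSE = {
    "status": "success",
    "result": [
        {"zone": "us-east-2",
         "addresses": ["203.0.113.10", "203.0.113.11"],
         "address_details": [
             {"address": "203.0.113.10", "addressType": "active", "serviceType": "gp_gateway"},
             {"address": "203.0.113.11", "addressType": "active", "serviceType": "gp_portal"}]},
        {"zone": "europe-west3",
         "addresses": ["198.51.100.20"],
         "address_details": [
             {"address": "198.51.100.20", "addressType": "active", "serviceType": "gp_gateway"}]},
    ],
}

if __name__ == "__main__":
    api_key = os.environ.get(API_KEY_ENV)
    gateways = fetch_gateway_ips(api_key) if api_key else extract_gateway_ips(SAMPLE_RESPONSE)
    for zone, ips in sorted(gateways.items()):
        print(f"{zone}: {', '.join(ips)}")
    print("198.51.100.20 belongs to zone:", find_gateway_zone(gateways, "198.51.100.20"))
```

Without the environment variable set, the script runs against the constructed sample; with it set, it performs the live call. Filtering on `serviceType` per address matters because a zone can also expose portal addresses, and only the gateway address is what the EDL commands above expect in the Mobile Users GW IP address field.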