>
    Troubleshoot NGFW Connectivity and Policy Enforcement Anomalies
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Cloud Manager
    3. AIOps for NGFW
    4. Troubleshoot NGFW Connectivity and Policy Enforcement Anomalies
    Download PDF
    Strata Cloud Manager

    Troubleshoot NGFW Connectivity and Policy Enforcement Anomalies

    Table of Contents

    Troubleshoot NGFW Connectivity and Policy Enforcement Anomalies

    Troubleshoot issues on your NGFWs.
    Where Can I Use This?What Do I Need?
    Troubleshoot your NGFWs from Strata Cloud Manager without having to move between various firewall interfaces. If you experience connectivity issues after deploying and configuring your NGFWs, you can get an aggregate view of your routing and tunnel states, and drill down to specifics to find anomalies and problematic configurations.
    Troubleshoot your identity-based policy rules and dynamically defined endpoints. You can check the status of specific NGFWs and expose possible mismatches between how you expect a policy to work and its actual enforcement behavior.
    Troubleshooting lets you drill down on issue that might arise within these networking and identity features–track down and resolve connectivity issues or policy enforcement anomalies:
    Network Troubleshooting
    Identity and Policy Troubleshooting
    Firewall Troubleshooting
    Go to Manage ConfigurationNGFW and Prisma AccessOperations> TroubleshootingSession Browser to start troubleshooting your firewalls.
    Or, you can go to the feature you want to troubleshoot and select the Troubleshooting button to get started.
    View and sort troubleshooting jobs you've run by Status, Action, Search Target, and Timestamp.
    FeatureFeature LocationAvailable ActionsAction ScopeJob Output Organized By:
    Session Browser (Firewall)Manage ConfigurationNGFW and Prisma AccessOperations> TroubleshootingSession BrowserFilter by:
    • Firewalls
    • Rule Name
    • Source Zone
    • Source Address
    • Source User
    • Source Port
    • Destination Zone
    • Destination Address
    • Destination Port
    • App-ID
    		Firewalls you specify
    • Session ID
    • Start Time
    • Zones
    • Source
    • Destination
    • Ports
    • Protocol
    • Application
    • Ingress
    • Egress
    • Bytes
    DNS Proxy (Network)Manage ConfigurationNGFW and Prisma AccessDevice SettingsDNS Proxy
    • Show DNS Proxy Cache
    • Search the DNS Proxy Cache
    		Firewalls you specify
    • Domain Name
    • IP Address
    • Type–IPv4 Address Record (A), IPv6 Address Record (AAAA), Canonical Name Record (CNAME), Mail Exchange Record (MX), and Pointer to a canonical name (PTR)
    • Class: Internet (IN TCP/IP), Chaos (CH), and Hesiod (HS)
    • Time-to-live (TTL) in seconds
    • Hits–Number of times the record was requested since the last reboot
    NAT (Network)Manage ConfigurationNGFW and Prisma AccessNetwork PoliciesNATShow the NAT Rule IP Pool Firewalls you specify
    • Rule
    • Type
    • Used
    • Available
    • Memory Size Ratio
    User Groups (Identity)Manage ConfigurationNGFW and Prisma AccessIdentity ServicesCloud Identity Engine
    • Show User Group
    • Search User Group
    		Firewalls you specify
    • Username
    • Group
    Dynamic Address Groups (Identity)Manage ConfigurationNGFW and Prisma AccessObjectsAddressAddress Groups
    • Show All Dynamic Address Groups
    • Search for a Dynamic Address Group (Chosen from a list)
    		Firewalls you specify
    • Name
    • Filter
    • Members
    Dynamic User Groups (Identity)Manage ConfigurationNGFW and Prisma AccessObjectsDynamic User Groups
    • Search by Dynamic User Group
    • Search by Username
    		Firewalls you specify
    • Members (Username) and / or Dynamic User Group
    User ID (Identity)Manage ConfigurationNGFW and Prisma AccessIdentity ServicesIdentity Redistribution
    • Show All User IP Mapping
    • Search For User IP Mapping
    		Firewalls you specify
    • IP
    • User
    • From
    • Idle Timeout
    • Max Timeout

    Export Metadata for Troubleshooting

    To provide technical support with the information they need to better assist you, AIOps for NGFW enables you to export your deployment data to your local machine. This data arrives in JSON files that are compressed in the gzip format.
    1. Select Help > Export Tenant Metadata.
    2. Prepare Metadata.
    3. Download your metadata file.
      The metadata file name contains your Customer Support Portal (CSP) ID, your AIOps for NGFW tenant ID, and the timestamp for the export: <csp-tenant-timestamp>.gzip.

    © 2024 Palo Alto Networks, Inc. All rights reserved.