Verify and Troubleshoot Forwarding Profile Configurations for Dynamic Privilege Access Agents

You can verify your forwarding profile configurations and perform high-level troubleshooting of split tunnel issues on your endpoints.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Prisma Access 5.1 Preferred or Innovation
  • Prisma Access license with the Mobile User subscription
  • macOS 12 or later desktop devices or Windows 10 version 2024 or later or Windows 11 desktop devices
  • Role: Superuser
After you configure a forwarding profile, you can verify whether the traffic is being directed as intended by viewing the traffic log files. You can view the traffic logs in the Strata Cloud Manager log viewer or by using the Prisma Access command-line tool (PACli) on an endpoint.
  • To view the traffic log files from the Strata Cloud Manager log viewer:
    1. Select Incidents & Alerts > Log Viewer.
    2. View the Firewall/Traffic logs for more details.
  • To view the traffic log files on an endpoint:
    1. Start the remote shell in Manage > Prisma Access Agent, or open a Windows command prompt or macOS terminal window on an end user's device.
    2. To show the forwarding rules in a forwarding profile, issue the following command:
      • On Windows:
        "C:\Program Files\Palo Alto Networks\Prisma Access Agent\pacli" traffic show 
      • On macOS:
        /Applications/Prisma\ Access\ Agent.app/Contents/Helpers/pacli traffic show
      If you set up an environment variable for the PACli tool (pacli), you can just enter pacli traffic show.
      The sample PACli command-line output shows a table containing the forwarding rules that are in effect in the forwarding profile, including the priorities of the forwarding rules. The traffic enforcement selections for the forwarding profile are also shown. This table corresponds to the forwarding rules that you set up in your forwarding profile.
    3. To show the details of a forwarding rule, issue the following command:
      pacli traffic show <number>
      Where <number> is the number in the Priority column.
    4. To troubleshoot split tunnel issues, you might need to examine what agent traffic is inside or outside the tunnel. You can do this by showing the Prisma Access Agent connection log. Issue the following command:
      pacli traffic log
      To show an individual log entry, issue the following command:
      pacli traffic log <index>
      Where <index> corresponds to the index number for the entry.
      You can also export the connection log to a file for further analysis by issuing:
      pacli traffic log export <filename>